Data privacy information for owners of Hapimag products
This data privacy information describes the way in which Hapimag AG, Sumpfstrasse 18, 6312 Steinhausen, (“Hapimag” or “we”) processes the personal data of its shareholders and members (owners) . We take the protection of these data seriously and act in accordance with the applicable legal provisions on the protection of personal data and on data security.
Personal data refers to any information relating to an identified or identifiable natural person. This is always information that is assigned to you personally (hereinafter also the “data subject”) and may convey something about you.
Hapimag is the controller of the processing of personal data and decides on the purposes and means of processing.
To enable you to exercise your acquired rights of residence independently, you need access to the password-protected Booking Portal (login) on the Hapimag website. For information about the processing of personal data when you visit the Hapimag website or use the Booking Portal or the mobile Hapimag App, please see our separate privacy statement, which can be called up on the Hapimag website www.hapimag.com.
2. Categories of personal data
Depending on the information that you make available to us, we record and process the following personal data:
- personal identification data (e.g. name, address, occupation, date of birth);
- contact data (e.g. telephone number, e-mail address);
- financial identification data (e.g. bank account details);
- creditworthiness data;
- member information (e.g. membership number, name and address of fellow travellers, notes on telephone conversations when handling complaints or providing advice);
- bill settlement data on food and drinks consumed, on telephone calls made from the room and other tourist services;
- information on the acquired right-of-residence product (e.g. number of units, purchase date, residence points, rewards);
- reservation and billing data;
- insurance data (e.g. travel insurance, points insurance, claims);
- holiday history;
- access data for the Booking Portal (login) on the Hapimag website.
As a rule we do not process sensitive personal data of our shareholders and members (e.g. data on health, racial or ethnic origin or political opinions). In the event that such data are processed, we will obtain the consent of the data subjects beforehand and process the sensitive data only in accordance with the applicable data protection laws and regulations.
If you use our services, we only collect the personal data we need to provide the requested services. Any additional data collection is made on a voluntary basis and solely for the purposes of our own legitimate business interests.
3. Legal basis and purposes of processing
The legal basis for processing personal data is deemed to be the principles of the Swiss Data Protection Act (DPA) and Art. 6 (1) of the EU General Data Protection Regulation (GDPR), specifically
- (a) if the data subject has given consent;
- (b) if processing is necessary for the performance of a contract to which the data subject is party. This also applies to the steps required prior to entering into a contract.
- (c) if our company must comply with a legal obligation;
- (d) if the vital interests of the data subject or another natural person are to be protected;
- (e) if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in our company;
- (f) if processing is required for the purposes of the legitimate interests pursued by our company or a third party, and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. The legitimate interest of our company lies, amongst others, in conducting our business activity (see point 3.2 below).
3.1 Data processing necessary for the performance of a contract or to take steps prior to entering into a contract (Art. 6 (1) b GDPR)
Hapimag builds and operates its own resorts, which are primarily made available to Hapimag shareholders and members. Hapimag sells right-of-residence products with and without shares. By acquiring such a right-of-residence product you are credited with residence points on a one-off or recurring basis, which enable you to book and use accommodation services in the available Hapimag resorts. The legal relationship (“contract”) between you and Hapimag is defined – in addition to the Articles of Association – by the Basic Information and General Terms & Conditions for acquiring right-of-residence products.
Insofar it is necessary within the context of the accommodation contract, Hapimag collects and stores personal data of its guests by automated means.
Therefore, Hapimag processes the data provided by you on the basis of Art. 6 (1) b GDPR without your separate consent for the following purposes:
- performance and processing of your contract with Hapimag. This also includes activities in the context of clarifications prior to entering into a contract, including text documents, such as correspondence, drawn up and archived by automated means;
- provision of accommodation services and associated ancillary and additional services.
3.2 Data processing for the purposes of a legitimate interest of us or third parties (Art. 6 (1) f GDPR)
On the basis of legitimate interests, Hapimag processes your data for the following purposes:
- further development of right-of-residence products, services or business processes;
- improvement of service quality through market studies and analyses of customer satisfaction (e.g. follow-up holiday surveys);
- advertising of new (right-of-residence) products and services (e.g. by sending out newsletters or product information);
- establishment of legal claims and protection in legal disputes that cannot be directly assigned to the contract between you and Hapimag;
- video surveillance in the resorts, carried out solely to collect evidence in the event of vandalism, burglary, robbery or other crimes. The presence and use of video cameras is made known through warning notices;
- to protect Hapimag, its employees and customers, and third parties from loss/damage, injury, legal liability, abuse, criminal offences or other misconduct.
Before we process other data on the basis of our legitimate interests, we will check in each individual case whether our interests override your interests when balanced against them.
3.3 Data processing within the scope of your consent (Art. 6 (1) a GDPR)
Your data may also be processed for certain purposes with your consent. For example, you may give us your consent to provide you with information about the following content and advertising channels:
- company news by e-mail (Hapimag News, latest news, construction and renovation of resorts, CEO Blog, surveys and similar content);
- advice and offers by e-mail and social media (holiday and product-related advice, offers and surveys; recommendations; invitations to events and similar content);
- advice and offers by telephone (holiday and product-related advice, offers and surveys; recommendations; invitations to events and similar content).
In the password-protected Booking Portal you can give or withdraw your consent on these contents at any time. Please note that the withdrawal of consent is only effective for the future. Processing carried out prior to the withdrawal is not affected and remains lawful.
3.4 Compliance with legal obligations (Art. 6 (1) c GDPR) or in the public interest (Art. 6 (1) e GDPR)
Like everyone involved in economic affairs, we are also subject to a wide range of legal obligations. The primary ones are statutory requirements (e.g. registration laws, commercial and tax laws), but sometimes provisions of supervisory and other authorities too. Therefore, the purposes of processing may include compliance with control and reporting obligations under tax law as well as the archiving of data for the purposes of data protection and data security and of audits by tax and other authorities. Personal data may also have to be disclosed under official or judicial measures for the purposes of collecting evidence, law enforcement or enforcement of civil law claims.
3.5 Other purposes
If we wish to process your personal data for a purpose not indicated above, we will inform you of this beforehand in accordance with the legal provisions and, if required, obtain your consent.
4. Usage and disclosure of collected data to third parties
In connection with the purposes set out above, data may be transferred or disclosed by Hapimag to the following categories of recipients:
- internal departments involved in the execution and fulfilment of the relevant business processes (e.g. Financial Accounting, Marketing, Member Services, IT, Legal);
- Hapimag Group companies or external service providers (processors within the meaning of Art. 28 GDPR or Art. 10a DPA; e.g. organisers of excursions, support/maintenance of IT systems, electronic voting procedure at the Annual General Meeting);
- other external bodies (e.g. banks, debt collection agencies, credit card companies, lawyers, courts, experts, travel insurance companies);
- public bodies or authorities that request data on the basis of legal regulations.
5. Time limits for deleting data
Your personal data are only stored until the purpose for which they were collected and processed has been fulfilled. Statutory storage obligations and time limits remain reserved. After these time limits expire, personal data are routinely deleted and, if they are in paper form, destroyed according to data protection requirements and in observance of specific precautions.
On termination of the contract, your data are excluded from further use and are deleted after the storage time limits have expired under tax and commercial law, provided you have not expressly given your consent for your data to be used further or there is no other legal justification.
Legal storage time limits under Swiss law:
- 15 years is the absolute limitation period under Swiss tax law, i.e. the right to demand tax is time-barred 15 years after the tax period has ended. After this period, Hapimag deletes all relevant membership-related data, provided they are no longer relevant for further performance of the contract.
- 10 years is the storage time limit under Swiss law for business correspondence (e-mails, letters, contracts, agreements), annual reports, accounting books (balance sheet and income statement) and related booking records. The storage time limit begins with the end of the calendar year in which the last entries were made, correspondence was received or sent out, or booking vouchers were created.
6. Data transmission to other countries
Data are transmitted to other countries only in connection with the fulfilment of a contract, necessary communication or on the basis of legal obligations (e.g. reporting obligations under tax law), if it’s within the scope of our legitimate interests or you have given us your consent.
In order to process right-of-residence and accommodation contracts (including apartment reservation, charging of residence points and crediting of rewards), member data are exchanged between Hapimag’s headquarters in Steinhausen (Switzerland) and the locations of Swiss and foreign resorts. The exchange of data between Switzerland and the countries of the European Union is carried out in compliance with similarly high-level data protection laws in a data-compliant framework.
Hapimag’s subsidiaries in Morocco, Turkey and the USA are obliged to provide a reasonable level of data protection on the basis of the EU Standard Contractual Clauses.
No data are transmitted to other countries, particularly those where data protection is deemed to be low, and there are currently no plans to do so.
7. Rights of data subjects
Pursuant to the DPA and the GDPR (Articles 15–18, 20, 21, 77), you have the following rights with regard to the handling of your personal data:
- right of access;
- right to rectification;
- right to erasure;
- right to restriction of processing;
- right to data portability, in particular to receive the data in a structured, commonly used and machine-readable format;
- right to object;
- right to lodge a complaint with a competent data protection supervisory authority.
Right to object
You have the right at any time, for reasons based on your particular situation, to object to the processing of personal data concerning you that is carried out on the basis of Art. 6 (1) e GDPR (data processing in the public interest) and Art. 6 (1) f GDPR (data processing on the basis of the balance of interests).
If you object, we will no longer process your personal data, unless we can demonstrate compelling legitimate reasons for doing so that override your interests, rights and freedoms, or the processing is for the assertion, exercise or protection of legal claims.
You also have the right at any time to object to the processing of personal data concerning you for the purposes of direct marketing. If you object to this processing, we will no longer process your data for these purposes.
8. Automated individual decision-making (including profiling)
Profiling in the sense of the GDPR is understood to mean any type of automated processing of personal data that consists of evaluating, analysing or predicting certain personal aspects about you (e.g. holiday interests, preference for sporting activities etc.). We do not use purely automated individual decision-making procedures (including profiling) pursuant to Art. 22 GDPR. If we should apply such procedures in the future, we will inform you separately, if this is legally required.
9. Amendments to this data privacy information
We reserve the right to periodically amend or update this data privacy information We will notify all shareholders and members of all material amendments on the Hapimag website or via other suitable communication channels, such as by e-mail. All amendments will enter into force on the date indicated in the updated data privacy information unless otherwise indicated in the notification.
10. Controller and contact for data protection
Fax +41 58 767 89 20
In connection with the assertion of your rights or if you have any questions or concerns relating to data protection, you can contact our Data Protection Officer at the above address, by telephone +41 58 733 70 10 or by e-mail [email protected].