Version dated 10.08.2023
OUR COMMITMENT FOR THE PROTECTION OF DATA
Splash & Spa Tamaro SA wishes to inform you that, pursuant to art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (hereinafter "European Regulation" or "GDPR"), it needs to process your personal data collected automatically or provided by you through browsing or use of the website www.splashespa.ch (hereinafter "Website").
The purpose of the following policy is therefore to explain to you what types of data are collected, how the data you provide are managed, processed and used, and what measures are taken to ensure compliance with data protection.
The processing of personal data by Splash & Spa Tamaro SA is also carried out in compliance with the Federal Data Protection Act (LPD, RS 235.1) and the Ordinance on the Federal Data Protection Act (OLPD, RS 235.11), the principles of good faith, lawfulness, transparency, correctness, purpose and storage limitation, proportionality, minimisation and accuracy, and the protection of integrity and confidentiality.
By using our Website, you declare that you agree with the data protection declaration described below and with the way in which data are collected, processed, stored, transmitted and used.
- DATA CONTROLLER
The Data Controller is Splash & Spa Tamaro SA, with registered office in Via Campagnole, 1 6802 Rivera - Monteceneri (hereinafter referred to as “Data Controller”).
You can communicate any data protection concerns you may have to us using the following contact details: [email protected]
- DEFINITION OF TERMS
Personal data: any information relating to the personal or material circumstances of a specific (identified) or identifiable (identifiable) person, such as - for example - name, contact details, IP addresses.
Process/processing: any processing of personal data carried out with or without the aid of automated processes, regardless of the means and procedures used, in particular the obtaining, storage, use, disclosure, archiving or destruction of data.
- TYPE AND SCOPE OF PERSONAL DATA PROCESSED
To enable you to use the Website and its services, the Data Controller needs to know and process some of your personal data.
The type and scope of data collection and use vary depending on how you use the Website. That is, a distinction is made between the use of the website for purely informational purposes and the use of the services.
These are the data you provide when filling in forms on our Website (newsletter registration and enquiries via the contact form) and other information required to purchase our services.
In order to answer any enquiries via the contact form, we will need to process the following personal data: first name, last name, telephone number, email address. When the user subscribes to our newsletter, we process his or her email address.
For the simple browsing of the Website, on the other hand, the types of data processed and the specific information on "cookies" are specified below.
The computer systems and software procedures used to operate the Website acquire, during their normal operation, some personal data the transmission of which is implicit in the use of Internet communication protocols.
This information is not collected in order to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified
This category of data includes the IP addresses or domain names of the computers used by users logging onto the Website, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment. This data is used by the Data Controller for the sole purpose of obtaining anonymous statistical information on the use of the Website and to check its correct functioning. The data could also be used to ascertain responsibility in the event of hypothetical computer crimes against the Data Controller. Without prejudice to this eventuality, at present, data on contacts to the Website are not stored for more than seven days.
Data provided voluntarily by the user
The optional, explicit and voluntary sending of notifications to the addresses indicated on the Website entails the subsequent acquisition of the sender's address, which is necessary in order to reply to requests, as well as any other personal data, such as the email address and the address where the decoder is located.
The types of cookies used by this website are specified below in order to understand how personal data will be processed using this type of technology.
This website uses so-called "technical cookies", i.e. small text files containing a certain amount of information exchanged between the website and your terminal (or rather your terminal's browser), which allow the website to function and be used correctly. Cookies are not used for the transmission of personal information, nor are so-called persistent cookies of any kind used.
This website does not use so-called "profiling cookies", since the Data Controller does not intend to create profiles of the user in order to send advertising messages in line with the preferences expressed by the user while browsing the Internet.
Third parties may also install cookies on your device. We do not control the use of third-party cookies and are not therefore responsible for their use. Third parties have their own privacy policies and data collection methods. These policies can be found at the following links:
hotjar – https://www.hotjar.com/legal/policies/terms-of-service/
facebook – https://www.facebook.com/legal/fb_work_privacy
google analytics – https://www.facebook.com/legal/fb_work_privacy
Through our cookie banner you can set your preferences regarding cookies. You can check the storage of cookies on your access device as well as refuse them. In addition, you can also delete cookies that have already been set.
The provision of all cookies can however be deactivated by adjusting the settings on your browser. It should be noted, however, that changing these settings could make the Website unusable if you block cookies that are indispensable for the provision of our services. In any case, each browser has different settings for deactivating cookies. Links to instructions for the most common browsers can be found here APPLE SAFARI, GOOGLE CHROME, MICROSOFT INTERNET EXPLORER, MOZILLA FIREFOX, OPERA.
- TRACKING DATA – STATISTIC RECORDING WITH GOOGLE ANALYTICS
- INTERACTION WITH SOCIAL NETWORKS
We use social plug-ins (hereinafter: plug-ins) of social networks on the Internet. These plug-ins are recognisable on our Website by the logo corresponding to the social network. When you call up a Website with such a plug-in, a direct connection is established with the servers of the corresponding social network. Only by clicking on one of the logos does the corresponding plug-in become activated and is a connection, as well as a transmission of data - that the user, among other things, is visiting our Website - granted to the third-party provider. If at that time the user is also connected to this network with his or her own user name and password, it is possible that all interactions with the plug-in will be assigned to his or her profile. For example, the content of our Website may be linked to his or her profile. Other network users may become aware of such interactions. Splash & Spa Tamaro SA is not affiliated with nor responsible in any way for third-party operators whose sites are linked via plug-ins. We have no control over the use of personal data collected by third parties and disclaim all liability in this respect. If the user is not a member of the social network or is not logged in, it is still possible that his or her IP address will be transmitted and stored.
- PURPOSES OF PROCESSING AND LEGAL BASIS
The personal data which come into the possession of the Data Controller are solely those provided while browsing and/or when sending any requests for information and/or when subscribing to the newsletter and/or when purchasing our services online.
The personal data will therefore be processed to:
A) allow using the Website;
B) analyse the behaviour of visitors or users on our Website;
C) satisfy any requests made to us using the contact form, including enabling us to contact you at the email address given to us;
D) send newsletters, following the user’s consent;
E) allow purchasing our services in the best, most secure, pleasant and efficient way possible;
In view of your decision to make use of the services provided by the Website, the legal basis for the processing of your personal data may be:
- the need to comply with a legal obligation, should this be necessary, as well as communicating your personal data whenever we are required to do so by the competent authorities;
- a legitimate interest in processing your personal data in order to provide you with the best service; to enable us to respond in the event of your making a request; to prevent fraud; to keep the Website, our services and IT system secure; and to ensure that our processes, procedures and systems are kept efficient at all times.
Personal data may be processed using either computerised or paper media.
- PERSONAL DATA RETENTION PERIOD
The Data Controller intends to keep the personal data for no longer than is necessary to achieve the purposes for which they were collected and processed. Data on contacts to the Website will not be stored for more than seven days, unless this is necessary to ascertain liability in case of hypothetical computer crimes against the Data Controller. Data relating to requests sent containing personal data are deleted 6 months after receipt.
With regard to any further personal data, since it is not possible to precisely determine the retention period, the Data Controller forthwith undertakes to ensure the processing of personal data is inspired by the principles of adequacy, relevance and minimisation of data, as required by the European Regulation, constantly verifying the need for their retention. Therefore, once the purposes for which they were collected and processed have been fulfilled, they will be removed from the systems or rendered completely anonymous.
- CATEGORIES OF DATA RECIPIENT ENTITIES
The processed data will not be disclosed to third parties. The following may, however, become aware of the data in connection with the processing purposes set out above:
- entities that can access the data by virtue of legal provisions provided for by the law of the European Union or by the law of the Member State to which the Data Controller is subject;
- our employees, provided that they are designated as System Administrators or as persons acting under the authority of the Data Controller or the Data Processor within the meaning of the European Regulation;
- entities that carry out, within the borders of the European Union, in complete autonomy, as separate Data Controllers, or as Data Processors appointed for this purpose by the Data Controller, purposes ancillary to the activities and services referred to in paragraph 3, such as companies that offer advertising, marketing and communication services, computer and information technology services, design and creation of websites, companies that offer services useful for analysing and developing data and for processing and conducting market research.
Any communication of personal data will take place in full compliance with the legal provisions of the European Regulation and the technical and organisational measures taken by the Data Controller to ensure an adequate level of security.
- TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
The Data Controller may transfer the data to Third Countries. Any transfer will always be subject to adequate safeguards, inasmuch as the destination country has obtained an adequacy decision from the Commission pursuant to article 45 of the European Regulation, or standard contractual clauses have been adopted pursuant to article 46(2)(c) of the European Regulation.
- ANY AUTOMATED DECISION-MAKING PROCESSES
The Data Controller does not use automated decision-making processes, including profiling as referred to in article 22(1) and (4) of the European Regulation. Therefore, the Data Controller considers that it does not need to provide information on the logic used and on the importance and consequences of this type of processing for the data subject.
- RIGHTS OF THE DATA SUBJECT
In relation to the processing of his or her personal data, pursuant to the European Regulation, the data subject is entitled to:
- withdraw consent to the processing at any time. It must be emphasised, however, that withdrawal of consent does not affect the lawfulness of processing based on consent provided before withdrawal, as indicated in art. 7(3) of the European Regulation;
- ask the Data Controller to be able to access his or her personal data, as provided for by art. 15 of the European Regulation;
- obtain from the Data Controller the rectification and supplementing of personal data deemed to be inaccurate, also by providing a simple supplementary declaration, as provided for by art. 16 of the European Regulation;
- obtain from the Data Controller the erasure of personal data if any of the reasons provided for in art. 17 of the European Regulation apply;
- obtain from the Data Controller the restriction of the processing of personal data if one of the cases provided for in art. 18 of the European Regulation applies;
- receive from the Data Controller the personal data concerning him or her in a structured, commonly used and machine-readable format, as well as the right to transmit such data to another data controller without hindrance, as provided for by art. 20 of the European Regulation;
- object at any time, on grounds relating to his or her particular situation, to the processing of personal data carried out in accordance with art. 6(1)(e) or (f), including profiling on the basis of these provisions, as provided for in art. 21 of the European Regulation;
- not undergo decisions based solely on automated processing, including profiling, which produce legal effects concerning him or her, unless he or she has given his or her prior and express consent, as provided for in art. 22 of the European Regulation. This category shall include, but not be limited to any form of automated processing of personal data intended to analyse or predict aspects concerning consumption and purchasing choices, economic situation, interests, reliability, behaviour;
- lodge a complaint with a supervisory authority, if he or she considers that the processing concerning him or her is in breach of the European Regulation. The complaint may be lodged in the Member State in which he or she habitually resides or works or in the place where the alleged breach has occurred, as provided for in art. 77 of the European Regulation.
To exercise any of the above rights, you may contact the Data Controller, in the person of the legal representative, by sending a communication to the registered office at Via Campagnole, 1 6802 Rivera - Monteceneri, or by sending an email to [email protected], providing the following data:
– First name, last name and postal address
– Request details
– Photocopy of a valid identity document.
- CONSENT OF MINORS IN RELATION TO THE SERVICES OF THE INFORMATION SOCIETY
In order to be able to make use of the services provided through the Website, it is necessary to be over sixteen years of age: consent to the processing of personal data of minors under sixteen years of age is lawful as long as it is provided by the person exercising parental control.
- DATA SECURITY
The Data Controller adopts adequate security measures – from a technical and organisation point of view – in order to protect the user’s data from the risk of unauthorised accesses and improper use.
- APPLICABLE LAW AND JURISDICTION