Privacy Policy

In the following section, you will find information on how we handle your personal data, which is collected during your navigation on the website and when using the services we offer. In order to provide you with all the features and services of our website, it is necessary for us to collect and process personal data about you. The processing of your personal data may include any type of action, including collection, organization, storage, retrieval, analysis, modification, selection, extraction, comparison, use, linking, blocking, communication, deletion, and destruction. The processing of your personal data is always carried out in accordance with the principles of lawfulness and fairness, taking into account all applicable regulations and in accordance with EU Regulation 679/2016 of the European Parliament and of the Council. We explain which data we collect, why this is necessary, and what rights you have regarding your data.

Responsibility for Data Processing

Responsibility for the processing of personal data on this website lies with Sonnegg KG, Saltnerweg 1, 39010 Saltaus (BZ), Italy, VAT No. IT01574240212.
If you have any questions, you can contact us at any time.
Tel. & Fax: +39 0473 645478
Email: info@pension-sonnegg.com
Internet: www.pension-sonnegg.com

Purpose of Data Processing

The controller processes data

1. to fulfill legal obligations
2. to fulfill contractual obligations
3. to provide the information and services you request
4. to verify the efficiency of the system
5. to carry out marketing activities such as sending commercial information, promotional material, and market research
6. to protect liabilities (e.g., payments)
7. to determine customer satisfaction regarding the quality of products and services

Type of Data Processing

Your personal data is processed manually, telematically, but mainly using automated means and processes tailored to the respective purposes. This primarily involves databases and electronic platforms managed by us or by third parties. Any type of data processing ensures the security and confidentiality of the data.

When connecting to the website, the IT systems and software procedures automatically and indirectly manage and/or acquire a series of general data and information. The following data may be collected:

• browser types and versions used
• the operating system used
• the website from which an accessing system reaches our website (so-called referrer)
• the sub-pages accessed on our website via an accessing system
• date and time of access
• an Internet Protocol address (IP address)
• other similar data and information

This general data and information is stored in the databases and log files of the server to ensure a stable and secure experience for you. The legal basis is Art. 6 of the GDPR.
This anonymously collected data and information is therefore evaluated statistically and also with the aim of increasing data protection and data security, in order to ultimately ensure an optimal level of protection for the personal data we process.

Data Retention

In order to comply with the law, the controller has established different retention periods for personal data depending on the individual purposes:

1.) For the management and response to your inquiries regarding products and initiatives, your personal data will be retained for as long as necessary to process your request.
2.) For the management of activities related to your use of the website, your personal data will be retained for as long as necessary to provide the service you have requested
3.) For the management and performance of legally required services (relating to accounting, administration, taxation, etc.), your personal data will be retained for as long as necessary for this purpose
4.) For the management of disputes and any legal proceedings, your personal data will be retained for as long as absolutely necessary to pursue these purposes, and in any case no longer than the applicable limitation periods.

Partnership with Third-Party Providers

When we work with our third-party providers, they are contractually obligated to use the same data protection/security standards, and we ensure that these are complied with. Such third parties, acting as processors, guarantee that they do not store the data received from us and do not use it for other purposes.
Within the framework of such agreements, users’ email addresses are transmitted to the third-party provider using cryptographic mechanisms (e.g., hashing). Tracing back to the email address is therefore prevented.

We may need to transfer your data to service providers in non-European countries (EEA). The EEA consists of countries of the European Union and Switzerland, Iceland, Liechtenstein, and Norway, which are considered countries with equivalent laws regarding data protection and privacy. This type of data transfer may occur if our servers (i.e., where we store data) or our suppliers and service providers are located outside the EEA. In the event that we transfer your information to a country outside the European Economic Area (EEA), we will ensure that the information is properly protected.

Distribution of Data

The personal data we process is generally not subject to distribution. In certain cases, data is transmitted to the following recipients.

• Subcontractors for technical audits, payments, identity and delivery services, analytics providers, or credit insurance agencies
• Public administration and authorities, when required by law
• Credit institutions with which we have business relationships for the management of receivables/liabilities and for financing mediation
• any natural or legal persons, public and/or private (legal, administrative, and tax advisory offices, courts, chambers of commerce, etc.) if the forwarding of data proves necessary or expedient for the exercise of our activities

SSL/TLS Encryption

For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us, there is SSL/TLS encryption. You can recognize such an encrypted connection by the fact that the address bar of the browser begins with “https://”. You can also recognize the encryption by the lock symbol in your browser bar. When SSL/TLS encryption is active, the data you transmit to us cannot be read by third parties.

Encrypted Payment Transactions

If, after concluding a paid contract, there is an obligation to transmit your payment data to us, such as your account number, this data is required for payment processing. Payment transactions using common payment methods (Visa/MasterCard, direct debit) are carried out via an encrypted SSL/TLS connection.

Contact Form

If you choose to send an inquiry via the contact form, it is necessary to provide certain personal data in order to meet your requirements. This is also the reason why the respective fields of the form are marked with an asterisk or otherwise as mandatory data. The provision of further personal and sensitive data is entirely up to you. Failure to provide or incomplete provision of the personal data marked with an asterisk or otherwise as mandatory data means that the service or desired service you have requested cannot be performed. By submitting the form, you agree to the data processing. Your data will be processed for the management and response to your questions and will not be stored longer than necessary for the respective processing purposes.

Referrer Measurement

We also collect data using so-called referrer measurement about which advertising medium/partner or marketing campaign visitors to the website used to access the contact form. This allows us to evaluate and optimize the success and performance of certain advertising measures accordingly.

Newsletter

We send newsletters with promotional information only with the consent of the recipient or legal permission. Our newsletter contains information about the company, services, offers, and promotions (e.g., new platform features, travel tips, travel offers, additional offers for your trip, vouchers, competitions, or information on participating in the community), which may come from us or our partners. When and how often the newsletter is sent depends on the respective newsletter. Before we send a newsletter, we obtain confirmation of the newsletter registration (double opt-in procedure). This is regulated in Art. 6 Para. 1 Letter b) GDPR. Recipient data is transmitted to the service provider for newsletter dispatch. This partnership is regulated in the data processing agreement according to GDPR. To meet legal requirements, we log newsletter registrations. This includes, in particular, recording the registration and confirmation time. Personal master data is only used to personalize the newsletter, and recipients can object to the dispatch at any time directly in the newsletter. The storage period corresponds to the duration of the newsletter subscription.

Use of Cookies

To improve the use of our website, we use cookies. Cookies are text information that is stored on a computer via the browser when visiting a website. This storage serves to recognize a session. You can delete stored cookies at any time via your web browser or adjust the settings so that no cookies are stored. In some cases, it may then happen that not all of our services and features of our website are available. For more information, please see our Cookie Policy.

Profiling

Profiling is any type of automated processing of personal data that consists of using this personal data to evaluate, analyze, and predict certain aspects relating to a natural person. For this type of marketing, we have concluded agreements with third-party providers.

User Rights

The rights listed above can be asserted by the data subject or a person authorized by them by means of a request to the controller by registered letter or email. The user has the right to receive a copy of the personal data in our possession. The response will be provided within the legally prescribed period.
In certain cases, we may store some information for legal purposes (suspicion of fraud, violation of the general terms and conditions). If you believe that your rights have been violated, you also have the right to file a complaint with the competent data protection supervisory authority or to take legal action.

We summarize the rights of the affected user as follows:

1. Right to Confirmation
   Every data subject has the right to obtain confirmation from the controller as to whether personal data concerning them is being processed. If a data subject wishes to exercise this right of confirmation, they can contact us at any time.
2. Right to Access
   Every data subject has the right to obtain free information at any time about the personal data stored about them. The information includes the following:
   • the purposes of processing
   • the categories of personal data being processed
   • the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations. If the data is transferred to a third country, the data subject also has the right to obtain information about the guarantees of data processing.
   • the planned duration for which the personal data will be stored
   • the existence of a right to lodge a complaint with a supervisory authority
   • if the personal data is not collected from the company concerned: All available information about the origin of the data
   • the existence of automated decision-making, including profiling, in accordance with Article 22 Para. 1 and 4 GDPR and—in these cases—meaningful information about the logic involved, as well as the scope and intended effects of such processing for the data subject.
3. Right to Rectification
   Every person affected by the processing of personal data has the right to request the immediate rectification of inaccurate personal data concerning them.
4. Right to Erasure
   Every person affected by the processing of personal data has the right to request that the controller delete the personal data concerning them without delay, provided that one of the following reasons applies and insofar as the processing is not necessary:
   • The personal data was collected or otherwise processed and is no longer necessary.
   • The data subject withdraws their consent on which the processing is based in accordance with Art. 6 Para. 1 Letter a GDPR or Art. 9 Para. 2 Letter a GDPR, or the processing contradicts another legal basis.
   • The data subject objects to the processing in accordance with Art. 21 Para. 1 GDPR and there are no overriding legitimate grounds for the processing.
   • The personal data has been processed unlawfully.
   • The deletion of personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject.
   • The personal data was not collected in relation to services offered in accordance with Art. 8 Para. 1 GDPR—protection of minors.
5. Right to Restriction of Processing
   Every person affected by the processing of personal data has the right to request that the controller restrict processing if one of the following conditions is met:
   • The accuracy of the personal data is contested by the data subject. The restriction applies for a period that enables the controller to verify the accuracy of the personal data.
   • The processing is unlawful, the data subject refuses the deletion of the personal data and instead requests the restriction of the use of the personal data.
   • The controller no longer needs the personal data for the purposes of processing, but the data subject needs it for the establishment, exercise, or defense of legal claims.
   • The data subject has objected to the processing in accordance with Art. 21 Para. 1 GDPR and it has not yet been determined whether the legitimate grounds of the controller outweigh those of the data subject.
6. Right to Data Portability
   Every person affected by the processing of personal data has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format. They also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided. Furthermore, when exercising their right to data portability in accordance with Art. 20 Para. 1 GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another controller, where technically feasible and provided that this does not adversely affect the rights and freedoms of other persons.
7. Right to Object
   Every person affected by the processing of personal data has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them. This also applies to profiling based on these provisions. We will no longer process the personal data in the event of an objection, unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the processing serves the establishment, exercise, or defense of legal claims. If we process personal data for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data for the purpose of such marketing. This also applies to profiling insofar as it is related to such direct marketing.
8. Automated Individual Decision-Making, Including Profiling
   Every person affected by the processing of personal data has the right to object to a decision based solely on automated processing—including profiling—that has legal effects concerning them or similarly significantly affects them, unless the decision is necessary for the conclusion or performance of a contract between the data subject and the controller. If the decision is necessary for the conclusion or performance of a contract between the data subject and the controller, or if it is made with the express consent of the data subject, we will take appropriate measures to safeguard the rights and freedoms.
9. Right to Withdraw Data Protection Consent
   Every person affected by the processing of personal data has the right to withdraw consent to the processing of personal data at any time.

Location of Processing of Your Personal Data

Your personal data is processed primarily in our premises and in those departments where the data processing controllers are located. The contractually agreed service is provided exclusively in a member state of the European Union or in a contracting state of the Agreement on the European Economic Area. Any relocation of the service or parts thereof to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 et seq. GDPR are met (e.g., adequacy decision of the Commission, EU standard data protection clauses, approved codes of conduct).

Please contact us for further information at the addresses provided in the “Imprint” section.

ADDITIVE+ MARKETING AUTOMATION – Direct Marketing

To increase customer loyalty and to sell services and additional services, we use Hotel Marketing Automation Software from ADDITIVE OHG, 39011 Lana (BZ), Italy (“ADDITIVE”) in the area of marketing and sales automation for hotels. Data that we collect and process in connection with your inquiry, booking, order, activation, registration, or other submission of a form on the website is analyzed and used to automatically offer you services and additional services via ADDITIVE+ MARKETING AUTOMATION. The appropriate level of data protection results from the concluded data processing agreement.

You can object to the use of your data for this purpose at any time via the unsubscribe link in the respective message.

The data processing is based on the legal provisions of Art. 6 Para. 1 Letter f (legitimate interest) of the GDPR.

Our concern within the meaning of the GDPR (legitimate interest) is to avoid disadvantages compared to our competitors, to improve our brand awareness, and to maximize our economic success through the best possible sales use of the contacts obtained.