Data Protection Policy of Hotel Banana City

The following Data Protection Policy provides an overview concerning the collection and processing of your data by SISKA Immobilien AG (Hotel Banana City). With the following information, we would like to give you an overview of the processing of your personal data by us and of your rights in accordance with data protection legislation. The specific kinds of data that are processed and how they are used essentially depends on the specific circumstances.

Recitals

a) Who are we?

Hotel Banana City is a Winterthur-based business and seminar hotel with its own restaurant (Restaurant Banana); it is operated by SISKA Immobilien AG (hereinafter referred to as “Hotel Banana City”).

b) Who does this Data Protection Policy apply to?

This Data Protection Policy applies to all clients, potential clients and suppliers in the entire hotel, seminar and catering area of Hotel Banana City.

If we process personal data, this means that we, for example, collect, store, use, transfer or erase such data. In connection with our website, this Data Protection Policy is aimed at, in particular, the following individuals:

potential clients, clients and suppliers of Hotel Banana City who are individuals, particularly in the areas of hotel business, catering, seminars and events;

all other individuals who are in contact with our company, such as authorised agents, representatives or employees of legal entities, as well as visitors to our website and persons who registered on our website.

Until such time as the legal situation changes as a result of an amendment of the Swiss Federal Act on Data Protection (FADP; Bundesgesetz über den Datenschutz – DSG), this Data Protection Policy also applies to legal entities, to the extent that the FADP is applicable.

1. Who is responsible for data processing, and whom can I contact?

The person responsible for data processing is:

SISKA Immobilien AG/Hotel Banana City<br/> Jérôme Waldbauer, Managing Director<br/> Schaffhauserstrasse 8, 8400 Winterthur, Switzerland<br/> jerome.waldbauer@bananacity.ch<br/> +41 52 268 16 16

For enquiries concerning the topic of data protection, please contact:

Hotel Banana City<br/> Data Protection<br/> Schaffhauserstrasse 8, 8400 Winterthur, Switzerland<br/> datenschutz@bananacity.ch<br/> +41 52 268 16 16

To the extent that the European Union General Data Protection Regulation (GDPR: Datenschutz-Grundverordnung – DSGVO) is applicable, our designated representative in the EU is:

Travel GmbH/Data Protection Representative<br/> Radlkoferstrasse 2<br/> 81373 Munich<br/> Germany<br/> info@ihr-datenschutz-vertreter.ch<br/> www.ihr-datenschutz-vertreter.ch<br/> +49 89 210 94026

2. What sources and data do we use?

We collect your personal data, in particular, if you contact us, for example through our website, as a potential client, applicant, client, etc. We process personal data that we receive as part of our business relationship with our clients. In addition, to the extent necessary for providing our services, we also process personal data that we obtain from publicly available sources, as permitted by law.

Furthermore, we process data that are generated in connection with the use of our website, as well as any data that you disclose (e.g. when subscribing to the newsletter or registering for events, or in other web forms).

Relevant personal data include personal details (name, address, contact details, date and place of birth, and nationality) and identity verification data (e.g. identification card data). These data may also include order data, data from the performance of our contractual obligations, advertising and sales data, and documentation data, as well as other types of data comparable to the aforementioned categories.

If you merely use our website for informational purposes, i.e. if you do not complete any web forms, do not register for an event or do not otherwise transmit any information to us, we do not collect personal data. The only data that are transferred are those transmitted by your browser, such as IP address, pages visited on our website, date and time of day of accessing our website, browser type and version, type of end device, referring website, etc. Identification is not possible using these data.

3. For what reasons do we process your data (purpose of processing), and on what legal basis?

We process personal data in compliance with the provisions of the FADP and the GDPR, in each case to the extent that the relevant provisions are applicable. Since the GDPR requires that we list these provisions in detail, the following sets forth the legal grounds on which we base our processing, to the extent that the GDPR is applicable:

a) For the performance of contractual obligations (Article 6(1)(b) of the GDPR)

Data are processed in order to provide services of Hotel Banana City in connection with the performance of our contracts (e.g. in the context of hotel reservations, seminars, events or company occasions, and concerning any other services) with clients or in order to take steps prior to entering into a contract in response to an enquiry. The purposes of data protection are primarily determined by the specific service and may include such activities as hotel bookings, preparation of quotes, client support and billing of services provided.

In this regard, we process basic data (e.g. client master data, such as name and address), contact and communication data (e.g. e-mail, telephone numbers) and payment data (e.g. banking details, payment history).

The contract documents and the General Terms and Conditions may contain further details regarding data processing purposes.

b) As part of the balancing of interests (Article 6(1)(f) of the GDPR)

Where necessary, we process your data going beyond the actual performance of the contract for the purposes of legitimate interests pursued by us or third parties. Examples:

Advertising or market and opinion research, unless you have objected to the use of your data

Establishment of legal claims and defence in the case of legal disputes

Newsletter, event registrations and orders (to the extent that delivery can be expected by the data subject)

Assurance of IT security and IT operation

In order to analyse Internet traffic on our website and to improve the functionality of our website

Prevention and investigation of criminal offences

Measures to manage business and enhance products and services

c) On the basis of your consent (Article 6(1)(a) of the GDPR)

To the extent that you have given us your consent to the processing of your personal data for certain purposes (e.g. disclosure of data to third parties, analysis of personal data for marketing purposes, newsletter, unless there is a legal ground for this based on letter b), the lawfulness of this processing is deemed to pertain on the basis of your consent. Consent that has been given may be withdrawn at any time. This also applies to the withdrawal of declarations of consent that had been given to us prior to the entry into force of the GDPR, i.e. prior to 25 May 2018. The withdrawal of consent does not affect the lawfulness of data that have been processed up to the time of withdrawal.

d) As a result of statutory requirements (Article 6(1)(c) of the GDPR) or due to public interest (Article 6(1)(e) of the GDPR)

In addition, we are subject to legal requirements specified by the Swiss legislator, meaning that processing of personal data may also take place if this is necessary as a result of statutory requirements or if processing is in the public interest. This is the case, for example, with regard to reporting obligations.

4. Confidentiality and security

The data that you enter in an online form are transmitted in unencrypted form. Therefore, it cannot be ruled out that the data may be lost in the process or viewed by third parties. The online transmission of personal data takes place at your own risk.

The data you transmit to us are stored on our servers, are retained with due care and are protected against unauthorised access by third parties. Access to your data is limited to only those employees who require such data for fulfilling their responsibilities. We only disclose your data to third parties if we have expressly made a record of this.

The collected data are used solely for the respective declared purpose.

5. Newsletter

With our various newsletters, we are pleased to keep you apprised of current topics and events relating to Hotel Banana City and our products. In order to send out the newsletter, we require at least your e-mail address, usually your name and gender, and, if necessary, your mailing address (in order to be able to determine the applicable legal basis). If you would like to register for one or more newsletters, you can enter these details in the fields provided for this purpose. After sending these data, you will receive an e-mail from us at the e-mail address you provided, in which you will be asked to click on a confirmation link in order to verify the e-mail address you provided.

You can unsubscribe to our newsletters at any time and thus object to the further use of your data. To do so, you can use the unsubscribe link found at the end of every Hotel Banana City newsletter.

6. Who receives my data?

Within Hotel Banana City, your data can only be accessed by those offices that need them in order to comply with our contractual and legal obligations. In addition, any third-party service providers (e.g. in the areas of IT services, logistics, printing services, telecommunications, advice and consulting, and sales and marketing) and agents that we use may receive data for these purposes.

Recipients of personal data may include, for example:

Public authorities and institutions (e.g. criminal prosecution authorities, police) where a statutory or regulatory obligation exists

Use of contractors (e.g. web hosting companies)

Other data recipients may include those offices for which you have given your consent to data transfer, or for which you have released us from any confidentiality obligations pursuant to agreement or consent.

7. Are data transferred to a third country or to an international organisation?

Data may be transferred to offices in countries outside the European Union or Switzerland (i.e. third countries) – for example where transfer of data to third parties, such as to payment service providers, is necessary for performance of the contract –

if this is prescribed by law, or

if you have given your consent to this, or

if we have provided for appropriate guarantees through corresponding mechanisms (e.g. contracts). To the extent that the GDPR is applicable, we are happy to provide you with a copy of such measures upon request (see contact data under section 1).

8. How long are my data stored?

We process and store your personal data for as long as is necessary in order to perform our contractual or statutory obligations, or for as long as we consider it necessary for the purposes for which they are being processed, or if we have legitimate interests, or if you have not withdrawn your consent.

If the data are no longer necessary for the performance of contractual or statutory obligations, they will be erased on a regular basis, unless their continued – temporary – processing is required for the following purposes:

Compliance with retention obligations under commercial or tax law; these include the Swiss Code of Obligations (CO; Obligationenrecht – OR) and tax laws. The retention or documentation periods specified there usually amount to 10 years.

Preservation of evidence within the scope of the statutory provisions concerning limitation. In accordance with Articles 127 et seqq. of the CO, these limitation periods may amount to up to 10 years.

9. What data protection rights do I have?

Depending on the applicable legal basis, you have various rights. To the extent that the FADP is applicable, your rights are determined by its provisions.

To the extent that the GDPR is applicable, the following applies:

Every data subject has the right of access under Article 15 of the GDPR, the right to rectification under Article 16 of the GDPR, the right to erasure under Article 17 of the GDPR, the right to restriction of processing under Article 18 of the GDPR, the right to data portability under Article 20 of the GDPR and the right to object under Article 21 of the GDPR. If you object, we will no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing of such data which override your interests, rights and freedoms, or unless processing of your personal data is required for the establishment, exercise or defence of any legal claims. If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes. The objection can be made without any requirements concerning form, and it should be sent to: datenschutz@bananacity.ch

If you believe that processing by us conflicts with applicable data protection legislation, you can report this to us (see contact data under section 1) or lodge a complaint with the competent data protection supervisory authority (Article 77 of the GDPR).

10. Am I under an obligation to provide data?

As part of our business relationship, you must provide the personal data that are necessary for initiating and carrying out a business relationship and for performing with the associated contractual obligations, or the personal data that we are obligated to collect by law. Without these data, we are usually not able to conclude a contract with you or to perform it.

11. To what extent is automated decision-making utilised?

As a rule, we do not utilise any fully automated decision-making pursuant to Article 22 of the GDPR for establishing and carrying out the business relationship. If we employ this process in individual cases, we will notify you separately thereof, provided that this is required by law.

12. Tracking cookies

The website of Hotel Banana City uses what are known as tracking cookies. They register your IP address, the website from which you accessed our website, the type of browser software and the pages on the Hotel Banana City website that you are currently visiting, including the date and duration. Such tracking data do not make it possible to draw conclusions about the identity of individual users. Therefore, these data cannot be used to identify specific individuals.

Cookies are files that are placed on a computer system through an Internet browser and stored there. The data subject can prevent the storage of cookies by our website at any time by adjusting the settings in the browser being used, and thus permanently object to the placing of cookies. In addition, cookies that have already been placed can be deleted at any time through an Internet browser or other software programs.

13. Plug-ins of social-media platforms

Embedded on the website of Hotel Banana City are plug-ins of various third-party providers of social-media platforms (Facebook, Google+, Tripadvisor, etc.). When accessing a website on which the plug-ins of such third-party providers are embedded, these plug-ins can automatically transfer data to the third-party provider. If the visitor is logged into the network of the relevant third-party provider, the visit to the website can – depending on the provider – be assigned to his or her user profile. Hotel Banana City has no influence over the manner of data transfer.

14. Changes to this Data Protection Policy

We reserve the right to make changes to this Data Protection Policy at any time. You can find the date of the most recent update at the end of this Data Protection Policy.

Version: 1 October 2019