Privacy policy

1. What is this Privacy Policy about?

Data protection is a matter of trust, and your trust is important to us. In this Privacy Policy, we therefore explain how and why we collect, process, and use your personal data.

In this privacy policy, you will learn, among other things:

• what personal data we collect and process;
• the purposes for which we use your personal data;
• who has access to your personal data;
• how our data processing benefits you;
• how long we process your personal data;
• what rights you have regarding your personal data;
• How to contact us.

We have aligned this privacy policy with both the Swiss Data Protection Act and the European General Data Protection Regulation (GDPR). The GDPR has established itself worldwide as the benchmark for strong data protection. However, whether and to what extent the GDPR applies depends on the specific circumstances of each case.

2. Who is responsible for data processing?

Under data protection law, the entity responsible for a specific data processing operation is the company that determines whether such processing should take place, for what purposes it is carried out, and how it is structured. For data processing in accordance with this Privacy Policy, the responsible party is generally either Pradaschier AG Top (Pradafenzerwäg 12, 7075 Churwalden), or Lenzerheide Bergbahnen AG (Voa Principala 80, P.O. Box 160, CH-7078 Lenzerheide), or Lenzerheide Marketing & Support AG (Voa Principala 37, CH-7078 Lenzerheide) is responsible. For a specific data processing activity, these companies may also be jointly responsible if they jointly determine the design or purpose of the data processing in question.

3. Who is this Privacy Policy intended for, and what does it cover?

This Privacy Policy applies to all individuals whose data we process (hereinafter “you”), regardless of how you interact with us—for example, through an online store, on a website, in an app, at a checkout counter, at an information desk, by phone, via social media, at an event, etc. It applies to the processing of both personal data already collected and personal data to be collected in the future.

Our data processing activities may involve the following categories of individuals in particular, to the extent that we process personal data:

• Visitors to our websites;
• People who use our online stores, checkout counters, and retail locations;
• Service providers who offer products and services through our online stores and retail locations;
• other individuals who use our services or come into contact with our offers;
• People who use our online services;
• People who use our facilities and parking lots;
• People who write to us or contact us in other ways;
• Individuals who receive information and marketing communications;
• People who participate in contests and sweepstakes;
• People who attend customer events and public events;
• Individuals who participate in market research, opinion polls, and customer surveys;
• People who volunteer to help at an event;
• People who require assistance from the ski patrol;
• Contact persons at our suppliers, customers, and other business partners, as well as at organizations and government agencies; and
• People who are applying for a job.

Please also review the terms and conditions for individual services (e.g., General Terms and Conditions, Terms of Use, or Terms of Participation). These may contain additional information regarding our data processing activities. For information on the collection and processing of personal data when using our website and social media platforms, particularly in connection with cookies and similar technologies, please also review our Cookie Policy on the website.

4. What personal data do we process?

“Personal data” refers to information that can be linked to a specific individual. We process various categories of such personal data. The most important categories are listed below for your reference. However, in specific cases, we may also process additional personal data.

4.1 Master Data

Master data refers to basic information about you, such as your title, name, contact information, or date of birth. We collect master data when you create a customer account with Pradaschier AG Topanlegen. However, we also collect master data, for example, when you participate in a contest or sweepstakes, sign up for a newsletter, or make a booking without a customer account. We also collect master data regarding contact persons and representatives of contractual partners, organizations, and government agencies.

Master data includes, for example,

• Title, first name, last name, gender, date of birth;
• Address, email address, phone number, and other contact information;
• Payment information (e.g., stored payment methods, bank details, billing address);
• Username and profile picture;
• Information about linked websites, social media profiles, etc.; information about preferences and interests, language preferences, etc.
• Information about your relationship with us (guest, supplier, customer, etc.);
• Information about affiliated third parties (e.g., contact persons or representatives); settings regarding the receipt of advertising, subscribed newsletters, etc.
• Information regarding your status with us (inactive or suspended customer account, store bans, etc.);
• Information regarding participation in contests and sweepstakes;
• Information regarding participation in events (e.g., large-scale events);
• Official documents in which you are listed (e.g., identification documents, extracts from the commercial register, permits, SwissPass, proof of residence, etc.);
• Information regarding the titles and positions within the company of contact persons and representatives of our business partners;
• Date and time of registrations.

In some cases, you may be able to sign in to certain online services using a third-party login (e.g., Apple, Google, or Facebook). In this case, we will have access to certain data stored with that provider, such as your name and email address; you can usually control the scope of this data. For more information, please refer to the privacy policy of the relevant provider.

Disclosing your identity in your public profile on our platforms is optional. The username you choose—which does not have to be your real name—is the one that appears to others.

4.2 Communication Data

When you contact us or we contact you—for example, when you reach out to an information office, or when you write to us or call us—we process the content of the communication and details regarding the nature, time, and location of the communication. In certain situations, we may also ask you to provide proof of identity for verification purposes.

Examples of communication data include

• Name and contact information, such as mailing address, email address, and phone number;
• The content of emails, written correspondence, chat messages, social media posts, comments on a website, telephone calls, video conferences, etc.;
• Responses to customer and satisfaction surveys;
• Information regarding the nature, time, and, where applicable, location of the communication; proof of identity, such as copies of official identification documents;
• Background information on the communication.

4.3 Behavioral and Transaction Data

When you shop with us, make a reservation, use our services and facilities, or use our

When you use our services, we often collect data about that use. This is the case, for example, when you shop in our online store, when you participate in our communities, or when you use our website. If you are acting on behalf of third parties, personal data may also pertain to those third parties (e.g., your family members, if you are shopping on their behalf).

Behavioral and transaction data includes, for example, the following information, to the extent that it is personally identifiable:

• about your behavior in online stores (orders placed and abandoned shopping carts, wish lists, items viewed, search terms and results, payment method, selected shipping method, etc.);
• about your in-store purchases at a checkout or in a restaurant (e.g., where, how often, what, and at what prices you shop, as well as the payment method and delivery option you choose);
• about your attendance at our events (e.g., date, location, and type of event);
• regarding participation in contests, sweepstakes, and similar events;
• about your behavior on websites;
• about your use of electronic communications from us (e.g., whether and when you opened an email or clicked on a link);
• about your use of our Wi-Fi networks (e.g., date, time, and duration of the connection, location of the Wi-Fi network, and data usage).

You can also use some of our services anonymously. For example, you can purchase a non-personalized day pass with cash at the ticket office. However, on our website, behavioral and transaction data may still be linked to your profile even if you are not logged in when you visit the site.

4.4 Technical Specifications

When you use our website, our Wi-Fi networks, or other electronic services, we collect certain technical data, such as your IP address or a device ID. Technical data also includes the logs in which we record the use of our systems (log data). In some cases, we may also assign a unique identifier (an ID) to your device (tablet, PC, smartphone, etc.), for example, using cookies or similar technologies, so that we can recognize it.

Based on technical data, we may also collect behavioral data, specifically information about your use of the website. However, we generally cannot identify you personally from technical data. Technical data includes, among other things:

• your device's IP address and other device identifiers (e.g., MAC address);
• Identifiers assigned to your device by cookies and similar technologies (e.g., pixel tags);
• Information about your device and its configuration, such as the operating system or language settings;
• Information about the browser you are using to access the site and its settings;
• Information about your activity and interactions on our websites and in our apps;
• Information about your Internet service provider;
• Your approximate location and the time of use;
• system-generated records of accesses and other activities (log data).

4.5 Contract Information

Contract data refers to personal data collected in connection with the conclusion of a contract or the

contract processing, e.g., details regarding the conclusion of the contract, acquired rights, and

Claims or information regarding customer satisfaction. We primarily enter into contracts with guests, business partners, and job applicants. A contract is also formed, for example, when you purchase a service from Pradaschier AG Top. When you use our offerings based on a contract—such as purchasing products or using services—we also frequently collect behavioral and transaction data.

Contract details include, for example, information such as

• regarding the initiation and conclusion of contracts, e.g., the date the contract was concluded, details from the application process, and information about the contract in question (e.g., type and duration);
• regarding the processing and administration of contracts (e.g., contact information, shipping addresses, successful or failed deliveries, and payment method information);
• in connection with customer service and technical support;
• about our interactions with you (including, where applicable, a history of such interactions);
• regarding claims and acquired entitlements and benefits (e.g., gift certificates);
• regarding defects, complaints, and contract amendments;
• regarding customer satisfaction, which we can measure through surveys;
• for financial purposes, such as determining creditworthiness (i.e., information that allows conclusions to be drawn about the likelihood that debts will be repaid), for

Reminders, debt collection, and enforcement of claims;

• in connection with a job application, e.g., resume, references, qualifications, certificates, interview notes, etc. (which may also contain personal data of third parties);
• regarding interactions with you as a contact person or representative of a business partner;
• in connection with security checks (e.g., checks for fraudulent activity in connection with orders) and other checks related to the establishment or continuation of a business relationship.

4.6 Audio and Video Recordings

We regularly take photos, videos, and audio recordings in which you may appear, for example, when you attend an event. For security and evidentiary purposes, we also take photos and videos at our rail facilities, on our premises, or at events. In doing so, we may obtain information about your behavior in those areas. The use of video surveillance systems is limited to specific locations and clearly marked.

Examples of visual and audio recordings include:

• Recordings from video surveillance systems;
• Photos, videos, and audio recordings of customer events and public events;
• Photos, videos, and audio recordings of classes, presentations, training sessions, etc.;

5. Where does the personal data come from?

5.1 Data Provided

You often provide us with personal data yourself, for example, when you submit data to us or communicate with us. In particular, you usually provide us with master data, contract data, and communication data yourself. You also frequently provide us with preference data yourself.

You provide us with personal data yourself in the following cases, for example:

• You are entering a sweepstakes or contest;
• Please contact our customer service department or the visitor information desk;
• You are signing up for other offers.

The provision of personal data is generally voluntary, meaning that you are usually not required to disclose personal data to us. However, we must collect and process the personal data necessary for the performance of a contractual relationship and for the fulfillment of related

obligations are required or mandated by law, e.g., mandatory master data and

Contract information. Otherwise, we will not be able to enter into or continue the contract in question.

If you provide us with information about other people (e.g., family members), we assume that you are authorized to do so and that the information is accurate. Please also ensure that these other people have been informed of this Privacy Policy.

5.2 Data Collected

We may also collect personal data about you manually or automatically, for example, when you make a purchase from us, use our offers, or avail yourself of our services. This often includes behavioral and transactional data, as well as technical data (e.g., the time you visit our website or use our app).

For example, we collect personal data about you on our own initiative in the following cases:

• You order a product or service from our online store;
• You are visiting our website;
• You make a purchase at one of our checkout locations, information desks, or other facilities and provide your customer account information;

We can also derive personal data from existing personal data, for example, by analyzing behavioral and transactional data. Such derived personal data often consists of preference data.

5.3 Data Received

We may also receive personal data about you from third parties, such as companies we work with, individuals who communicate with us, or public sources.

For example, we may receive information about you from the following third parties:

• from partners, such as service providers and software vendors;
• from your employer and coworkers, in connection with a job application and your professional duties;
• from third parties, if the correspondence and meetings concern you;
• from people in your circle (family members, legal representatives, etc.), e.g., your address for deliveries, references, or powers of attorney;
• from credit reporting agencies, e.g., when we obtain credit reports;
• from Swiss Post and address brokers, e.g., for address updates;
• from banks, insurance companies, sales partners, and other contractual partners in connection with purchases and payments;
• from online service providers, such as providers of web analytics services;
• Cybersecurity service providers
• from information services to ensure compliance with legal requirements such as anti-money laundering regulations and export restrictions;
• by government agencies, political parties, and other third parties in connection with administrative and judicial proceedings;
• by media monitoring companies in connection with articles and reports in which you appear;
• from public records such as the debt collection register or the commercial register, from public agencies such as the Federal Statistical Office, from the media, or from the Internet.

6. For what purposes do we process personal data?

6.1 Communication

We would like to stay in touch with you and address your specific concerns. We are processing

We therefore use personal data to communicate with you, such as to respond to inquiries and provide customer service. For this purpose, we primarily use communication and master data and, to the extent that the communication relates to a contract, contract data as well. We may also personalize the content and timing of messages based on behavioral, transactional, and preference data, as well as other data.

The purpose of communication includes, in particular:

• responding to inquiries;
• to contact you if we have any questions;
• customer service and customer care;
• communication related to recalls or refunds (for example, we may

contact you directly if we know that you have purchased a product that is covered by a

(such as a refund or an issue with the processing of services);

• the delivery of other notifications (e.g., order status updates);
• authentication, e.g., when using our online services;
• quality assurance and training;
• all other processing purposes, provided that we communicate with you in connection with them (e.g., contract fulfillment, providing information, and direct marketing).

6.2 Contract Execution

We want to provide you with the best possible service. We therefore process personal data in connection with the initiation, management, and fulfillment of contractual relationships, for example, to deliver an order, provide a service, facilitate purchases and services, build our communities, or organize a contest. Contract fulfillment also includes any agreed-upon personalization of services. To this end, we use, in particular, master data, contract data, communication data, behavioral and transaction data, as well as preference data.

The scope of contract performance generally includes everything that is necessary or appropriate for concluding, performing, and, if necessary, enforcing a contract.

These include, for example, the following modifications:

• to determine whether and how (e.g., using which payment options) we will enter into a contract with you (including a credit check);
• to provide contractually agreed services, such as delivering goods, providing services, and making features available (including personalized service components);
• to provide customer service and measure customer satisfaction;
• to determine the winners of contests and sweepstakes, notify them, and, if applicable, publish their names;
• to bill for our services and for general accounting purposes;
• to plan and prepare for the provision of our services, e.g., scheduling our employees;
• to assess the suitability of job applicants and, if necessary, to prepare and finalize the employment contract;
• to determine whether we want to and are able to work with a company, as well as to monitor and evaluate its performance;
• to prepare and execute corporate transactions, such as acquisitions, divestitures, and mergers;
• to enforce legal claims arising from contracts (debt collection, legal proceedings, etc.);
• to manage and administer our IT and other resources; to store data in accordance with retention requirements;
• to cancel and terminate contracts.

6.3 Market Research and Product Development

We are committed to continuously improving our offerings and making them more appealing to you. For this reason, we process personal data for market research and product development. In particular, we process demographic, behavioral, transactional, and preference data, as well as

Communication data and information from customer surveys, polls, and studies, as well as other information, such as from the media, the internet, and other public sources. Whenever possible, we use pseudonymized or anonymized data for these purposes.

Market research and product development include, in particular:

• conducting customer surveys, polls, and studies;
• the further development of our offerings (e.g., product design, site selection, pricing, etc.);
• assessing and improving the reception of our offerings and our communication regarding those offerings;
• optimizing and improving the user-friendliness of websites and apps;
• the development and testing of new offerings;
• reviewing and improving our internal processes;
• statistical analyses, e.g., to evaluate information about our customers’ interactions with us on a non-personal basis;
• an assessment of the supply situation in a particular market and the behavior of our competitors;
• market monitoring, e.g., to understand current developments and trends and respond to them.

6.4 Safety and Prevention

We want to ensure your safety and ours and prevent misuse. We process

We therefore also process personal data for security purposes, to ensure IT security, to prevent theft, fraud, and misuse, and for evidentiary purposes. This may involve all categories of personal data listed in Chapter 4, including, in particular, behavioral and transaction data, as well as image and audio recordings. We may collect, analyze, and store this data for the purposes described above.

The scope of safety and prevention includes, for example:

• the creation and analysis (manual and automated) of video recordings and visual material for the detection and investigation of criminal acts;
• conducting spot checks to verify the proper use of tickets on mountain railways or at events;
• issuing bans from the premises and managing lists of banned individuals;
• the analysis of behavioral and transactional data to identify suspicious patterns of behavior and fraudulent activities;
• the analysis of system-generated records of the use of our systems (log data);
• preventing, defending against, and investigating cyberattacks and malware attacks;
• Analyses and tests of our networks and IT infrastructures, as well as system and error checks;
• Control of access to electronic systems (e.g., user account logins); • physical access controls (e.g., access to office premises);
• For documentation purposes and to create backup copies.

6.5 Compliance with Legal Requirements

We want to establish the conditions necessary to comply with legal requirements. We therefore also process personal data to comply with legal obligations and to prevent and detect violations. This includes, for example, receiving and processing complaints and other reports, complying with orders from a court or an authority, and taking measures to detect and investigate abuses. This may involve all categories of personal data listed in Chapter 4.

Compliance with legal requirements includes, in particular:

• the protection of young people and minors, e.g., enforcing age limits for the purchase of alcohol and cigarettes;
• the implementation of health and safety plans;
• Background checks on business partners;
• receiving and processing complaints and other reports;
• conducting internal investigations;
• ensuring compliance and risk management;
• the disclosure of information and documents to public authorities when we have a legitimate reason to do so (e.g., because we ourselves are an aggrieved party) or are legally required to do so;
• cooperation in external investigations, e.g., by a law enforcement or regulatory authority;
• ensuring the data security required by law;
• the fulfillment of disclosure, information, or reporting obligations, e.g., in connection with regulatory and tax obligations, such as archiving requirements, and for the purpose of

Prevention, detection, and investigation of crimes and other offenses;

• the legally mandated fight against money laundering and terrorist financing.

In all cases, this may involve Swiss law, but also foreign regulations to which we are subject, as well as self-regulatory measures, industry and other standards, our own corporate governance policies, or official directives.

6.6 Legal Compliance

We want to be able to enforce our claims and defend ourselves against claims made by others. We therefore also process personal data for the purpose of legal defense, e.g., to enforce claims in court, in pre-litigation or out-of-court proceedings, and before authorities in Switzerland and abroad, or to defend ourselves against claims. In doing so, we process different types of personal data depending on the circumstances, e.g., contact information as well as details regarding events that have given rise to or could give rise to a dispute.

For the purpose of safeguarding legal rights, this includes, in particular:

• the investigation and enforcement of our claims, which may also include claims by our affiliated companies and our contractual and business partners;
• the defense against claims brought against us, our employees, our affiliated companies, and our contractual and business partners;
• the assessment of the prospects of a lawsuit and other legal, economic, and related issues;
• participation in proceedings before courts and government agencies both in Switzerland and abroad. For example, we can preserve evidence, assess the prospects of a case, or submit documents to a government agency. Government agencies may also request that we disclose documents and data storage media containing personal data.

6.7 Internal Administration and Support

We aim to streamline our internal processes. For this reason, we also process personal data for the internal administration of Pradaschier AG Top. In particular, we process master data, contract data, and technical data, as well as behavioral and transaction data and communication data.

Internal administration includes, in particular:

• IT and real estate management;
• accounting;
• the archiving of data and the management of our archives;
• training and education, e.g., when we review recordings of telephone, video, or other communications;
• the review or execution of corporate transactions, such as

Acquisitions, divestitures, and mergers;

• forwarding inquiries to the appropriate departments, e.g., if you submit an inquiry to a company regarding another company;
• the sale of receivables, in which we provide the purchaser with information such as the basis and amount of the receivable and, where applicable, the debtor’s creditworthiness and payment history;

generally, the review and improvement of internal processes.

7. On what legal basis do we process personal data?

Depending on the purpose of the data processing, our processing of personal data is based on different legal grounds. In particular, we may process personal data if the processing:

• is necessary for the performance of a contract with the data subject or for precontractual measures (e.g., reviewing a contract application);
• is necessary for the purposes of legitimate interests, for example when data processing is a central part of our business operations;
• is based on consent;
• is necessary to comply with domestic or foreign laws and regulations.

In particular, we have a legitimate interest in processing data for the purposes described above in Chapter 6 and in disclosing data in accordance with Chapter 8, as well as in achieving the associated objectives. These legitimate interests include both our own interests and those of third parties.

These legitimate interests include, for example, the interest

• to deliver products and services to third parties (e.g., to recipients of gifts);
• a commitment to excellent customer service, maintaining relationships, and communicating with customers even outside the scope of a contract;
• advertising and marketing activities;
• to get to know our customers and other people better;
• to improve existing products and services and develop new ones;
• internal administration and internal communications;
• on mutual support among companies in their activities and goals;
• in combating fraud, for example in online stores, and in preventing and investigating crimes;
• the protection of customers, other individuals, and data, as well as company secrets and assets;
• ensuring IT security, particularly in connection with the use of websites, apps, and other IT infrastructure;
• in ensuring and organizing business operations, including the operation and further development of websites and other systems;
• in corporate management and development;
• the sale or purchase of companies, parts of companies, and other assets;
• to assert or defend legal claims;
• compliance with Swiss and foreign laws as well as internal rules.

8. Who do we share personal data with?

8.1 Within the companies (PAGT, LBB, LMS)

We may share personal data that we receive from you or from third-party sources with the companies listed above. Such sharing may serve internal administrative purposes or support the relevant companies and their own processing purposes (Chapter 6), for example when we assist with the personalization of marketing activities, the development and improvement of products and services, the conduct of credit checks, or efforts to prevent theft, fraud, and abuse. The personal data received may also be compared and linked by the relevant group companies with existing personal data, as appropriate.

This may include, for example, the following disclosures of data:

• All categories of personal data listed in Chapter 4 for the administration and management of contractual relationships, particularly in connection with products and services that involve the services of multiple companies;
• Master data, contract data, communication data, behavioral and transaction data, and preference data, as well as insights from customer surveys, polls, and studies, and audio and video recordings for market research and product development, to the extent that such data must be linked to specific individuals;
• Master data, contract data, communication data, behavioral and transaction data, preference data, as well as image and audio recordings for the delivery and personalization of offers, communications, and marketing activities;
• Master data, contract data, communication data, behavioral and transaction data, as well as preference data for fraud and abuse prevention and for credit checks (e.g., in connection with a purchase on account);
• Master data, behavioral and transaction data, as well as video and audio recordings for theft prevention and for evidentiary purposes;
• Safety-related information for safety purposes and to ensure compliance with legal requirements;
• Information regarding assistance with legal protection.

For example, if you contact us with a question about a product or service, we may share this information with the relevant company for the purpose of improving our products and services.

8.2 Outside the companies (PAGT, LBB, LMS)

We may share your personal data with companies outside our group of affiliated companies when we use their services. As a rule, these service providers process personal data on our behalf as so-called “data processors.” Our

Data processors are required to process personal data strictly in accordance with our instructions and to implement appropriate data security measures. Certain service providers share responsibility with us or are solely responsible (e.g., debt collection agencies). By carefully selecting service providers and entering into appropriate contractual agreements, we ensure that data protection is maintained throughout the entire processing of your personal data.

This includes, for example, services in the following areas:

• Operation of the mountain railways' access system;
• Operation of access control systems at events;
• Freight forwarding and logistics, e.g., for shipping ordered goods;
• Advertising and marketing services, such as sending communications and information;
• Business administration, such as accounting or asset management; payment services;
• Credit information, e.g., if you wish to make a purchase on account;
• Debt collection services;
• Insurance provider
• Fraud prevention services provided by payment service providers on their own responsibility, such as PayPal Fraud Protection. These procedures apply only if you are already a customer of the respective payment service provider. More detailed information is available in the privacy policy of the respective service provider;
• IT services, such as data storage (hosting), cloud services, email newsletter distribution, data analysis and processing, etc.;
• Consulting services, such as those provided by tax advisors, attorneys, management consultants, or recruitment and placement consultants.

We may also share personal data with other third parties for their own purposes, for example, if you have given us your consent or if we are required to do so

are legally required or authorized to do so. In such cases, the recipient of the data is considered a separate data controller under data protection law.

These include, for example, the following cases:

• Reporting to the authorities
• Information regarding product recalls issued by manufacturers, provided that you have purchased a product from that manufacturer from us.
• the transfer of receivables to other companies, such as debt collection agencies;
• the review or execution of corporate transactions, such as acquisitions, divestitures, and mergers;
• the disclosure of personal data to courts and authorities in Switzerland and abroad, e.g., to law enforcement agencies in cases of suspected criminal activity;
• the processing of personal data to comply with a court order or an administrative order, or to assert or defend legal claims, or if we deem it necessary for other legal reasons. In doing so, we may also disclose personal data to other parties involved in the proceedings.

Please also review our cookie policy regarding the independent collection of data by third-party providers whose tools we have integrated into our websites and apps.

We are generally not bound by any professional duty of confidentiality (such as bank or medical confidentiality). Please let us know on a case-by-case basis if you believe that certain personal data is subject to a duty of confidentiality so that we can review your request.

9. How do we disclose personal data abroad?

We generally process and store personal data in Switzerland and within the European Economic Area (EEA). In certain cases, however, we may also disclose personal data to service providers and other recipients located outside this area or who process personal data outside this area, in principle in any country in the world. The countries in question may not have laws that protect your personal data to the same extent as in Switzerland or the EEA. If we transfer your personal data to such a country, we will ensure the protection of your personal data in an appropriate manner.

One way to ensure adequate data protection is, for example, to enter into data transfer agreements with the recipients of your personal data in third countries that guarantee the necessary data protection. These include agreements that have been approved, issued, or recognized by the European Commission and the Federal Data Protection and Information Commissioner, known as standard contractual clauses. Please note that such contractual arrangements partially compensate for weaker or absent legal protection but cannot completely eliminate all risks (e.g., from government access abroad). In exceptional cases, transfers to countries without adequate protection may also be permitted in other circumstances, e.g., based on consent, in connection with legal proceedings abroad, or if the transfer is necessary for the performance of a contract.

10. How do we process sensitive personal data?

Under data protection law, certain types of personal data are considered “particularly sensitive,” e.g.,

Health information and biometric characteristics. Depending on the circumstances, the following may be included in

The categories of personal data listed in Chapter 4 also include sensitive personal data. However, we generally process sensitive personal data only if it is necessary for the provision of a service (e.g., the mountain railways’ rescue service), if you have voluntarily provided us with this data, or if you have consented to its processing. We may also process sensitive personal data if this is necessary to defend our legal rights or comply with domestic or foreign legal regulations, if the relevant data has been publicly disclosed by the data subject, or if applicable law otherwise permits its processing.

We may process special categories of personal data, for example, in the following cases:

• You use the mountain railway rescue service;
• When you apply for a job opening, you provide information about your health, union membership, or any criminal convictions or criminal penalties.
• They are checking with us regarding the availability of meal options that reflect religious affiliations.

11. How do we protect personal data?

We take appropriate technical and organizational security measures to ensure that the

To safeguard the security of your personal data in order to protect it against unauthorized or unlawful processing and to mitigate the risk of loss, accidental alteration, unintended disclosure, or unauthorized access. However, like all companies, we cannot completely rule out data breaches; certain residual risks are unavoidable.

Technical security measures include, for example, encryption and

Data pseudonymization, logging, access restrictions, and the storage of backup copies. Organizational security measures include, for example, guidelines for our employees, training, and audits. We also require our data processors to implement appropriate technical and organizational security measures.

12. How long do we retain personal data?

We process and store your personal data,

• for as long as necessary for the purpose of the processing or for purposes compatible with that purpose; in the case of contracts, generally at least for the duration of the contractual relationship;
• as long as we have a legitimate interest in storing the data. This may be the case, in particular, when we need personal data to assert or defend against claims, for archiving purposes, and to ensure IT security;
• as long as they are subject to a legal retention requirement. The following applies to certain data:

For example, a ten-year retention period. Shorter retention periods apply to other types of data, such as video surveillance recordings or records of certain online activities (log data).

In certain cases, we may also ask for your consent if we wish to retain your personal data for a longer period. Once the specified retention periods have expired, we will delete or anonymize your personal data.

We generally follow the retention periods listed below, although we may deviate from them in specific cases:

• Customer Account: Personal data is stored for the duration of the customer account. If a request is made to delete the customer account, the data will be deleted no later than 30 days after reviewing any outstanding claims and other relevant factors that prevent immediate deletion. Instead of deletion, the data may also be anonymized.
• Contracts: We generally retain master and contract data for ten years from the date of the last contract activity or from the end of the contract. However, this period may be longer if necessary for evidentiary purposes, due to legal or contractual requirements, or for technical reasons. Transaction data related to contracts is generally retained for ten years.
• Technical specifications: Cookies are typically stored for a period ranging from a few days to two years, unless they are deleted immediately after the session ends.
• Communication records: Emails, messages sent via the contact form, and written correspondence are generally retained for ten years.
• Audio and video recordings: The retention period varies depending on the purpose. It ranges from a few days for security camera footage to several years for reports on events that include video footage.
• Job Applications: We generally delete application data within six months of the conclusion of the application process. With your consent, we may keep your application on file for potential future employment.

13. What rights do you have regarding the processing of your personal data?

You have the right to object to the processing of your data, especially if we

Process personal data based on a legitimate interest, provided that the other applicable requirements are met. You may also object at any time to data processing related to direct marketing (e.g., promotional emails).

Provided that the applicable conditions are met and no legal exceptions apply, you also have the following rights:

• the right to request information about your personal data stored by us;
• the right to have inaccurate or incomplete personal data corrected;
• the right to request the deletion or anonymization of your personal data;
• the right to request that the processing of your personal data be restricted;
• the right to receive certain personal data in a structured, commonly used, and machine-readable format;
• the right to withdraw consent with future effect, to the extent that processing is based on consent.

Please note that these rights may be restricted or excluded in certain cases, for example, if there is doubt regarding your identity or if it is necessary to protect others, to safeguard legitimate interests, or to comply with legal obligations.

You can exercise the most important of the rights listed above by contacting us via the contact information provided in Chapter 15. If you have a customer account, you can correct the personal information stored there (e.g., your address) at any time. You can also unsubscribe from newsletters and other promotional emails by clicking the corresponding link at the bottom of the email. You can also contact us if you wish to exercise any of your rights or if you have questions about the processing of your personal data.

You are also free to file a complaint with the relevant supervisory authority if you have concerns about whether the processing of your personal data complies with the law.

• The competent supervisory authority in Switzerland is theFederalData Protection andInformation Commissioner( ) (EDÖB).

15. How can you contact us?

If you have any questions about this Privacy Policy or the processing of your personal data, you can contact the relevant company using the contact information provided on its website.

You are also welcome to contact us at any time as follows:

Pradaschier AG Top
Pradafenzerwäg 12
7075 Churwalden

Or by email to: info@pradaschier.ch, with the subject line: Data Protection