Dataprotection Employees_ENGLISH_Winter 2024-25



Data Protection Directive

Gstaad Palace

1. Purpose and Principles

This data protection directive contains regulations on the protection of personal data that apply to Gstaad Palace (Company). The directive provides employees with the fundamental principles of data protection and, together with other measures and documents, enables them to carry out their activities in compliance with applicable data protection regulations.

As the Company processes a wide range of personal data related to the hotel industry, Swiss data protection laws and, where applicable, other data protection regulations (e.g., European regulations) are relevant to the Company.

2. Scope

This data protection directive applies to all employees of the Company who process personal data. Employees are required to comply with the relevant data protection regulations and this data protection directive as part of their employment obligations.

3. Subject

The subject of this data protection directive is the processing of personal data, regardless of the nature and form of processing (i.e., on paper, digitally, or orally, and whether fully, partially, or non-automated).

4. Definitions

The applicable data protection law defines some important terms. In principle, the following terms have the same meaning as defined in the Federal Act on Data Protection (FADP). The most important terms have the following meaning:

Personal data: personal data is all information relating to an identified or identifiable natural person.

Example: name, address, location data, online identifiers such as device ID, cookie ID, IP address, RFID tags, etc.

Note: it concerns natural persons and not legal persons or other entities. However, information about a contact person of a supplier or other B2B relationship is also considered personal data.

Sensitive personal data: personal data falling into the following categories:

‒ data on religious, ideological, political or trade union-related views or activities;

‒ data on health, the intimate sphere or racial or ethnic origin;

‒ genetic data;

‒ biometric data uniquely identifying a natural person;

‒ data on administrative or criminal proceedings and sanctions; and

‒ data on social security measures.

Examples: Recordings from video surveillance systems, health data of employees, criminal records of employees, etc.

Data subject: Any natural person whose personal data is processed.

Examples: customers, employees, partners or partners' contact persons, suppliers or suppliers' contact persons, etc.

Processing: processing of personal data includes any operation with personal data, irrespective of the means and procedures applied.

Examples: collection, retention, storage, use, alteration, disclosure, archiving, deletion, or destruction of data.

5. Principles for Processing of Personal Data

The Company and all employees adhere to the following principles when processing personal data:

5.1 Lawfulness, Fairness, Transparency

Personal data must be processed in a lawful, fair, and transparent manner that is comprehensible to the data subject. Transparency, in particular, requires that the collection of personal data, as well as the scope and purpose of the processing, is transparent to the data subject (e.g., through a privacy policy providing the necessary information about the specific processing). Therefore, employees must ensure that data subjects have been informed about such matters and other details as outlined in Sections 8 and 9 when handling personal data.

Practical instructions:

Before processing personal data, employees must ensure that such processing is lawful, i.e., that the principles of processing personal data, as set out in this Section and in Sections 8 and 9, are adhered to, and that, if necessary, consent has been obtained from the data subject. Furthermore, employees must ensure that data subjects have been transparently informed about the respective processing of their personal data before it takes place.

If there are doubts about whether these requirements are met, the processing must be suspended until the data protection coordination unit confirms its legality. Processing activities explicitly declared lawful in other directives are exempted.

5.2 Purpose Limitation

Personal data may only be collected for specified, explicit, and, if the processing is subject to the GDPR, lawful purposes, and any further processing should be carried out only within the scope of this purpose. The processing of data for which no purpose has been specified, for example in a privacy policy, is therefore not permissible.

If data is to be further processed for a purpose other than the one initially specified, employees must assess whether the new purpose is still within the scope of the original purpose, i.e., whether it is compatible with the initial purpose.

Under certain circumstances, personal data may be processed for additional purposes that go beyond the initial purpose for which the data was collected. To determine whether processing is compatible with a purpose other than the initial one, the Company takes into account various factors, in particular:


‒ any connection between the purposes for which the personal data was collected and the purposes of the intended further processing;

‒ the context in which the personal data was collected, in particular with regard to the relationship between the data subjects and the data controller;

‒ the type of the personal data, in particular whether sensitive personal data is being processed;

‒ the potential consequences of the intended further processing for the data subjects; and

‒ the existence of appropriate safeguards and further measures, such as encryption or pseudonymisation.

Practical instructions:

To assess the lawfulness of further processing of personal data, the data protection coordination unit must be consulted prior to the start of such processing, and its consent for the processing must be obtained.

The data protection coordination unit shall indicate the basis for the processing of the respective personal data.

5.3 Data Minimisation

The processing of personal data must be adequate, relevant, and limited to the specified purpose. Therefore, no more data may be collected or processed than is necessary for the processing purpose.

Practical instructions:

Before processing personal data, it must be checked whether the data to be collected or processed is absolutely necessary for the purpose of processing.

If this is not the case, such personal data may only be processed based on the valid consent of the data subjects.

Examples:

1. On the hotel website, it is possible to register to receive the newsletter. The title, name and email address are collected and marked as mandatory information. For sending a newsletter, however, it would be sufficient for the guest to provide an e-mail address. In order to comply with the principle of data minimization, only the e-mail address may be collected as mandatory information. The title and name may only be collected on a voluntary basis.

2. The guest must fill in a registration form in the hotel. In addition to the title, name and address and other information required by law, the guest's interests are marked as mandatory information. For compliance with the statutory notification duty, however, it would be sufficient for the guest to provide the information required by law. In order to comply with the principle of data minimization, only the information required by law may be collected. The interests of the guest may only be collected on a voluntary basis.

If there is any doubt as to whether certain data may be collected as mandatory information, the processing must be suspended until the data protection coordination unit has analysed the specific case and made a relevant decision. Processing that has been explicitly declared lawful in other directives is exempt.

5.4 Accuracy of Personal Data

Personal data shall be accurate and kept up to date. However, there is no obligation for active research regarding the accuracy of the data. If there are reasonable grounds to believe that personal data may no longer be up-to-date, this suspicion must be investigated, and the relevant data must be corrected if necessary.

Practical instructions:

Employees who become aware of inaccurate data should inform their supervisor or correct the data themselves, provided they have the necessary processing rights and there are no doubts as to the inaccuracy.

5.5 Storage Limitation

Personal data must be stored in a form that allows the identification of the data subjects only for as long as necessary for the purposes for which they are being processed. Data that is no longer needed must therefore be deleted or anonymised. The question of when data is no longer needed cannot be generalised and must be determined on a case-by-case basis or specified in specific directives. The Company and all employees of the Company shall not store personal data for longer than is necessary for the purposes for which it was originally collected or subsequently processed.

Practical instructions:

What is considered a necessary retention period depends on the circumstances of each individual case and is determined with the assistance of the data protection coordination unit.

5.6 Integrity and Confidentiality (Data Security)

Personal data must be processed in a manner that ensures appropriate security of the personal data. It must therefore be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage through appropriate technical and organisational measures. Employees must in particular ensure that other persons, including fellow employees, cannot access or process personal data unless their authorisation has been clearly established.

Practical instructions:

Each employee contributes to ensuring that data security is maintained in the Company. If it is established that the integrity or confidentiality of personal data has been compromised (e.g., by sending an email with a customer list to an incorrect recipient, suspicion of a phishing email, etc.), the data protection coordination unit must be immediately notified. The data protection coordination unit decides on the further course of action.

5.7 Documentation Requirement

The management of the Company shall ensure that the aforementioned principles are adhered to for all personal data. It is obliged to be able to prove compliance at any time in a documented manner.

5.8 Consent

The Company obtains the necessary consents from the data subjects in a timely manner, i.e. before any processing is carried out for which consent is required.

If explicit consent is required, it must be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data.

A declaration of consent should be provided in an intelligible and easily accessible form, using clear and plain language. It should be clearly distinguishable from other matters and not contain any unfair terms.

Additionally, the data subject should be provided with a simple method to withdraw its consent at any time.

Practical instructions:

When assessing whether the requirements for consent are met, the further instructions should also be taken into account.

If there are doubts, employees shall refrain from processing the data until the data protection coordination unit confirms compliance with the requirements.

6. Special Processing Activities

6.1 Processing of sensitive Personal Data

The Company and all employees process sensitive personal data only after consultation with the data protection coordination unit, under the following conditions and only to the extent that there are no legal provisions prohibiting such processing:

‒ the data subject has provided explicit consent to the processing of the data for one or more specified purposes;

‒ the processing is necessary for the Company or the data subject to exercise their rights or comply with their obligations under labour law and social security and social protection law;

‒ the processing relates to personal data which the data subject has manifestly made public; or

‒ the processing is necessary for the establishment, exercise or defence of legal claims or for actions before courts.

Employees refrain from processing sensitive personal data until the data protection coordination unit confirms the lawfulness of the processing.

Practical instructions:

Before processing sensitive personal data, the data protection coordination unit is consulted, its approval for the processing is obtained, and the basis for the processing of the personal data concerned is specified.

The Company applies enhanced security measures when processing sensitive personal data.

6.2 Processing of Child's Personal Data

Personal data of a child shall in principle only be processed if the child has reached the age of sixteen. If the child has not yet reached the age of sixteen, their personal data shall only be processed if and to the extent that consent to processing has been given by the child's legal representative.

The Company, as well as all employees, make reasonable efforts to ensure that in such cases, consent has been given by the legal representative of the child.

Practical instructions:

If there are doubts about whether the requirements for consent by the legal representative are met, employees shall refrain from processing the data until the data protection coordination unit confirms compliance with the requirements.

6.3 Digital Marketing

No communications for advertising or marketing purposes will be sent to contacts (customers, suppliers, etc.) via digital media such as email, internet, or mobile phones without obtaining prior consent from the data subjects. If consent for the processing of personal data for digital marketing purposes is obtained, the data subject will be informed in each communication that they have the right to withdraw their consent at any time.

Practical instructions:

If there is any doubt as to whether a communication is of an advertising nature, whether consent has been given, or whether consent has been withdrawn, the data processing must be suspended until the data protection coordination unit confirms compliance with the digital marketing requirements.

Good Practice:

The following is not allowed:

- pre-ticked opt-in boxes;

- relying on silence, inactivity, default settings, or your terms and conditions; and

- only requiring an opt-out choice without explicit opt-in.

The following must be ensured:

- records relating to the consent procedure are kept (e.g., date of consent, type of consent, and information provided to the data subject);

- the consent to processing is distinguishable, clear, and not associated with other written agreements or statements. Separate consent is obtained for different processing operations (consent to direct marketing shall never be linked to other processing consents);

- data subjects are informed that they have the right to withdraw their consent at any time; and

- simple methods are provided in the system to withdraw consent.

Note: certain special conditions may apply to existing customers, and these must be assessed on a case-by-case basis together with the data protection coordination unit.

7. Records of processing activities

The Company and, where applicable, its representatives, shall maintain a record of all processing activities under its responsibility. This record shall include at least the following information:

‒ the identity of the data controller, i.e., the name and contact details of the Company and, where applicable, the joint controller, their representatives, and the data protection officer;

‒ the purposes of the processing;

‒ a description of the categories of data subjects and of the categories of personal data processed;

‒ the categories of recipients to whom the personal data have been or will be disclosed (including recipients in third countries or international organisations);

‒ where possible, the retention period of the personal data or the criteria for determining this period;

‒ where possible, a general description of the technical and organisational security measures; and

‒ when the data is disclosed abroad, the indication of the country and the implemented safeguards to ensure an adequate level of data protection.

Practical instructions:

To keep the record of processing activities up-to-date, employees shall notify the data protection coordination unit of new processing activities indicating the aforementioned information before they are included in the record.

8. Information Obligations when collecting Personal Data directly from Data Subject

At the time of collection of the personal data, the following information in particular must be provided by the Company to the data subjects:

‒ the identity and contact details of the Company;

‒ the processing purposes;

‒ where applicable, the recipients or categories of recipients of the personal data;

‒ when disclosing personal data abroad: the country or international organisation involved and, where applicable, the safeguards to ensure an adequate level of data protection or the application of an exception to ensure an adequate level of data protection; and

‒ when making automated individual decisions: the possibility for the data subject to express their point of view on the decision made without human intervention, as well as the possibility to have the automated individual decision reviewed by a natural person.

If the applicable data protection law, such as European data protection law, includes additional provisions, it may require that the provided information also includes the following details:

‒ the legal basis for the processing;

‒ where applicable, the intention to transfer the personal data to a third country and the existence or absence of an adequacy decision by the EU Commission, a reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available;

‒ the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

‒ the existence of the right to access the relevant personal data and the rights to rectification, erasure, restriction of processing, and objection to processing, as well as the right to data portability;

‒ where applicable, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

‒ the right to lodge a complaint with a supervisory authority; and

‒ where applicable, the existence of automated decision-making, including profiling, and in such cases, meaningful information about the logic involved, the significance, and the envisaged consequences of such processing for the data subject.

This information is usually provided to data subjects through a privacy policy.

Practical instructions:

To ensure that the information provided to data subjects remains up-to-date, employees shall notify the data protection coordination unit of new processing activities before they are carried out indicating the aforementioned information.

9. Information Obligations when collecting Personal Data indirectly

Personal data about data subjects may also be collected indirectly, i.e., from third parties. However, this does not exempt the Company from informing the data subject about the processing. In addition to the information listed in Section, the Company shall also inform the data subject about the categories of personal data processed. This information shall be provided to the data subject no later than one month after the Company has received the personal data from the third party, or at the time of disclosure to a third party if it occurs before the one-month period.

If the applicable data protection law, such as European data protection law, includes additional provisions, it may require that the provided information also includes the following details in addition to those outlined in Section 8 above:

‒ from which source the personal data originate; and

‒ where applicable, whether it came from publicly accessible sources.

Practical instructions:

To ensure that the information provided to data subjects remains up-to-date, employees shall notify the data protection coordination unit of new processing activities before they are carried out indicating the aforementioned information.

10. Rights of Data Subjects

The Company and all employees respect the following rights of the data subject:

10.1 Right of access

Every data subject has the right to request confirmation from the Company as to whether their personal data is being processed. Received requests for information shall be forwarded immediately to the data protection coordination unit if they have not been received by the latter.

Before responding to the request, it is mandatory to verify the identity of the data subject. If the identity can be clearly established, the data subject has the right to obtain the following information regarding their own personal data:

‒ the identity and contact details of the data controller;

‒ the personal data processed as such;

‒ the purposes of the processing;

‒ the retention period of the personal data or, if not possible, the criteria used to determine this retention period;

‒ the available information about the source of the personal data, insofar as it has not been obtained directly from the data subject;

‒ where applicable, the existence of automated individual decision-making, including profiling, and the logic behind such decision-making;

‒ where applicable, the recipients or categories of recipients to whom personal data is disclosed, as well as the country or international organisation involved, and, if applicable, the safeguards implemented to ensure an adequate level of data protection or the application of an exception to ensure an adequate level of data protection.

If the applicable data protection law, such as European data protection law, includes additional provisions, it may require that the provided information also includes the following details:

‒ the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

‒ the right to lodge a complaint with a supervisory authority;

‒ the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, and the envisaged consequences of such processing for the data subject.

The Company shall provide a copy of the personal data that is the subject of processing in a commonly used, structured and machine-readable format.

The disclosure of the requested information to the data subject may potentially result in the disclosure of personal data pertaining to another data subject. In such cases, the information relating to the other persons must be redacted or withheld, depending on what is necessary or appropriate to protect that person's rights.

Practical instructions:

Requests from data subjects for information about their personal data must be forwarded immediately to the data protection coordination unit.

10.2 Right to Rectification

The data subject shall have the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Practical instructions:

Requests from data subjects to rectify their personal data must be forwarded immediately to the data protection coordination unit.

Requests from data subjects for the rectification of employee data shall be addressed to the human resources department of the Company.

10.3 Right to Erasure (Right to be forgotten)

The data subject shall have the right, under certain circumstances, to obtain from the Company the erasure of personal data concerning him or her without undue delay. The Company shall have the obligation to inform any involved processors about the erasure and, if necessary, to oblige them to erase the data. If the Company itself acts as a processor, it must inform the controller of the request for erasure without undue delay.

Practical instructions:

Requests from data subjects to erase their personal data must be forwarded immediately to the data protection coordination unit.

Requests from data subjects for the erasure of employee data shall be addressed to the human resources department of the Company.

10.4 Right to Restriction of Processing

The data subject shall have the right to obtain restriction of processing of their personal data where one of the following applies:

‒ the accuracy of the personal data is contested by the data subject. The processing shall be restricted by marking data as disputed for a period enabling the Company to verify the accuracy of the personal data;

‒ the processing is unlawful, and the data subject requests the restriction of the use of their personal data instead of the erasure;

‒ the Company no longer needs the personal data for the purposes of the processing, but the data subject requires it for the establishment, exercise, or defence of legal claims and requests the restriction of the use of their personal data instead of the erasure; or

‒ the data subject has objected to the processing in accordance with the right to object. The restriction shall be in place until it is established whether the legitimate grounds of the Company override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent, for the establishment, exercise, or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest.

A data subject who has obtained restriction of processing shall be informed by the Company before the restriction of processing is lifted.

Practical instructions:

Requests from data subjects to restrict the processing of their personal data must be forwarded immediately to the data protection coordination unit.

10.5 Data Portability

The data subject shall have the right to receive the personal data concerning them, which they have provided to the Company, in a structured, commonly used, and machine-readable format. The data subject shall also have the right to request that the Company transmit those data to another company without hindrance, provided that:

‒ the processing is based on consent of the data subject;

‒ the processing is carried out in connection with entering into or the performance of a contract between the Company and the data subject; or

‒ the processing is carried out by automated means.

Practical instructions:

Requests from data subjects to transmit their personal data must be forwarded immediately to the data protection coordination unit.

10.6 Right to object

The data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them.

In such cases, the Company shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Practical instructions:

If the data subject exercises the right to object, the data protection coordination unit must be informed immediately.

10.7 Rights related to automated individual Decision-Making

A data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Exceptions are permitted where provided by law.

The Company shall only apply automated individual decisions that have legal effects on data subjects if the decision is necessary for the entering into or performance of a contract between the data subject and the Company, is necessary due to applicable statutory provisions, or is made with the explicit consent of the data subject.

In this context, decisions are those that are based solely on automated data processing and either have legal effects on the data subject or significantly affect the data subject in a similar way. Therefore, for example, in the case of an automated credit check, which may result in a refusal to enter into a contract with a person, the provisions of this Section must be observed.

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate, analyse, or predict certain personal aspects relating to a data subject, in particular concerning that data subject's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements. Where profiling is associated with automated individual decision-making that either has legal effects on the data subject or significantly affects the data subject in a similar way, the provisions of this Section must be observed.

The Company ensures that profiling and automated individual decision-making are based on accurate data.

Practical instructions:

The employees shall refrain from automated individual decision-making until the data protection coordination unit has declared its use and modalities to be lawful.

10.8 Procedure for requests from data subjects

Practical instructions:

If requests for information, deletion, rectification, data portability, withdrawal of consent, and objections to data processing based on legitimate interests are not automatically received by the data protection coordination unit, they shall be immediately forwarded to the data protection coordination unit.

The employees are prohibited from processing requests from data subjects and communicating with data subjects without prior coordination with the data protection coordination unit.

11. Transfer of Personal Data to third Parties

11.1 Principle

The transfer of personal data abroad is generally permissible if an adequate level of data protection can be ensured for the respective third country or international organisation. An adequate level of data protection is deemed to exist when determined by the competent authority (by the Federal Council in Switzerland and by the European Commission in the EU).

If personal data is to be transferred to third countries without an adequate level of data protection, appropriate safeguards must be implemented. Such transfers are only permissible after prior examination and with the approval of the data protection coordination unit.

11.2 Transfers between group companies

From a data protection point of view, group companies of the Company are considered third parties to each other. To establish a consistent approach throughout the group, the companies shall enter into an intercompany agreement, whereby the group companies can act as both controllers and processors. The intercompany agreement shall set out the obligations of the contracting parties in accordance with their roles as controllers and processors.

11.3 Transfers to other third parties

The Company transfers personal data to third parties and grants access to personal data only when it is guaranteed that the recipient will process the data lawfully and provide adequate protection:

‒ if the third party is considered a controller, the Company shall enter into a contract with the controller specifying the responsibilities of each party with respect to the transferred personal data;

‒ if the third party is considered a data processor, the Company shall enter into a corresponding data processing agreement with the data processor. The data processing agreement obligates the data processor to comply with data protection principles, in particular to protect the data from further disclosure, to process the data only in accordance with the Company's directives, to implement appropriate technical and organisational measures to protect the personal data, and to report any data security breaches.

12. Technical and organisational Measures

The Company implements appropriate technical and organisational measures to ensure the security of personal data in accordance with applicable data protection regulations. Any breaches of data security, e.g., a hacker attack, must be promptly reported to the data protection coordination unit. The handling of such breaches is governed by a separate directive concerning information security.

13. Data Protection by Design and by Default

The Company shall ensure that data protection principles are taken into account at an early stage in new projects and are incorporated into the technical implementation (Privacy by Design).

The Company shall also implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for the respective processing purpose is processed. In particular, it shall ensure that the default settings are designed to be privacy-friendly (Privacy by Default).

Practical instructions:

When planning and implementing new processes and system applications, the data protection coordination unit shall be involved as early as possible to ensure that the principles of Privacy by Design and Privacy by Default are appropriately implemented in the project.

14. Data Protection Impact Assessment

The Company shall carry out a prior assessment of the impact of the envisaged processing operations (Data Protection Impact Assessment) when planned processing poses a high risk to the privacy and the fundamental rights of the data subjects.

The analysis of whether a Data Protection Impact Assessment is required should be carried out, in particular, when using new technologies or engaging in innovative data processing operations, and taking into account the nature, scope, context and purposes of the processing, e.g., processing on a large scale of sensitive data or systematic and extensive video surveillance of publicly accessible areas.

Practical instructions:

The Company shall seek the advice of the data protection coordination unit to determine whether conducting a Data Protection Impact Assessment is necessary. The Data Protection Impact Assessments shall be carried out in accordance with a separate internal guideline.

15. Notification of Data Security Breaches

A data security breach occurs when a breach of security leads to the accidental or unlawful loss, deletion, destruction, alteration, unauthorised disclosure of, or access to personal data.

In the event of a data security breach, the Company shall notify the relevant supervisory authority of the breach without undue delay, but no later than 72 hours after becoming aware of the breach if the data security breach is likely to result in a high risk to the rights and freedoms of natural persons. The Company shall also inform the data subjects if it is necessary for their protection or if the competent supervisory authority so requires.

Practical instructions:

If employees establish or suspect a data security breach, they may report it via fbm@palace.ch.

The process for internal reporting of a data security breach shall be governed by a separate policy.

16. Responsibilities

16.1 Management

The management of the Company defines the overarching principles for ensuring data protection within the Company. They appoint a person or department - the data protection coordination unit - responsible for enforcing compliance with data protection regulations.

16.2 Supervisors

Supervisors at all levels are responsible for enforcing and ensuring compliance with data protection regulations within their areas of responsibility. They collaborate with the data protection coordination unit to provide training and raise awareness among the employees. They serve as role models and encourage employees to adhere to data protection measures.

16.3 Data Protection Coordination Unit

The management has appointed a data protection coordination unit. The data protection coordination unit is the central point of contact for privacy-related questions and can be reached via fbm@palace.ch or by phone at 861.

The data protection coordination unit has in particular the following tasks:

‒ it bears the responsibility for the documents relating to this data protection directive;

‒ it supports the Company in the enforcement and implementation of data protection; and

‒ it monitors and takes into account the development of legal requirements in the area of data protection.

The enforcement of this directive is the sole responsibility of the supervisors and not of the data protection coordination unit.

A detailed description of responsibilities shall be defined in the job description of the data protection coordination unit.

17. Sanctions

Violations of this data protection directive may result in disciplinary measures and/or civil and/or criminal actions.

18. Final Provisions

18.1 Amendments and Extensions

This data protection directive may only be amended, supplemented, or revoked in writing by a decision of the Company's management. Any addition, deletion, or modification of individual provisions shall be considered as an amendment or supplement. Excluded from this are corrections of a formal nature.

18.2 Additional Documents

This data protection directive serves as the basis for the Company's data protection requirements. In addition to this, further documents, directives, and processes can be developed that are necessary in relation to the processing of personal data.

18.3 Access to this Directive and Amendments

This data protection directive shall be available to all employees through the existing directives system of the Company or through other channels.

Amendments or supplements to this data protection directive shall enter into force at the time of publication on https://issuu.com/gstaadpalace/docs/data_protection_directive_en_8.1.2025.docx?fr=xKAE9_-Dt8g

18.4 Entry into Force

This data protection directive enters into force on Monday, 13th January 2025.
