Data protection

Zürich Tourismus is an association with its headquarters at Stampfenbachstrasse 52, 8006 Zurich, Switzerland, and registered in the Commercial Register of the Canton of Zurich under number CHE-105.846.358. It is the operator of the website www.zuerich.com and its subdomains.

When collecting, processing and using your personal data, Zürich Tourismus deems it a matter of course to comply with the requirements of Swiss data protection legislation (in particular, the Swiss Federal Act on Data Protection, FADP, and the Ordinance to the Federal Act on Data Protection, VDSG), as well as any other applicable data protection provisions of Swiss and European law (in particular the EU General Data Protection Regulation (GDPR)). This data protection policy is an integral component of the General Terms & Conditions, which can be found here.

Zürich Tourismus takes data protection very seriously. In this data protection policy, we provide you with information about our company’s data processing practices.

1. Visits to the website of Zürich Tourismus

When you visit the website of Zürich Tourismus (including without registration or log in), Zürich Tourismus receives information that allows it to draw conclusions about your surfing behavior and thereby determine which information and offers are of particular interest to you. Cookies (see item 11 below), web analysis tools, remarketing tools and social plugins (see item 11 et seq. below) are used in this connection. As is generally the case with connection to a web server, this data is temporarily recorded in a log file and stored by us until it is automatically deleted. This concerns the following data:

  • IP address of the requesting computer
  • Name of the owner of the IP address block (usually your internet service provider)
  • Date and time of access
  • Website from which the access originated (‘referrer URL’), including any keywords used
  • Country from which the access originated
  • Name and URL of the accessed file
  • Operating system of the computer
  • Browser used (type, version, and language)
  • Name of your internet service provider

This data is collected and processed for the purpose of enabling the use of our website (establishing a connection), ensuring ongoing system security and stability, optimizing the website, and for internal statistical purposes. This data is not combined or saved with personal data.

Only in the event of an attack on the website’s network infrastructure, or if it is suspected that the website is being misused or otherwise used unlawfully, will the IP address be analyzed for clarification and defense purposes, and if necessary used to identify or take civil or legal action against the user concerned.

Our legitimate interest within the meaning of Art. 6 para 1(f) GDPR therefore constitutes the lawful basis for processing of the data.

2. Bookings or reservations on the website of Zürich Tourismus

You can make certain bookings or reservations on our website. We will usually require the following details:

  • Title
  • First name, surname
  • Street, postcode, country
  • Email address
  • Telephone number
  • Credit card information

The details necessary to complete a booking are marked with an asterisk (*). The provision of other information is optional and will not affect the use of our website or your booking.

Depending on the type of service booked, the details entered by you will either be collected directly from the provider in question or forwarded to the provider by us. In the latter case, the data protection policy of the provider will apply.

The booking platforms and solutions are operated by the following companies:

Unless specified otherwise in this data protection policy, or where you have not specifically provided consent, we will use and, in particular, share the data in order to supply the requested services, provide the desired functionality, process your order and ensure correct payment. For details of how your credit card information is processed and shared, see item 6 below.

The performance of a contract pursuant to Art. 6 para 1(b) GDPR therefore forms the legal basis for processing of the data.

3. Subscriptions to our newsletter

On our website, you have the option of subscribing to our newsletter. You must register for this purpose and provide the following details:

  • Title
  • First name, surname
  • Language
  • Country
  • Date of birth
  • Email address

By explicitly requesting the newsletter on the Zürich Tourismus website, you give your consent that we may use the provided personal data for marketing purposes and to send you emails with personalized marketing content. You have the right at any time to unsubscribe from the newsletter by clicking on the corresponding link in the newsletter. After you have unsubscribed, your personal data will be deleted.

Consent within the meaning of Art. 6 para 1(a) GDPR forms the legal basis for processing of your email address.

4. Participation in our competitions

On our website, you have the option of taking part in competitions. If you would like to take part in a competition offered by us, but you are not registered or do not wish to register, you will must provide the following details at the time of entering the competition:

  • Title
  • First name, surname
  • Postal address, place, country
  • Email address
  • Newsletter registration or deregistration

This data will be processed for the purpose of holding the competition. Your data will be used for other purposes (e.g. marketing) only if you provide your explicit consent; i.e. by ticking ‘yes’ or ‘no’ in the relevant field.

Our legitimate interest within the meaning of Art. 6 para 1(f) GDPR and your consent pursuant to Art. 6 para 1(a) GDPR form the legal basis for processing of the data in a competitive context.

5. Use of our chat function

On our website, you have the option of contacting us via a chat function. The chat works both online and offline. Offline means that your chat inquiry will be sent to us as an email and we can then contact you by email if necessary. This gives you the opportunity to ask questions about the website’s functions or content. You are responsible for the messages and content that you send to us via the chat function. We advise you not to send any sensitive information via the chat function.

In connection with the chat function, we work with Userlike, a service provided by Userlike UG, Probsteigasse 44-46, 40670 Cologne, Germany. If you access the chat online, you do not have to enter any details. However, Userlike will temporarily retrieve your IP address in order to determine from which country you are starting the chat. The IP address will be retrieved exclusively for this purpose and will not be stored permanently by Userlike. Userlike will also store the chat history and content on a server in the EU (Germany). If you access the chat offline, you must enter the following details:

  • First or last name
  • Email address
  • Message

To enable us to answer your questions offline or online, we may request additional information from you, such as your telephone number. We collect personal data from you that is necessary only to answer your questions or provide the requested services.

Our legitimate interest within the meaning of Art. 6 para 1(f) GDPR forms the legal basis for the processing of your chat inquiry and data.

6. Applications for job vacancies

On our website, you can apply for job vacancies. In order to be considered as a candidate, we expect you to send us your complete application containing the usual documents (cover letter, CV, employment references, certificates, etc.).

This data and any other information that you provide voluntarily will be used to conduct the application process. If you do not provide your explicit consent to use of this data in other ways, it will be deleted after the application process is complete.

The execution of pre-contractual measures and our legitimate interest pursuant to Art 6 para 1(b) and (f) GDPR form the legal basis for the processing of the data. For any other use of the data, your consent pursuant to Art. 6 para 1(a) GDPR forms the legal basis.

7. Sharing your data with third parties

We will share your data with third parties if this is necessary in connection with use of the website or fulfillment of the contract, such as when booking hotels or tours (see item 2). This data also includes credit card information when making card payments, which we will forward to your credit card provider or to the credit card acquirer. If you choose to pay by credit card, you will be asked to enter all essential information in each case. For the processing of your credit card information by third parties, please also read the General Terms & Conditions and the data protection policy of your credit card provider.

Your data may be shared with third parties for other purposes only if you have provided your explicit consent, if we are legally obliged to do so (e.g. request by a law enforcement agency) or if necessary in order to assert our rights under the contractual relationship (e.g. debt collection measures).

We require our employees and third parties that we use to provide our services to comply with the legal data protection provisions, and we have issued the necessary directives for employees and concluded data processing agreements with third parties for this purpose.

Your data may also be shared if you use social plugins (see items 13-15).

8. Transfer of personal data abroad

We have the right to send your personal data to companies based outside Switzerland, the EU and the European Economic Area should this be necessary for the above-mentioned purposes. The legal provisions governing the sharing of information with third parties are of course observed in such cases. These third parties are subject to the same data protection obligations as ourselves. If the level of data protection in a certain country is lower than the level of protection provided under Swiss or EU data protection laws, we take contractual measures to ensure that your personal data is afforded the same level of protection as in Switzerland or the European Economic Area (EEA) at all times.

In the interest of completeness, we point out to users based or resident in Switzerland that monitoring measures in the US by the US authorities generally permit the storage of all personal data of anyone whose data is sent from Switzerland to the US. This is done without differentiation, restriction or exception on the basis of the pursued objective and without any objective criteria that would restrict access to the data and its subsequent use by the US authorities to very specific and limited purposes that would justify the intervention associated with access and use of this data. We also wish to point out that no legal remedies are available in the US for people concerned from Switzerland that would enable them to access their data or request that it is corrected or erased, and that no effective legal protection against the general access rights of the US authorities exists. We expressly make the persons concerned aware of these laws and circumstances, in order that they can make an informed decision about consent to the use of their data.

We make residents of EU member states aware that compared with the EU, the US does not offer an adequate level of data protection due, inter alia, to the reasons mentioned in this section. In the case of the US-based recipients of data (e.g. Google) mentioned in this data protection policy, we ensure that your data is adequately protected; we do so either by means of contractual regulations with these companies or by ensuring that they are certified under the EU or Swiss-US Privacy Shield.

9. Data security

We take the appropriate measures to protect your personal data. We take the technical and organizational measures prescribed under Swiss and European data protection law to prevent unauthorized processing. This includes the following risks in particular:

  • Unauthorized or accidental destruction
  • Accidental loss
  • Technical errors
  • Forgery, theft or misappropriation

Unauthorized modification, copying, access or other use.

Our security measures are continuously updated in line with technological advances. We also take data protection within our own company very seriously. Our employees and contractual service providers are required to maintain confidentiality and comply with the provisions of the data protection laws.

10. Your rights as a user (access, erasure, correction)

You have the right to request information on the processing of your data. Furthermore, you are entitled to request that incorrect data is deleted or that your personal data is erased completely. Any such requests should be sent in writing or by email to web(at)zuerich.com. Sample texts for this purpose are available on the website of the Federal Data Protection and Information Commissioner. We advise you that we reserve the right to request proof of identity and that you may no longer be able to use our services (or not to the full extent) if your data is deleted.

If you have provided your consent to processing of your data in a certain way, you may withdraw your consent to future processing of this data.

Please note that certain data is subject to statutory retention periods and we are required to store such data until expiry of these periods. We lock these files in our system and use them solely for the purpose of fulfilling our legal obligations.

11. Cookies

Cookies are small text files that your browser stores automatically on your hard drive when you visit a website. These cookies enable storage of your settings (e.g. language or currency), so that our website is easier to use. Cookies cannot harm your hard drive. Furthermore, no new personal data is sent to us by the cookies. Most web browsers accept cookies automatically. However, you also have the option of disabling cookies in your browser.

On the following pages, you will find explanations of how to configure the processing of cookies in most common browsers:

However, deleting or blocking cookies may restrict the functionality of the website considerably.

12. Google Analytics, Google Adwords, Google Remarketing (DoubleClick), and Google Tag Manager

On our website, we use the web analysis service Google Analytics provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We use Google Analytics to continuously improve our website and tailor it to the needs of the users. To this end, Google Analytics uses cookies (see item 11), which are stored on your computer and enable analysis of your use of the website. The information generated by the cookie about your use of this website, in particular

  • the type and version of the web browser
  • the operating system used
  • the website from which the page was accessed (‘referrer URL’)
  • the IP address of the requesting computer
  • the time of the server request
  • behavior on the website (clicks, downloads, purchases)

is transmitted to a Google server in the US and stored there. Google uses this data to analyze how the website is used, to compile reports about website activity for us, and to provide other services associated with use of the website and the internet. Google may also transfer this information to third parties if legally required to or if third parties process this data on behalf of Google. Google will never associate your IP address with other data held by Google. The IP addresses are anonymized (truncated by three digits), so that they can no longer be associated with your identity. Google is listed as a member of Privacy Shield. The Privacy Shield agreement between the EU and the US guarantees minimum standards of data protection.

We also use Google Remarketing (DoubleClick by Google) and Google Adwords for online advertising and to analyze the use of our website. The combined use of first-party and third-party cookies (e.g. DoubleClick cookies) enables analysis of the relationship between ad impressions and website visits in reports. Third-party providers (including Google) have the option of publishing ads on websites, as well as tailoring and optimizing them according to demographic characteristics and interests on the basis of previous visits (e.g. by age, gender, interests). The data can be obtained from Google or from the visitor data of third parties.

To manage the services for user-oriented advertising, we also use Google Tag Manager. The Tag Manager tool itself is a cookie-less domain and does not record any personal data. Rather, it triggers other tags that may collect your personal data under certain circumstances. If you have deactivated it at domain or cookie level, it will remain in place for all tracking tags implemented with Google Tag Manager.
By using this website, you agree to the data that is collected about you being used by Google in the above-mentioned ways and for the above-mentioned purpose.

You can prevent analysis of your data by Google Analytics by downloading a browser plugin via the following link. You can also disable the use of cookies for Google AdWords conversion tracking, Google Remarketing and Tag Manager here.

More information about Google can be found on its website.

13.    Microsoft BingAds

We use BingAds on our website, a service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. BingAds collects and stores data that is then used to create user profiles under pseudonyms. BingAds will place a cookie on your computer for this purpose if you reached our website via a Microsoft Bing ad (see item 11 Cookies). This allows us and Microsoft Bing to see that someone has clicked an ad and been forwarded to our website and a predetermined ‘conversion page’. We see only the total number of users that have clicked a Bing ad and then been forwarded to a conversion page. No personal information about the identity of the user is shared. If you do not want to participate in the tracking process, you may reject cookies, which are also needed for this purpose (see item 11). Further information about Microsoft Bing can be found on the website of Microsoft.

14. Social media functions

We use social media functions on our website; this includes in particular sharing information on social networks. Sharing is done via the AddToAny tool provided by the company AddToAny. According to its data protection policy, AddToAny does not store any personal data. The relevant functions of AddToAny are marked as share buttons; i.e. they appear as squares containing the symbols of the different social media platforms (e.g. an ‘F’ for Facebook).

We provide you with social media functions for the following social networks:

  • Facebook operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, or if you are based in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
  • Twitter operated by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA
  • Google+ operated by Google Inc, Amphitheatre Parkway, Mountain View, Ca 94043, USA
  • WhatsApp operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, or if you are based in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
  • LinkedIn operated by LinkedIn Ireland Unlimited Company, Dublin 2, Ireland

If you click on the symbols of the social networks, you will be connected to the social network to perform the selected function; e.g. to share content on Facebook or to tweet on Twitter. However, you must log into your user account for this purpose if you are not already logged in.

If you choose one of the available functions and click the symbol of the social network, a direct connection is established between your browser and the server of the social network. This informs the server that you have visited our website with your IP address and have clicked on the link. If you click on a link to a network while logged into your account for that network, the content of our pages may be linked to your profile on the network; thus, the network can directly associate your visit to our website with your user account. If you wish to prevent this, you should log out before clicking on any such links. Your visit will be associated with your user account if you log into the network after clicking on the link.

Further information on use of your data and your options and rights to adequately protect your privacy can be found in the data protection policies of Facebook, Google, LinkedIn ans Twitter.

15.    Social plugins

Social plugins may be incorporated in our website. It is thus possible that the IP addresses of all visitors to our website may be forwarded to the servers of the corresponding providers. In such case, the data protection policies of those providers will apply; these can be found via the following links:

  • Pin it Button (Pinterest)
    operated by Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA. Its data protection policy can be found via the following link: https://policy.pinterest.com/en-gb/privacy-policy
  • Twitter
    operated by Twitter, Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA. Its data protection policy can be found via the following link: https://twitter.com/en/privacy
  • YouTube
    operated by Google Inc. Amphitheatre Parkway, Mountain View, Ca 94043, USA. Its data protection policy can be found via the following link: https://policies.google.com/privacy?hl=de&gl=de
  • Google+
    operated by: Google Inc. Amphitheatre Parkway, Mountain View, Ca 94043, USA. Its data protection policy can be found via the following link: https://policies.google.com/privacy?hl=de
  • Facebook
    operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, or if you are based in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Its data protection policy can be found via the following link: https://www.facebook.com/about/privacy/
  • Instagram
    operated by Instagram Inc., 1601 Willow Road, Meno Park, CA 94025, USA. Its data protection policy can be found via the following link: https://help.instagram.com/155833707900388
  • TripAdvisor
    operated by TripAdvisor Inc., 400 1st Avenue, Needham, 02494 MA, USA. Its data protection policy can be found via the following link: https://tripadvisor.mediaroom.com/UK-privacy-policy
  • WhatsApp operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, or if you are based in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Its data protection policy can be found via the following link: https://www.whatsapp.com/legal/
  • LinkedIn operated by LinkedIn Ireland Unlimited Company, Dublin 2, Ireland. Its data protection policy can be found via the following link: https://privacy.linkedin.com/

16. Links to our social media profiles

Our website contains links to our social media profiles. The links lead to the following networks:

  • Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA
  • Twitter, Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA
  • YouTube, operated by Google Inc. Amphitheatre Parkway, Mountain View, Ca 94043, USA.
  • Google Inc. Amphitheatre Parkway, Mountain View, Ca 94043, USA
  • Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA
  • Instagram Inc., 1601 Willow Road, Meno Park, CA 94025, USA
  • TripAdvisor Inc., 400 1st Avenue, Needham, 02494 MA, USA
  • WhatsApp operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, or if you are based in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
  • LinkedIn operated by LinkedIn Ireland Unlimited Company, Dublin 2, Ireland

If you click on the symbol for a social network, you will be forwarded automatically to our profile on that network. To use the functions of the network there, you may have to log into your user account. When you click on a link to one of our social media profiles, a direct connection is established between your browser and the server of the social network. The network is thereby informed that you have visited our website with your IP address and have clicked on the link. If you click on a link to a network while logged into your account for that network, the content of our pages may be linked to your profile, which means that the network can directly associate your visit to our website with your user account. If you wish to prevent this, you should log out before clicking on any such links. Your visit will be associated with your user account if you log into the network after clicking on the link.

17.    Hotjar

On our website, we use the Hotjar tool provided by Hotjar Ltd, St. Julian’s Business Centre, Elia Zammit Street 3, St. Julian’s STJ 1000, Malta. Hotjar can be used to generate heatmaps, visitor recordings and funnel charts, conduct form analysis, collect feedback and hold polls and surveys. Heatmaps show in anonymous form which elements of a website are clicked by users. Visitor recordings show which users are actually using the website, and summarize the areas in which they click and move the mouse. All personal information is anonymized. Form analysis shows us at which point in a form the user stops entering information. The tool also enables pop-up polls and surveys about different websites. The information generated by the tracking code and cookie about the use of your website is stored by Hotjar on a European server in Ireland.

If you do not want Hotjar to be used when you visit our website, click here.

18.    Facebook Custom Audience (with or without Facebook Pixel)

We use Facebook Custom Audience, a service provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, or if you are based in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. With Custom Audience, a non-reversible, non-personal checksum (hash value) is generated from your usage data and may be sent to Facebook for analysis and marketing purposes.

If you provide your consent, we will also use the Facebook service Facebook Pixel, which allows us to track the behavior of users after they have viewed or clicked a Facebook ad. We can thereby determine the effectiveness of the Facebook ad for statistical purposes. The data collected in this way is anonymous; however, it is stored and processed by Facebook. Facebook may link this data to your Facebook account and also use it for its own marketing purposes.

More information about how Facebook Pixel works and about the publication of Facebook ads in general can be found in the data protection policy of Facebook.

If you wish to object to Facebook Pixel and use of your data to display Facebook ads, click here to access the corresponding Facebook page and follow the instructions relating to settings for user-oriented advertising.

19.    CleanTalk

We use the anti-spam plugin CleanTalk, a service provided by CleanTalk Inc, 711 S Carson Street, Suite 4, Carson City, 89701 NV, USA. CleanTalk helps to prevent spam from being sent, such as via contact forms. To this end, parameters such as certain words, IP addresses, email addresses or domain names are sent to a server in the US and reconciled there. If CleanTalk identifies sent content as spam, we are notified and the information is stored in the US. More information about CleanTalk can be found here.

20.    CrowdRiff

We use CrowdRiff, a service provided by CrowdRiff Inc, 116 Spadina Ave., Suite 600, Toronto, ON M5KV 2K6, Canada. CrowdRiff is a marketing tool and technical solution that enables us to analyze whether our users like the visual content, in particular the images on our website, or which images are of particular interest. The analysis is performed using the same method as for tracking cookies (logging of IP addresses). To deactivate cookies, see item 11. More information about CrowdRiff can be found here.

21.    Amendments to the data protection policy

Zürich Tourismus reserves the right to occasionally amend its data protection policy as required (e.g. in light of new legislation, technical developments). Any changes come into effect after they have been introduced. We therefore recommend that you check this data protection policy regularly.

22.    Contact

If you have any questions about our website or data protection policy, or for inquiries relating to data access or erasure, please contact web(at)zuerich.com.

Zurich, 24.05.2018