user_mobilelogo

Guest house Brugghof
Weitlaner Andrea

Kematen 44 
I-39032 Sand in Taufers 
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.  
Tel: +39 0474 678004
Tel: +39 3462257141
Fax: +39 0474 686865


VAT 02933530210

 

 

Conception & design by Ausserhofer Webdesign

 

Disclaimer and copyright

Andrea Weitlaner  assumes no liability for the completeness or accuracy of any statements contained in the herein text and files. It is hereby stated that despite the aim to be as current as possible, it is possible that information contained herein is not up to date. 

Further she dissociates herself explicitly from the contents of websites referred to by hyperlinks – including all subpages. Since she has no influence whatsoever regarding the design and contents of these sites. This applies invariably for all hyperlinks include.

 

The content and graphic of this website is protected by copyright.
Written permission must be gained in advance before reproducing any of the web site content. This applies particularly to texts, text extracts and all graphic material.

 

Privacy Policy

 

Thank you for your interest in our company. Privacy is a very high priority for the management at our guest house (hereafter "company"). Fundamentally, use of our website is possible without giving any personal data. However, if a Data Subject wants to take advantage of specific services from our company via our website, processing of some personal data may be required. If processing of personal data is required and there is no legal basis for such processing, we generally obtain consent from the Data Subject.

 

We process personal data, for example a Data Subject’s name, address, email address or phone number, in compliance with the General Data Protection Regulation and the applicable national legislation on data protection. With this Privacy Policy our company aims to inform the public about the type, scope and purpose of the personal data collected, used and processed by us. In addition, this Privacy Policy explains Data Subjects’ rights.

As Controller, Andrea Weitlaner has implemented many technical and organisational measures to ensure the most complete protection possible of personal data processed via this website. However, internet-based data transfers may exhibit security vulnerabilities, so that absolute protection cannot be guaranteed. For this reason, Data Subjects are entitled to provide their personal data by alternative means, such as by phone.

 

1. Definitions

Our Privacy Policy is based on the terminology used by the European legislature in the enactment of the General Data Protection Regulation (GDPR). Our Privacy Policy must be easily read and understood by both the general public and our customers and business partners. For this reason, we would first like to explain the terminology used.

In our Privacy Policy, we use, among others, the following terms:

 

 

a)    Personal data
Personal data means any information relating to an identified or identifiable natural person (hereafter “Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

b)    Data Subject
A Data Subject is any identified or identifiable natural person whose personal data is processed by the Controller.

 

c)    Processing
Processing is any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

d)    Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.

 

e)    Profiling
Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

 

f)     Pseudonymisation
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be associated with a specific Data Subject without reference to additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

 

g)    Controller
A Controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for their nomination may be provided for by Union or Member State law.

 

h)    Processor
A Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

 

i)      Recipient
A recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, regardless of whether this is a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

 

j)      Third party
A third party is a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process personal data.

 

k)    Consent
Consent is any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, agrees to the processing of personal data relating to him or her.

 

2. Name and address of Controller

The Controller in the sense of the General Data Protection Regulation and other applicable data protection legislation or other data protection-related regulations in the Member States of the European Union is:

Weitlaner Andrea
Kematen 44 
I-39032 Sand in Taufers 
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.  
Tel: +39 0474 678004
Tel: +39 3462257141
Fax: +39 0474 686865

 

 

3. Name and address of Data Protection Officer

The Data Protection Officer for the Controller is:

Weitlaner Andrea
Kematen 44 
I-39032 Sand in Taufers 
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.  
Tel: +39 0474 678004
Tel: +39 3462257141
Fax: +39 0474 686865

 

 

Any Data Subject can contact our Data Protection Officer directly at any time for any questions or concerns about privacy.

  

4. Collection of general data and information

At each visit by a Data Subject or automated system, our website records a range of general data and information. These general data and information are stored in the server logfiles. Data liable to be collected can be (1) the browser type used and versions, (2) the operating system of the accessing system, (3) the website from which the accessing system accesses our website (so-called referrer), (4) the website subpages that are accessed by an accessing system, (5) the date and time of an access to the website, (6) an Internet Protocol address (IP address), (7) the Internet Service Provider of the accessing system and (8) various similar data and information which relate to security in cases of cyberattacks.

When using this general data and information, we draw no conclusions about the Data Subject. Instead, this information is used to (1) correctly deliver the content of our website, (2) optimise the website contents and advertisement, (3) ensure continuing functionality of our information technology systems and our website’s technology and (4) provide law enforcement agencies with the information that they require for prosecution in the case of a cyberattack. These anonymously-collected data and information are therefore evaluated by us both statistically and with the aim of improving data protection and data security in our company, ultimately to ensure the best possible protection for the personal data processed by us. The anonymous data in the server logfiles are stored separately from all personal data given by a Data Subject.

 

5. Subscription to our Newsletter

On our website, users have the option to subscribe to our company newsletter. The personal data transmitted to the Controller upon subscription are those which are on the input screen used for this purpose.

At regular intervals, we inform customers and business partners of company offers via a newsletter. Our company newsletter can therefore only be received by the Data Subject if (1) the Data Subject has a valid email address and (2) the Data Subject has registered to have the newsletter sent. For legal reasons, the Data Subject is initially sent a confirmation email to the address entered as a double opt-in process, to verify that the owner of the email account, as Data Subject, has authorised the sending of the newsletter.

With a new newsletter subscription, we also store the IP address of the computer system used at the time of subscription, as given by the Internet Service Provider (ISP), and the date and time of subscription. Collection of these data is required to identify (potential) misuse of a Data Subject’s email address at a later time and therefore serves as a legal safeguard for the Controller.

The personal data collected at the time of subscription are used solely for sending our newsletter. Furthermore, newsletter subscribers can be informed by email, if this is required for managing the newsletter service of for related registration, as could be the case if there are changes to the newsletter offer or modification to technical factors. Personal data collected as part of the newsletter service are not transmitted to a third party. Subscription to our newsletter can be terminated at any time by the Data Subject. Consent to retention of personal data which the Data Subject has granted to us for delivery of the newsletter can be withdrawn at any time. Each newsletter contains a link for withdrawal of consent. Furthermore, there is also an option to unsubscribe from the newsletter directly on the website of the Controller or to communicate this to the Controller by other means.

 

6. Contact options via website

For legal reasons, our website contains information allowing fast electronic contact with our company and direct communication with us, which also includes a general address for electronic mail (email address). If a Data Subject gets in contact with the Controller by email or contact form, the personal data transmitted by the Data Subject will automatically be stored. These personal data, transmitted voluntarily by a Data Subject to the Controller are stored for the purposes of processing or for contacting the Data Subject. These personal data are not shared with third parties.

 

7. Routine deletion and locking of personal data

The Controller processes and retains the Data Subject’s personal data only for the period required to fulfil the purpose of retaining it or for the period intended under European directives and regulations or the laws and regulations of another legislature to which the Controller is subject.

If the purpose of retaining it no longer applies, or the retention period under European directives and regulations or those of another relevant legislature expires, the personal data will be locked or deleted routinely and in accordance with applicable laws and regulations.

 

8. Rights of the Data Subject

 

a)    Right to confirmation
All Data Subjects have the right, granted by the European directives and regulations, to obtain from the Controller confirmation as to whether or not personal data concerning them are being processed. If a Data Subject wishes to exercise this right to confirmation, he or she can do so at any time by contacting an employee of the Controller.

 

b)    Right of access
All Data Subjects have the right, granted by the European directives and regulations, at any time to receive from the Controller free access to the personal data stored about them and to receive a copy of this information. Moreover, European directives and regulations grant the Data Subject access to the following information:

the purposes of the processing

the categories of personal data concerned

the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations

where possible, the envisaged period for which the personal data will be retained, or, if not possible, the criteria used to determine that period

the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the Data Subject or to object to such processing

the right to lodge a complaint with a supervisory authority

where the personal data are not collected from the Data Subject: any available information as to their source

the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject

 

Furthermore, the Data Subject has the right to be informed whether personal data are transferred to a third country or to an international organisation. If this is the case, the Data Subject also has the right to be informed of the appropriate safeguards relating to the transfer.
If a Data Subject wishes to exercise this right of access, he or she can do so at any time by contacting an employee of the Controller.

 

 

c)    Right to rectification
All Data Subjects have the right, granted by the European directives and regulations, to obtain the rectification without undue delay of inaccurate personal data concerning them. Furthermore, the Data Subject has the right, taking into account the purposes of the processing, to have incomplete personal data completed, including by means of providing a supplementary statement.
If a Data Subject wishes to exercise this right to rectification, he or she can do so at any time by contacting an employee of the Controller.

 

 

d)    Right to erasure (Right to be forgotten)
All Data Subjects have the right, granted by the European directives and regulations, to obtain from the Controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies and if processing is not compulsory:

The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

The Data Subject withdraws consent on which the processing is based according to letter (a) of Article 6 (1) of the GDPR, or letter (a) of Article 9 (2) of the GDPR, and where there is no other legal ground for the processing.

The Data Subject objects to the processing pursuant to Article 21 (1) of the GDPR and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing pursuant to Article 21 (2) of the GDPR.

The personal data have been unlawfully processed.

The personal data have to be erased for compliance with a statutory obligation in Union or Member State law to which the Controller is subject.

The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) of the GDPR.

 

If one of the grounds above applies and a Data Subject wishes to obtain deletion of personal data stored, he or she can at any time apply to an employee of the Controller for this. The employee will arrange for the deletion without undue delay.
Where we have made the personal data public and our company as Controller under Article 17 (1) of the GDPR is obliged to erase the personal data, (X), taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform any other Controllers involved in the processing of such data that the Data Subject has requested the erasure of any links to, or copy or replication of, those personal data, unless that processing is required by law. The employee will take the necessary steps on a case-by-case basis.

 

e)    Right to restriction of processing
All Data Subjects have the right, granted by the European directives and regulations, to obtain from the Controller restriction of processing where one of the following applies:

 

The accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data.

The processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead.

The Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims.

The Data Subject has objected to processing pursuant to Article 21 (1) of the GDPR, pending verification of whether the legitimate interests of the Controller override those of the Data Subject.

 

If one of the provisions above applies and a Data Subject wishes to obtain restriction of personal data stored, he or she can at any time apply to an employee of the Controller for this. The employee will arrange for the restriction of processing without undue delay.

 

f)     Right to data portability


All Data Subjects have the right, granted by the European directives and regulations, to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format. They also have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where the processing is based on consent pursuant to letter (a) of Article 6 (1) of the GDPR or letter (a) of Article 9 (2) of the GDPR or on a contract pursuant to letter (b) of Article 6 (1) of the GDPR; and the processing is carried out by automated means, unless processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
Furthermore, in exercising his or her right to data portability under Article 20 (1) of the GDPR, the Data Subject has the right to have those personal data transmitted directly from one Controller to another, where technically feasible, and where the rights and freedoms of others are not adversely affected.
To exercise the right to data portability, the Data Subject can apply at any time to an employee.

 

g)    Right to object


All Data Subjects have the right, granted by the European directives and regulations, to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on letter (e) or (f) of Article 6 (1) of the GDPR. This also applies to profiling based on those provisions.
In cases of objection, we will no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed by us for direct marketing purposes, the Data Subject has the right to object at any time to processing of their personal data for such purposes. This also applies to profiling to the extent that it is related to direct marketing activities. Where the Data Subject objects to processing by us for direct marketing purposes, we will no longer process the personal data for such purposes.
Moreover, the Data Subject has the right, on grounds relating to his or her particular situation, to object to the processing of personal data concerning them which are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
To exercise the right to object, the Data Subject can apply directly to an employee. The Data Subject is also free, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to exercise his or her right to object by automated means using technical specifications.

 

h)    Automated individual decision-making, including profiling


All Data Subjects have the right, granted by the European guidelines and regulations, not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless the decision (1) is necessary for entering into, or performance of, a contract between the Data Subject and a Data Controller, or (2) is authorised by European Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests or (3) is based on the Data Subject's explicit consent.
If the decision (1) is necessary for entering into, or performance of, a contract between the Data Subject and a Data Controller or (2) is based on the Data Subject's explicit consent, (X) shall implement suitable measures to safeguard the Data Subject's rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express their point of view and to contest the decision.
If a Data Subject wishes to exercise their rights relating to automated individual decision-making, he or she can do so at any time by contacting an employee of the Controller.

 

i)      Right to withdraw consent
All Data Subjects have the right, granted by the European guidelines and regulations, to withdraw consent at any time to the processing of personal data.
If Data Subjects wish to exercise their right to withdraw consent, they can do so at any time by contacting an employee of the Controller.

 

9. Privacy policy for implementation and use of Facebook

The Controller has incorporated tools from Facebook into this website. Facebook is a social network.

A social network is a social meeting point run on the internet, an online community which generally lets users communicate among each other and interact in a virtual space. A social network can act as a platform for the exchange of opinions and experiences or allow the internet community to provide personal or company-related information. Among other things, Facebook allows users of the social network to set up private profiles, upload photos, and network via friend requests.

The operating company for Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. For Data Subjects who live outside the USA and Canada, the Controller for personal data is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Every time the Data Subject visits one of the individual pages of this website, which is managed by the Controller and on which a Facebook tool (Facebook Plug-In) has been incorporated, the web browser of the Data Subject’s IT system is automatically prompted by that Facebook tool to download a copy of the corresponding tool from Facebook. An overview of all Facebook plugins can be found at: https://developers.facebook.com/docs/plugins. As part of this technical process, Facebook receives information on which specific sub-page of our website is visited by the Data Subject.

If the Data Subject is logged in to Facebook, with each visit to our website Facebook recognises which specific subpages are visited by the Data Subject for as long as they stay on our website. This information is collected by Facebook tools and Facebook associates it with the respective Facebook account of the Data Subject. If the Data Subject clicks one of the Facebook buttons incorporated into our website, for example a “Like” button, or if the Data Subject makes a comment, Facebook assigns this information to the Data Subject’s personal Facebook account and retains these personal data.

Facebook therefore receives information via the Facebook tools that the Data Subject has visited our website if the Data Subject is logged in to Facebook at the same time; this takes place independently of whether the Data Subject clicks the Facebook tool or not. If the Data Subject does not want to transmit such information to Facebook, he or she can prevent transmission by being logged out of his or her Facebook account before visiting our website.

Facebook’s published data policy, which is available at https://facebook.com/about/privacy/, gives more information about the collection, processing and use of personal data by Facebook. It also explains which settings Facebook offers for protecting the Data Subject’s privacy. In addition, various applications are available which can be used by the Data Subject to suppress data transmission to Facebook.

  

10. Legal basis for processing

Article 6 (1) letter (a) of the GDPR serves as our company’s legal basis for processing activities done for such purposes for which we require the Data Subject’s consent. If the processing of personal data is necessary for fulfilling a contract in which the Data Subject is a party, e.g. the processing of data necessary for the delivery of goods or provision of other services or considerations, processing will be based on Article 6 (1) letter (b) of the GDPR. The same applies to the processing of data which is necessary for carrying out pre-contractual measures, e.g. in cases of enquiries about our products or services. If our company is subject to a statutory duty that requires the processing of personal, such as for example compliance with tax requirements, processing is based on Article 6 (1) letter (c) of the GDPR. In rare cases, processing of personal data could be necessary to protect the vital interests of the Data Subject or another natural person. For example, this could be the case if a visitor to our business were injured and their name, health insurance data or other vital information had to be passed to a doctor, hospital or other third party. Then processing would be based on Article 6 (1) letter (d) of the GDPR. Lastly, processing may be based on Article 6 (1) letter (f) of the GDPR. This is the legal basis for processing activities which are not covered by any of the previous legal bases, if processing is necessary for the safeguarding of a legitimate interest of our company or of a third party, insofar as the interests, rights and freedoms of the Data Subject are not overridden. Such processing activities are allowed as specifically provided for by the European legislators. In this regard, the view was taken that a legitimate interest could be assumed if the Data Subject is a customer of the Controller (GDPR recital 47, second sentence).

 

11. Legitimate interests for processing which are pursued by the Controller or a third party

Where the processing of personal data is based on Article 6 (1) letter (f) of the GDPR, it is in our legitimate interest to carry out our business for the benefit of all our employees and shareholders. 

 

12. Personal data retention period

Personal data are stored and retained for a period the duration of which is based on the current statutory retention period. After this time has elapsed, the corresponding data are routinely deleted, provided that they are no longer necessary for contract performance or conclusion.

 

13. Statutory or contractual requirements for provision of personal data; contract requirements; obligation of the Data Subject to provide personal data; possible consequences of failure to provide data

We should like to make it clear that the provision of certain personal data is a statutory requirement (e.g. tax laws) or can result from contractual obligations (e.g. information about the contracting party). In some cases, it may be necessary for a Data Subject to make personal data available to us, the processing of which is necessary in relation to a contract. The Data Subject is, for example, obliged to provide us with personal data if our company enters into a contract with him or her. Failure to provide the personal data would result in the parties being unable to enter into or perform the contract. Before providing any personal data, the Data Subject must apply to one of our employees, who will clarify to the Data Subject, on a case-by-case basis, whether the provision of personal data is a legal or contractual requirement and necessary for entering into a contract, and what consequences may arise from failure to provide personal data.

 

14. Existence of automated decision-making

As a responsible company, we do not undertake automated decision-making or profiling activities.