Data Protection
Data Protection
1. Our Privacy Policy
The protection of your personal data is of utmost importance at Südwestdeutsche Salzwerke AG. Therefore, we always treat your personal data confidentially and in accordance with applicable data protection regulations. With this privacy policy, we aim to inform you about the personal data we process about you on our website, for what purpose, and on what legal basis.
Furthermore, we outline the rights of data subjects in connection with the processing of their personal data. Please note that our websites may contain links that are not covered by this privacy policy.
2. Definitions
In our privacy policy, we use terms that are also used in the General Data Protection Regulation (GDPR). To facilitate your reading and understanding of this statement, we provide the key definitions below.
2.1 Personal Data
Personal data refers to any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific factors expressing the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
2.2 Data Subject
A data subject is any identified or identifiable natural person whose personal data is processed by the data controller.
2.1 Personal Data
Personal data refers to any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific factors expressing the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
2.2 Data Subject
A data subject is any identified or identifiable natural person whose personal data is processed by the data controller.
2.3 Processing
Processing is any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, or combination, restriction, erasure, or destruction.
2.4 Restriction of Processing
Restriction of processing involves marking stored personal data with the aim of limiting its future processing.
2.5 Profiling
Profiling is any form of automated processing of personal data consisting of the use of such data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movement of that natural person.
2.6 Pseudonymization
Pseudonymization is the processing of personal data in a way that the data can no longer be attributed to a specific data subject without additional information, provided that this additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
2.7 Controller or Data Controller
The controller or data controller is the natural or legal person, authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data. If the purposes and means of this processing are determined by Union law or the law of the Member States, the controller, or the specific criteria for their appointment, may be provided for by Union law or the law of the Member States.
2.8 Processor
A processor is a natural or legal person, authority, agency, or other body that processes personal data on behalf of the controller.
2.9 Recipient
A recipient is a natural or legal person, authority, agency, or other body to whom personal data are disclosed, whether or not it is a third party. However, authorities that may receive personal data in the framework of a particular inquiry in accordance with Union law or the law of the Member States shall not be considered recipients.
2.10 Third Party
A third party is a natural or legal person, authority, agency, or other body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or processor, are authorized to process personal data.
2.11 Consent
Consent is any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of their personal data.
3. Name and Address of the Data Controller
The data controller, as defined by the GDPR and other data protection laws applicable in the European Union member states and other regulations with a data protection character, is:
Südwestdeutsche Salzwerke AG
Salzgrund 67
74076 Heilbronn
Germany
4. Contact Details of the Data Protection Officer
The Data Protection Officer can be reached at the following address:
Südwestdeutsche Salzwerke AG
Data Protection Officer
Salzgrund 67
74076 Heilbronn
Germany
Alternatively, you can use the following email address for your inquiries: Datenschutz@salzwerke.de
5. How We Protect Your Data
We take the protection of your personal data seriously and implement appropriate technical and organizational measures to protect your data related to the use of these websites from unauthorized access, manipulation, destruction, and loss. The security measures employed are continuously improved in line with technological advancements. For instance, communication through our website is protected via the HTTPS protocol (HyperText Transfer Protocol Secure). This establishes a secure connection between the server and the client that cannot be read by unauthorized individuals. This serves to protect the transmission of confidential content, such as orders or inquiries submitted to us.
When service providers are involved in the processing of services on our websites and qualify as processors, we have regulated these processing relationships to protect your personal data through a data processing agreement in accordance with Art. 28 GDPR.
6. Links to Other Websites
Our website may contain links to third-party websites, and some of our services may provide you with access to third-party services. We have no control over how third-party websites and services process your personal data. These third-party websites and services are not reviewed by us, and we are not responsible for such third-party websites or their privacy practices. Please read the privacy policies of the third-party websites or services you access through our website. If our websites integrate other services, you will find an explanation in this privacy policy.
7. Hosting of Our Website
We host our website exclusively on servers located in Germany through our hosting partner. In accordance with data protection regulations, we have entered into a data processing agreement pursuant to Art. 28 GDPR. For the purpose of providing and delivering the website, connection data is processed. Beyond the mere purpose of delivering and providing the website, the data is not stored. However, our data processor retains the connection data for security purposes. The duration of processing for security purposes is variable and ends when security measures are no longer necessary. Additionally, our data processor anonymizes the collected data immediately after collection and provides us with the anonymized data in the form of statistics for evaluation. We use these statistics for troubleshooting and the continuous improvement of our website.
8. Use of Friendly Captcha for Spam Protection
Our website uses the service "Friendly Captcha" (www.friendlycaptcha.com), provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany. Friendly Captcha is an innovative, privacy-friendly protection solution designed to make it more difficult for automated programs and scripts (known as "bots") to use our website. To implement this, we have integrated a program code from Friendly Captcha into our website (e.g., for contact forms). This allows the visitor's device to establish a connection to the servers of Friendly Captcha to receive a computational task. The visitor's device solves the computational task (puzzle), which consumes certain system resources, and sends the result to our web server. Through an interface, our web server then contacts the Friendly Captcha server and receives a response indicating whether the puzzle was correctly solved by the visitor's device. Depending on the result, we can apply security rules to requests made through our website, allowing us to process or reject them accordingly.
Friendly Captcha processes and stores the following data in the above process:
- Anonymized IP address of the requesting computer
- Information about the browser and operating system used
- Anonymized counter per IP address for managing cryptographic tasks
- Website from which the access occurred
The data is used exclusively for the protection against spam and bots as described above. Friendly Captcha does not set or read cookies on the visitor's device. IP addresses are stored only in hashed (one-way encrypted) form, preventing us and Friendly Captcha from drawing conclusions about an individual. If personal data is collected, it is deleted no later than 30 days after collection.
We have entered into a data processing agreement with Friendly Captcha GmbH. The data processing by Friendly Captcha is therefore strictly guided by our instructions and carried out on our behalf in accordance with Art. 28 GDPR.
We use Friendly Captcha solely for the detection and prevention of unlawful website use. This data processing is based on Art. 6(1)(f) GDPR. Our legitimate interest is to ensure the security of our web offerings and prevent their misuse for automated spying and spam. For more information about Friendly Captcha and the privacy policy of Friendly Captcha GmbH, please refer to the following link: https://friendlycaptcha.com/de/legal/privacy-end-users/.
9. Collection of General Data and Information when using our Websites
During the purely informational use of the website, i.e., without registration in the customer account, use of the contact form for inquiries, or placing an order through our online ticket shop, we only collect the personal data that your browser transmits to our server. When you want to view our website, we collect the following data:
- IP address
- Date and time of the request
- Region (not the address) from which the IP address accesses the website
- Browser language, browser type (e.g., Chrome, Firefox, Safari), and version
- Operating system
- Device type (e.g., mobile device, desktop computer, tablet)
- Browsing behavior on the website (e.g., when the website was visited, which areas of the website were clicked, how much time was spent on the website)
- The website from which the request comes
We process and store this data for the purpose of ensuring the functionality of the website, improving the content of the website, creating statistical analyses based on aggregated browsing data, and analyzing the technical operation of the website to ensure the security of our information technology systems.
Our legitimate interest in data processing pursuant to Art. 6(1)(f) GDPR lies in the necessity of displaying this website to you and ensuring its stability, functionality, and security. Furthermore, the storage of server log files, in the context of potential cyber-attacks, serves the purpose of appropriate law enforcement. In terms of log file rotation, log files and contained IP addresses are stored until they reach a 100 MB limit, after which they are automatically overwritten or deleted. The retention period is 60 days.
10. Data in the context of using a contact form offered on the website
For any questions, we provide you with the opportunity to contact us through a contact form available on the website. Providing a valid email address is necessary so that we know who the request is from and can respond to it. Other mandatory information is marked with an asterisk in the contact form. Depending on the subject, type of data, and whether you are already a customer or not, the processing of data is based on the contract with you, your consent, or your or our legitimate interest in clarifying the matter according to Art. 6(1)(a), (b), and (f) GDPR.
If you use the contact form or another corresponding online function for the purpose of ordering, inquiry, or reservation for individual offers and events, please also refer to the information in Section 14, "Data in the context of orders in the ticket shop as well as inquiries and reservations for individual offers and events."
We will delete your data related to the inquiry unless we are legally obliged to store or retain it further. If the data is still required to process outstanding inquiries, deletion will occur at the earliest after completing these inquiries. Your personal data will not be disclosed to third parties.
To prevent spam, we use the privacy-friendly solution provided by Friendly Captcha, which is also used when using the contact form. Further explanations can be found in Section 8 of this privacy policy.
11. Cookie Declaration
11.1 What are Cookies and What Are They Used For?
Cookies are small text files in which the web browser stores information about visited websites sent by the web server. This can include information about the duration of the page visit, login data, user inputs, or similar data.
These cookies are stored on your computer or mobile device when you visit a website. They require minimal storage space and are automatically deleted after expiration. Certain cookies expire at the end of your internet session, while others are stored for a limited period.
We primarily use cookies to make your visit to our website as user-friendly as possible. Additionally, we use cookies for analyzing tracking on the website and for advertising purposes during your future visits to other websites. The types of cookies and their respective purposes are detailed in our COOKIE GUIDE.
11.2 Cookie Management - Consent for Non-Functional Cookies
Our website uses the Cookie Consent technology from Usercentrics to obtain your consent for storing certain cookies in your browser and to document this in compliance with data protection regulations. The provider of this technology is Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark.
We have entered into a data processing agreement with Usercentrics, in which Usercentrics undertakes to ensure the necessary protection of your data and to process it exclusively on our behalf and in accordance with our instructions, in compliance with applicable data protection regulations. The use of a cookie banner, as well as the management and storage of your consents to the processing of your personal data, is based on our legal obligation to provide a data protection-compliant website (Art. 6 para. 1 lit. c) GDPR in conjunction with § 26 TTDSG). The processing of data to provide a cookie banner is essential for the operation of the website. There is no option for the user to object as long as there is a legal obligation to obtain user consents for certain data processing operations before loading the website.
When you enter our website, a Cookiebot cookie is stored in your browser, which contains the consents you have given or the revocation of these consents. This data is anonymized and transferred to the provider of Cookiebot. Cookiebot processes the following data to provide and manage the cookie banner:
- our IP address anonymized by Cookiebot (the last three digits are set to "0"),
- Additional information about the browser used and its version,
- Date and time of your visit to our website or your settings via our cookie banner,
- The URL of the accessed website,
- An anonymous, random, and encrypted key (ID),
- Your given consents or individual privacy settings.
Cookiebot uses both local storage and the setting of cookies to store this information locally in your browser. Your individual settings and your ID are stored in a cookie so that your settings are taken into account when you revisit our website.
For more information about the data processing by Cookiebot, please visit: Cookiebot Privacy Policy.
11.3 Cookie Management via "COOKIE GUIDE"
In the COOKIE GUIDE, you can view your cookie settings and adjust them according to your needs at any time. Additionally, you can see the types of cookies and their respective purposes outlined there.
Here is your cookie overview:
12. Informative Electronic Communications (via Email) to Business Customers
For the dispatch of informative communications (via email) to business customers, we use CleverReach, with whom we have entered into a data processing agreement. CleverReach GmbH & Co. KG is located at Mühlenstr. 43, 26180 Rastede. This service allows us to organize and analyze the newsletter distribution. Your data processed for receiving the informative communication, such as your email address, is stored on CleverReach servers. Server locations are in Germany and Ireland.
The newsletter dispatch with CleverReach enables us to analyze the behavior of the newsletter recipient. The analysis includes, among other things, how many recipients opened their newsletter (informative communication) and the frequency with which links in the newsletter were clicked. CleverReach supports conversion tracking to analyze whether a previously defined action, such as a product purchase, occurred after clicking on a link. Details about data analysis by CleverReach can be found at: https://www.cleverreach.com/en/newsletter-tool/newsletter-reporting/.
Business customers have the option to subscribe to our newsletter on our website using the double opt-in procedure. This means that after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary to prevent anyone from registering with someone else's email address.
The legal basis for data processing is § 7 (3) UWG and, in cases where newsletter registration is done through our website, consent under Art. 6 (1) lit. a GDPR.
If you no longer wish to receive this information via email in the future, please unsubscribe via the "Unsubscribe" link in the newsletter/informative email. The legality of the data processing operations already carried out remains unaffected by the revocation/unsubscription.
Details of CleverReach's privacy policy can be found at: https://www.cleverreach.com/en/privacy-policy/
13. Your Customer Account
Business customers (B2B) have the option to create a customer account with us. This means registering with us as the data controller, providing personal data. The specific personal data transmitted to us is determined by the respective input mask used for registration. Some fields may be designated as mandatory because, without this information, we cannot provide the services associated with registration. The personal data you enter is processed exclusively for the purpose of use. The customer account is used to handle your orders and all related services. To process your orders, we share the data with other companies solely for proper contract fulfillment and only to the extent necessary. This includes sharing with parcel delivery services, payment service providers, or other service providers integrated into the application (e.g., cooperation partners). The integrated service providers also use the personal data solely for processing your order and only according to our instructions. Your data will not be disclosed to third parties without your explicit consent. Master data stored in the customer account remains stored until you revoke your consent.
For any rights related to your customer account, please contact the following address: info@salzbergwerk.de
If you have general questions about data protection, please contact the address mentioned in section 4 of this statement.
14. Data in the Context of Orders in the Ticket Shop, as well as Inquiries and Reservations for Individual Offers and Events
Through our website, you have the opportunity to purchase tickets for tours, events, and various group offerings. Furthermore, we provide the option to submit inquiries or reservations for individual offers and events. For this purpose, the provision of personal data is necessary to the extent required. The specific personal data transmitted to us depends on the respective input mask used for the order/inquiry/reservation. Some fields may be designated as mandatory because, without this information, processing is not possible.
If personal data is subject to tax and commercial retention periods, it will be stored for this period. Beyond this period, further processing of this data will only occur if you have expressly consented to further use of your data. For individual events or offers where cooperation partners are involved in the process, it is necessary to share your data with these cooperation partners to the extent required. The disclosure of necessary data to these cooperation partners is solely for the purpose of contract fulfillment. There is no further disclosure to third parties. Your data will be treated as confidential by us at all times. For the processing of the payment process, we refer to section
15. Data in the Context of Payment Processing (Credit Card, PayPal, Sofortüberweisung)
For the order processing of products and services offered through this website, three payment methods (credit card payment, PayPal, Sofortüberweisung) are provided. All payment methods are processed through the All-in-One Payment Service Provider Unzer (Unzer GmbH, Vangerowstraße 18, 69115 Heidelberg), and for this purpose, a contract for order processing has been concluded with the service provider. Depending on the payment method (credit card, PayPal, Sofortüberweisung), the entry of payment-relevant data, which is required by the respective payment service for the execution of the payment process, takes place. Unzer ensures the highest security in data transfer for all payment methods. Due to the processing of credit card data, Unzer is bound to the globally applicable PCI DSS IT standard (Payment Card Industry Data Security Standard). Further information on data protection can be found at: https://www.unzer.com/de/datenschutz/.
The use of payment service providers is based on Art. 6 para. 1 lit. b GDPR (contract processing) as well as in the interest of a smooth, convenient, and secure payment process (Art. 6 para. 1 lit. f GDPR). Insofar as your consent is requested for certain actions, Art. 6 para. 1 lit. a GDPR is the legal basis for data processing; consents can be revoked at any time for the future.
We offer the following payment methods through this website:
PayPal
Provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal").
The data transfer to the USA is based on the standard contractual clauses of the European Commission. Details can be found here: https://www.paypal.com/de/webapps/mpp/ua/pocpsa-full.
For details, please refer to PayPal's privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
Instant bank transfer
The provider of this payment service is Sofort GmbH, Theresienhöhe 12, 80339 Munich (hereinafter referred to as "Sofort GmbH"), which is a company of the Klarna Group. With the help of the "Instant bank transfer" procedure, we receive a payment confirmation from Sofort GmbH in real time and can immediately begin to fulfil our obligations. If you have decided in favour of the "Sofortüberweisung" payment method, you transmit the PIN and a valid TAN to Sofort GmbH, with which it can log into your online banking account. After logging in, Sofort GmbH automatically checks your account balance and carries out the transfer to us using the TAN you have transmitted. It then immediately sends us a transaction confirmation. After logging in, your turnover, the credit limit of the overdraft facility and the existence of other accounts and their balances are also automatically checked. In addition to the PIN and TAN, the payment data you have entered and your personal data are also transmitted to Sofort GmbH. Your personal data includes your first and last name, address, telephone number(s), e-mail address, IP address and any other data required for payment processing. The transmission of this data is necessary to establish your identity beyond doubt and to prevent attempts at fraud.
A company that integrates the services of Sofort GmbH as a payment method on its website does not have access to your personal online banking access data (such as PIN) and TAN, which you enter in the encrypted payment form, at any time. For details on payment with Sofortüberweisung, please refer to the following links: https://www.sofort.de/datenschutz.html and https://www.klarna.com/sofort/.
Mastercard
The provider of this payment service is Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium (hereinafter "Mastercard").
Mastercard may transmit data to its parent company in the USA. The data transfer to the USA is based on Mastercard's Binding Corporate Rules. Details can be found here: Mastercard Privacy Policy (German) and Mastercard BCRs.
VISA
The provider of this payment service is Visa Europe Services Inc., Branch London, 1 Sheldon Square, London W2 6TT, United Kingdom (hereinafter "VISA").
The United Kingdom is considered a data protectionally secure third country. This means that the United Kingdom has a level of data protection equivalent to the level of data protection in the European Union.
VISA may transfer data to its parent company in the USA. The data transfer to the USA is based on the Standard Contractual Clauses of the EU Commission. Details can be found here: Visa Global Data Protection Notice.
For more information, please refer to the Visa Privacy Center: Visa Privacy Center.
16. Deletion and Blocking of Personal Data
The data controller processes and stores personal data of the data subject only for the period necessary to achieve the purpose of storage or as stipulated by the European legislator or another legislator in laws or regulations to which the data controller is subject.
If the purpose of storage is no longer applicable, or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data will be blocked or deleted in accordance with legal requirements.
17. Legal Basis for Processing Personal Data
Article 6(1)(a) of the General Data Protection Regulation (GDPR) serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose.
If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, such as in the case of processing operations necessary for the delivery of goods or the provision of any other service or consideration, the processing is based on Article 6(1)(b) GDPR. The same applies to such processing operations that are necessary for carrying out pre-contractual measures, such as in cases of inquiries about our products or services.
If our company is subject to a legal obligation by which the processing of personal data is required, such as for compliance with tax obligations, the processing is based on Article 6(1)(c) GDPR.
Furthermore, processing operations may be based on Article 6(1)(f) GDPR. This is the case when the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, provided that the interests or fundamental rights and freedoms of the data subject do not override such interests. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. The legislator considered that a legitimate interest could be assumed if the data subject is a customer of the data controller or is in its service (Recital 47, sentence 2, GDPR). If the processing of personal data is based on Article 6(1)(f) GDPR, our legitimate interest is the conduct of our business activities for the benefit of our shareholders while respecting the legitimate interests of the data subjects. In the balancing of these interests, the focus is always on establishing a fair relationship between the data subject and us as a company.
18. Duration for Which Personal Data is Stored
The criterion for the duration of the storage of personal data is based on legal retention periods, which may arise from tax or commercial law, as well as other applicable legal regulations, whenever these regulations are applicable to your personal data. After the expiration of the specified period, the relevant data will be deleted unless they are still necessary for contract fulfillment, contract initiation, or maintaining the business relationship. If no retention periods are applicable, and you have provided your consent for the storage and use of your personal data, the data will be stored and used for the specified purpose as long as outlined in the consent or until you revoke your consent for future use.
19. Legal or Contractual Requirements for Providing Personal Data; Necessity for Contract Conclusion; Obligation of the Data Subject to Provide Personal Data; Possible Consequences of Non-Provision
We inform you that the provision of personal data is partly required by law (e.g., tax regulations) or may result from contractual provisions (e.g., information about the contracting party). In some cases, it may be necessary for a contract to be concluded that a data subject provides us with personal data that subsequently needs to be processed by us. For instance, the data subject is obligated to provide us with personal data when our company enters into a contract with them. Failure to provide the personal data would result in the contract with the data subject not being concluded.
20. Data Protection Policy for the Use of Google Analytics
If you have given your consent, Google Analytics 4, a web analytics service provided by Google LLC, is used on this website. The responsible entity for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). Pursuant to Article 28 of the General Data Protection Regulation (GDPR), we have entered into a contract for data processing with Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
Scope of Processing
Google Analytics uses cookies that enable an analysis of your use of our websites. The information collected through these cookies about your use of this website is usually transmitted to and stored on a server operated by Google in the United States. We utilize the User-ID feature, allowing us to assign a unique, persistent ID to one or more sessions (and the activities within these sessions) and analyze user behavior across devices.
In Google Analytics 4, IP address anonymization is enabled by default. Due to IP anonymization, your IP address is truncated by Google within member states of the European Union or other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
During your website visit, your user behavior is captured in the form of "events." Events can include:
- Page views
- Initial visit to the website
- Session start
- Your "click path," interaction with the website
- Scrolls (every time a user scrolls to the end of the page (90%))
- Clicks on external links
- Internal search queries
- Interaction with videos
- File downloads
- Viewed/clicked advertisements
- Language settings
Additionally, the following information is collected:
- Your approximate location (data on country, region, city)
- Your IP address (in shortened [anonymized] form)
- Technical information about your browser and the devices you use (e.g., language settings, screen resolution)
- Your internet service provider
- The referrer URL (through which website/ advertising medium you came to this website)
Purposes of Processing
On behalf of the operator of this website, Google will use this information to evaluate your website usage and compile reports on website activities. The reports provided by Google Analytics serve to analyze the performance of our website and the success of our marketing campaigns.
Recipients
Recipients of the data may include:
- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as a data processor according to Art. 28 GDPR)
- Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
- Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
It cannot be ruled out that U.S. authorities may access the data stored at Google.
Third Country Transfer
Where data is processed outside the EU/EEA and there is no data protection level equivalent to the European standard, we have concluded EU Standard Contractual Clauses with the service provider to establish an adequate level of data protection. The parent company of Google Ireland, Google LLC, is headquartered in California, USA. The transfer of data to the USA and access by U.S. authorities to data stored at Google cannot be ruled out. The USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. Legal remedies against access by authorities may not be available.
Retention Period
The data we send and associate with cookies is automatically deleted after 14 months. Data whose retention period has expired is automatically deleted once a month.
Legal Basis
The legal basis for this data processing is your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR.
Revocation
You can revoke your consent at any time with effect for the future by accessing the COOKIE GUIDE and changing your selection there. The legality of processing carried out based on the consent before its withdrawal remains unaffected.
You can also prevent the storage of cookies from the outset by configuring your browser software accordingly. However, if you configure your browser to reject all cookies, this may result in limitations to the functionality of this and other websites. Additionally, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) as well as the processing of this data by Google by not giving your consent to the setting of the cookie.
For more information on the terms of use of Google Analytics and data protection at Google, please visit https://marketingplatform.google.com/intl/de/about/analytics/ and https://policies.google.com/privacy?hl=en.
21. Google Tag Manager
For the management of our website and the integration of cookie-based technologies, we use the Tag Manager service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). For this purpose, each time one of our web pages is accessed, your anonymized IP address is transmitted to a server of Google, which may be located in the USA. The IP address is not stored by Google as part of the Tag Manager service and is only used for the integration of technologies managed via the Tag Manager. The Tag Manager itself does not set any cookies. The Google Tag Manager is loaded only after your consent.
22. Social Media Presence on Social Networks and Platforms (Facebook, Instagram, YouTube)
We maintain the following channels or fan pages on social media platforms:
- Facebook: Salzbergwerk Berchtesgaden
- Instagram: salzbergwerk_berchtesgaden
- YouTube: Salzbergwerk Berchtesgaden
with the aim of communicating with active customers, prospects, and users there, and informing them about our services.
The icons displayed for this purpose within our website in the footer area are static links. This means that no automatic connection to these social networks is established when our website is loaded. Only when you click on the icon will you be directed to the website of the respective social network. Please note the explanations in Section 23 - Facebook Custom Audiences (for websites) / Conversion – Facebook Pixel.
If you have consented to the use of consent-based cookies, your browser automatically establishes a direct connection to Facebook's server due to the deployed marketing tool ("Facebook Pixel").
22.1 Facebook and Instagram
Principle
As the operator of the above-mentioned Facebook and Instagram accounts, we (Südwestdeutsche Salzwerke AG) are jointly responsible with the operator of the social network Facebook and Instagram (Meta Platforms Ireland Ltd.) within the meaning of Article 4(7) of the General Data Protection Regulation (GDPR). There is joint responsibility according to Article 26 GDPR.
Contact details of the joint controllers:
Südwestdeutsche Salzwerke AG: Contact details of the controller and its data protection officer can be found in sections 3 and 4 of this privacy policy.
Meta Platforms Ireland Ltd:
Contact details: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland
Authorized representative: Richard Kelley, Registered in Ireland (Companies Registration Office), Company Registration Number 462932
You can contact the data protection officer for Facebook and Instagram products via this link: Facebook Data Protection Officer Contact.
The terms of use of Facebook and other terms and policies listed at the end are authoritative. Facebook Terms of Service
Information on the scope of data processing: Information on the scope of data processing by our company can be found in this privacy policy.
Information on the scope of data processing and the associated handling of personal data by Facebook can be found here:
Information on the scope of data processing and the associated handling of personal data by Facebook for the Instagram service can be found here:
Agreement on Joint Responsibility
The agreement between us and Facebook regarding joint responsibility for data processing under Article 26 of the GDPR can be accessed here:
Facebook Terms Page Controller Addendum
This agreement has been created for Facebook fan pages and, in our assessment, is applicable to the use of Instagram Insights due to the identical Insights function and identical parties involved:
Facebook Terms Page Controller Addendum
Use of Insights and Cookies in Connection with Facebook and Instagram Accounts
In connection with the operation of the above-mentioned Facebook and Instagram accounts, we use the Insights feature of Facebook to obtain anonymized statistical data about users of our Facebook and Instagram accounts. Facebook stores a cookie on the user's device, who visits our Facebook or Instagram account, for this purpose. The cookie contains a unique user code and is active for a period of two years unless deleted earlier. The user code can be linked to the data of users registered with Facebook.
The information stored in the cookies is received, recorded, and processed by Facebook, especially when the user visits Facebook services, services provided by other members of the Facebook group of companies, and services provided by other companies that use Facebook services. Additionally, other entities such as Facebook partners or even third parties may use cookies on Facebook services to provide services to companies advertising on Facebook.
For more information on the use of cookies by Facebook, please refer to their Cookie Policy.
The Instagram Data Policy contains all information regarding data processing by Facebook when using Instagram: Instagram Data Policy.
We do not have any influence on how and to what extent Facebook and Instagram process this data.
Legal Basis and Legitimate Interests
We operate Facebook and Instagram accounts to present ourselves to users of Facebook and Instagram, as well as other interested individuals who visit our Facebook and Instagram accounts, and to communicate with them. The processing of personal data of users is based on our legitimate interests in an optimized social media presence (Article 6(1)(f) GDPR).
Data Disclosure
It is conceivable that personal data may be processed outside the European Union by Meta Platforms, Inc., based in the USA. However, our contracting party is Meta Platforms Ireland Ltd., based in Ireland, and thus within the European Union. The US parent company, Meta Platforms, Inc., 1 Meta Way, Menlo Park, California 94025-1453, USA, is additionally certified under the EU-U.S. Data Privacy Framework (PDF), so the data transfer to it is permissible based on the European Commission's adequacy decision regarding the USA.
We do not disclose personal data ourselves.
Objection Options
Users of Facebook can influence the extent to which their user behavior during the visit or use of Facebook services, and thus our Instagram account, is recorded through the Ad Preferences settings. Additional options are available through Facebook settings or the objection form.
The processing of information using cookies employed by Facebook and Instagram can be prevented by not allowing third-party cookies or those from Facebook in the browser settings.
22.2 YouTube
Principle for Using this Website
Our website uses plugins from the YouTube service. The company providing the service in the European Economic Area and Switzerland is Google Ireland Limited, a company registered and operated under Irish law (registration number: 368047) with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. The use of YouTube, and thus the viewing of embedded videos on this website, is only possible with your consent to the so-called marketing cookies. If you have not consented to the use of these cookies, viewing embedded videos is not possible.
Upon your consent, a connection is established to YouTube's servers. This informs the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to directly associate your browsing behavior with your personal profile. You can prevent this by logging out of your YouTube account.
Furthermore, after starting a video, YouTube may store various cookies on your device. With the help of these cookies, YouTube can obtain information about visitors to our website. This information is used, among other things, to capture video statistics, improve user-friendliness, and prevent fraud. The cookies remain on your device until you delete them. After starting a YouTube video, additional data processing operations may be triggered, over which we have no influence.
22.3 YouTube Channels
Principle
As the operator of the aforementioned YouTube channels on YouTube, we (Südwestdeutsche Salzwerke AG) and the operator of the YouTube service (Google Ireland Limited; hereinafter also referred to as "Google") are joint controllers within the meaning of Article 4(7) of the General Data Protection Regulation (GDPR).
When visiting the YouTube channels as outlined in section 22, personal data is processed by the controllers. The following provides information on the types of data processed, the processing methods, and the rights available to you.
Contact Details of Joint Controllers
Südwestdeutsche Salzwerke AG: Contact details of the controller and its data protection officer can be found in sections 3 and 4 of this privacy policy.
Contact details: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
You can contact Google's data protection officer via this link: https://www.youtube.com/t/contact_us
Shared Responsibility
We, as operators of the YouTube channel, and Google, as the platform operator of YouTube, share responsibility for the processing of personal data of subscribers, visitors, and users that takes place on or through the channel.
Information regarding the data processing carried out by our company can be found in this privacy policy. Information about how Google handles personal data for the YouTube service can be found in their privacy policy.
Use of Insights and Cookies in connection with the mentioned YouTube accounts
In connection with the operation of the YouTube channel, Google provides an analytics function that we use to obtain anonymized statistical data about the users and interactions on our channel. For this purpose, Google stores a cookie on the user's device who visits our channel. The cookie contains a unique user code, which can be linked to the data of users registered on YouTube.
The information stored in the cookies is received, recorded, and processed by Google. Additionally, other entities, such as Google partners, may use cookies to provide services to companies advertising on YouTube or other Google services. For more information on the use and deployment of cookies by Google, please visit: https://policies.google.com/technologies/cookies?hl=de
Legal Basis and Legitimate Interests
We operate this YouTube channel to present ourselves to YouTube users and other interested individuals who visit our YouTube channel, aiming to engage in communication with them. The processing of personal data of users is based on our legitimate interests in optimizing the presentation of SSG (Article 6(1)(f) GDPR).
Data Disclosure
It is possible that some personal data may be processed outside the European Union or the European Economic Area by Google LLC, the parent company of Google Ireland Ltd., located in the United States. Specific details from Google on this matter can be found in Google's privacy policy. However, our contracting partner is Google Ireland Limited, a company based in Ireland and therefore within the European Union.
The U.S. parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA, is also certified under the EU-U.S. Data Privacy Framework (PDF), making the data transfer to the U.S. permissible under the adequacy decision of the European Commission regarding the USA.
We do not share any personal data ourselves.
Opt-out Options
YouTube users can influence the extent to which their user behavior is recorded when visiting or using Google services, including our YouTube channel, through the settings of their accounts.
23. Facebook Custom Audiences (for Websites) / Conversion – Facebook Pixel:
This website utilizes the "Facebook Pixel" from the social network "Facebook" by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Meta) for the following purposes:
We use the Facebook Pixel for remarketing purposes to reach out to you within 180 days. This allows users of the website to be presented with interest-based advertisements ("Facebook Ads") during visits to the social network "Facebook" or other websites that also use the same procedure. Our goal is to display ads that are of interest to you, making our website or offers more appealing.
Facebook Conversion
Additionally, we aim to ensure, with the help of the Facebook Pixel and the Conversions API, that our Facebook Ads align with the potential interests of users and do not appear intrusive. The Facebook Pixel enables us to track the effectiveness of Facebook Ads for statistical and market research purposes by determining whether users were redirected to our website after clicking on a Facebook Ad (so-called "Conversion").
Due to the use of marketing tools (Facebook Pixel & Conversions API), your browser automatically establishes a direct connection with Facebook's server once you have consented to the use of consent-required cookies. By integrating the Facebook Pixel & the Conversions API, Facebook receives information that you have accessed the respective page on our website or clicked on an ad from us. If you are registered with a Facebook service, Facebook can associate the visit with your account.
Data processing by Facebook is conducted in accordance with Facebook's Data Policy. Specific information and details about the Facebook Pixel, the Conversions API and its functionality are also available in the Facebook Help Center.
We (Südwestdeutsche Salzwerke AG) share responsibility with Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Meta), for the collection and transmission of data in the context of this process. This applies to the following purposes:
- Creating personalized or matching ads
- Optimizing the delivery of commercial and transaction-related messages (e.g., via Messenger)
Processes beyond data collection and transmission fall under the sole responsibility of Meta.
For this shared responsibility, we have entered into an agreement with Facebook, accessible here: Facebook Controller Addendum. This agreement defines the respective responsibilities for fulfilling obligations under the GDPR regarding shared responsibility.
The contact details of the responsible company and Facebook's data protection officer can be found here: Facebook Privacy. We have agreed with Meta that Meta can be contacted for the exercise of data subject rights. However, this does not limit the authority of data subject rights.
For further information on how Meta processes personal data, including the legal basis and additional information on data subject rights, please visit: Facebook Data Policy. We transmit data within the framework of shared responsibility based on legitimate interests under Art. 6(1)(f) GDPR.
Information on data security terms can be found here: Facebook Data Security Terms, and information on processing based on standard contractual clauses can be found here: EU Data Transfer Addendum.
You can disable the tool through the cookie settings, which you can control via the COOKIE GUIDE and for logged-in users at Facebook Ad Settings.
Cookie Lifespan: Up to 180 days after the last interaction. This applies only to cookies set through this website.
24. Your Rights Overview
An affected person has application rights under the provisions of the GDPR, which can be asserted in connection with their personal data. These rights include the right to information, correction, deletion, restriction of processing, data portability, as well as specific objection rights and the right to lodge a complaint with a supervisory authority. Below, we provide you with an overview of the individual rights and their deadlines.
24.1 Deadlines for the so-called Application Rights according to Art. 15 - 21 GDPR
As the data controller, we will respond to any requests under Articles 15 - 21 of the GDPR within one month of receipt. This period can be extended by an additional two months if necessary, taking into account the complexity and the number of requests. In this case, we will inform you of the extension within one month of receiving your request. If the affected person submits the request electronically, we will respond electronically if possible, unless otherwise specified.
24.2 Application Channels
You can submit requests by postal mail or email. The contact address can be found in section 4 of this statement. Please direct all requests under Articles 15-21 GDPR related to your customer account to: Info@salzbergwerk.de.
24.3 Right to Information of the Data Subject according to Art. 15 GDPR
An affected person has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed. If this is the case, they have the right to information about this personal data, as well as further information as described in Art. 15 GDPR. Please note that the data controller can only provide information if there are no concerns about the identity of the data subject. The data controller will use all reasonable means to verify the identity of a data subject seeking information.
24.4 Right to Rectification according to Art. 16 GDPR
An affected person has the right to request the data controller to promptly correct any inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary statement.
24.5 Right to Erasure according to Art. 17 GDPR
An affected person has the right to request the data controller to erase personal data concerning them without undue delay, and the data controller is obligated to erase personal data without undue delay if the conditions listed in Art. 17 GDPR are met.
24.6 Right to Restriction of Processing according to Art. 18 GDPR
The data subject has the right to request the data controller to restrict the processing if the conditions set out in Art. 18 GDPR are met.
24.7 Right to Data Portability according to Art. 20 GDPR
The data subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a format described in Art. 20 GDPR, or to have this data transmitted to another controller as instructed by the data subject, provided the conditions described in Art. 20 GDPR are met.
24.8 Right to Object according to Art. 21 GDPR
The data subject has the right to object at any time, for reasons arising from their particular situation, to the processing of personal data concerning them based on Art. 6(1)(e) GDPR (processing is carried out in the public interest or in the exercise of official authority) or Art. 6(1)(f) GDPR (processing is based on the legitimate interests pursued by the controller or a third party).
In such cases, the data controller shall no longer process the personal data unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the processing serves the establishment, exercise, or defense of legal claims.
24.9 Right to Withdraw Consent according to Art. 13(2)(c) GDPR
If the processing of personal data of a data subject by the data controller is based on Art. 6(1)(a) GDPR (the data subject has given consent to the processing of their personal data for one or more specific purposes) or Art. 9(2)(a) GDPR (the data subject has given consent to the processing of their special categories of personal data for one or more specific purposes), the data subject has the right to withdraw consent at any time without affecting the lawfulness of the processing based on consent before its withdrawal.
You can declare your withdrawal by mail or email. The contact address can be found in section 4 of this statement. For all requests under Art. 15-21 GDPR related to your customer account, please direct them to: Info@salzbergwerk.de
25. Right to Lodge a Complaint with a Supervisory Authority according to Art. 77 GDPR
Every data subject has the right to lodge a complaint with a supervisory authority, without prejudice to any other administrative or judicial remedy, if the data subject considers that the processing of personal data concerning them violates the GDPR. In general, you can contact the supervisory authority at your habitual residence, place of work, or the location of the alleged infringement.
The supervisory authority to which the complaint has been lodged shall inform the complainant about the progress and the outcome of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.
The supervisory authority responsible for Südwestdeutsche Salzwerke AG is: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Physical Address: Lautenschlagerstraße 20 70173 Stuttgart Germany
Mailing Address: Postfach 10 29 32 70025 Stuttgart Germany
For more information, please visit www.baden-wuerttemberg.datenschutz.de.
26. Up-to-dateness of this Privacy Policy
For legal or technical reasons, adjustments to our privacy policy may be necessary. We reserve the right to make corresponding changes at any time and therefore recommend that you regularly check this privacy policy for the current status.
As of: November 2023
Privacy Information for Visitors to the Salt Mine in Berchtesgaden and the Old Saltworks in Bad Reichenhall
According to the regulations of the General Data Protection Regulation (GDPR),
Simply click on the button below labeled "Privacy Information.pdf" to view the privacy information for visitors to our two excursion destinations.
We look forward to your visit and wish you a pleasant stay and an exciting underground tour.