Data protection

1. Our Data Privacy Statement

Südwestdeutsche Salzwerke AG takes your personal data privacy very seriously. For this reason, we always treat your personal data confidentially and in accordance with the legally valid provisions for data protection.

It is generally possible to use our website without inputting your personal data. However, as a visitor to our website, if you wish to use specific services of our company via our website, the processing of your personal data is a requirement. If there is a requirement to process your personal data and there is no legal basis for such processing, we generally obtain the consent of the data subject.

Our Data Privacy Statement gives you information about the nature, scope and purpose of data collected, used and processed by us. In addition, in this Data Privacy Statement we show the rights to which the data subject is entitled in conjunction with your personal data.

As the data controller, we have implemented various technical and organisational measures to guarantee as much privacy as possible with regard to the personal data processed on this website. Nevertheless, we wish to advise you that there may be security vulnerabilities with regard to internet-based data transfer, and thus absolute privacy cannot be guaranteed.

 

2. Definitions of terms

In our Data Privacy Statement, we use terms that are also used in the General Data Protection Regulation (hereinafter “GDPR”). In order to facilitate reading and understanding this statement, we summarise the most important terms below:

2.1 Personal data

Personal data is all information that relates to an identified or identifiable natural person (hereinafter “data subject”. A natural person who directly or indirectly, specifically by assignment to an identifier such as a name, an identification number, location data, an online identifier or to one or more specific characteristics that express the physical, physiological, genetic, economic, cultural or social identity of this natural person, is considered as identifiable.

2.2 Data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the data controller.

2.3 Processing

Processing is any operation or set of operations carried out with or without the assistance of automated processes in conjunction with personal data such as the collection, recording, organisation, arranging, storage, adapting or amendment, selection, retrieval, use, disclosure by communication, dissemination or other form of provision, adjustment or linking, limitation, deletion or destruction.

2.4 Limitation of processing

Limitation of processing is the selection of stored personal data with the aim of limiting its future processing.

2.5 Profiling

Profiling is any kind of automated processing of personal data consisting of the use of this personal data to evaluate certain personal aspects which relate to a natural person, specifically to analyse or predict aspects regarding work performance, economic situation, health, personal preferences, interests, reliability, behaviour, place of residence or change of location of this natural person.

2.6 Pseudonymisation

Pseudonymisation is the processing of personal data so that the personal data can no longer be attributed to a specific data subject without additional information, if this additional information is specially kept and is subject to technical and organisational measures that guarantee that the personal data is not attributed to an identified or identifiable natural person.

2.7 Data controller

Data controller or data controller is the natural person or legal entity, authority, institution or other body that decides alone or together with others on the purposes and means of processing of personal data. If the purposes and means of processing of personal data are provided for by European Union law or the law of member states, the data controller or the specific criteria of its designation can be provided for according to European Union law or the law of member states.

2.8 Processor

Processor is a natural person or legal entity, authority, institution or other body to which the personal data is disclosed on behalf of the data controller.

2.9 Recipient

Recipient is a natural person or legal entity, authority, institution or other body to which the personal data is disclosed, irrespective of whether it is a third party. Authorities that potentially receive data within the context of a specific request for investigation pursuant to European Union law or the law of member states are not, however, considered recipients.

2.10 Third party

Third party is a natural person or legal entity, authority, institution or body other than the data subject, the data controller, the processor and the persons who are authorised under the direct responsibility of the data controller or the processor to process personal data.

2.11 Consent

Consent is any informed and unequivocal expression of will freely given by the data subject for the specific case in the form of a statement or other clear confirmatory action with which the data subject  indicates that they are in agreement with the processing of the personal data relevant to them.

 

3. Name and address of the data controller

The data controller according to GDPR for data privacy laws otherwise valid in the member states of the European Union and other provisions of a data protection nature is:

Südwestdeutsche Salzwerke AG

Salzgrund 67

74076 Heilbronn

Germany

 

4. Contact data of the Data Protection Officer

The Data Protection Officer has the following address:

Südwestdeutsche Salzwerke AG

Datenschutzbeauftragter (Data Privacy Officer)

Salzgrund 67

74076 Heilbronn

For your queries you can alternatively also use the following email address:

Datenschutz@salzwerke.de

 

5. How we protect your data

We take the protection of your personal data very seriously and implement appropriate technical and organisational measures to protect your data in conjunction with usage of data on this website, against access from unauthorised persons, manipulation, destruction and loss. The security measures used are continually being improved in accordance with technological progress.

Thus, communication via our website is protected by a https protocol (HyperText Transfer Protocol Secure). Thus, a secure connection between server and client is established that cannot be read by unauthorised parties. This serves to protect the transfer of confidential content such as, for example, for orders or queries by you to us as website operator.

When service providers are involved in the handling of services of our website and are categorised as data processors, we have stipulated these contractual relations to protect your personal data with a data processing contract according to Art. 28 GDPR.

 

6. Collection of general data and information when our website is used

Each time our website is accessed, a series of general data and information that is stored in the logfiles of the server is collected by our website. Data that can be collected includes the browser types and versions used, the operating system used, the website from which an accessing system reaches our website (“referrer”), the webpages that are controlled on our website using an accessing system, date and time of access to our website, an internet protocol address (IP address) of the internet service provider of the accessing system. Usage of this general data and information cannot be attributed to the data subject, that is, to you as a visitor to the website. This information is required to ensure the functionality of the website. We also use the data to optimise the website and to ensure the security of our information technology systems. All anonymous server logfile data is stored separately from all personal data specified by the data subject. The collection of data for the provision of the website and the storage of data in logfiles is absolutely necessary for the operation of the website. This means there is no possibility of objection on the part of the user. The logfile data is deleted when it is no longer required for fulfilling the purpose of its collection. In the event of collection of data for the provision of the website, this is after no later than seven days.

 

7. Data in conjunction with usage of one of the contact forms offered on the website (or establishment of contact via a relevant online function)

If you have questions of any kind, we offer you the option of contacting us using a form provided on the website or a corresponding online function. Thus, it is essential to provide a valid email address so that we know who the request is from and to be able to answer it. Other essential information is indicated with an asterisk on the contact form. According to the subject and type of data and whether you are already a customer, data processing is based on the agreement with you, your consent or your/our legitimate interest in the clarification of the issue according to Art. 6 Section 1 Sentence. 1 a), b) and f) GDPR. If you use the contact form or another relevant online function for establishing contact for the purposes of an order, request or reservation of individual offers or events, please be aware of the notes under no. 12 “Data in conjunction with orders in the Ticketshop and requests and reservations for individual offers and events.”

We will delete your data relating to the request if we are not legally obligated to store or keep it. Insofar as the data is still required for processing outstanding requests, it will be deleted at the earliest after the requests have been processed. Your personal data is not forwarded to any third parties.

 

8. Links to other websites

Our website can include links to websites of third parties and some of our services can potentially enable access to the services of third parties (e.g. social networks). We have no influence on the ways in which websites and third parties process your personal data. The websites and services of third parties are not monitored by us and we are not responsible for these websites and services of third parties or their data protection practices. Please read the Data Privacy Statements of the websites or services of the third parties you access with our website or services. If our website includes other services, you will find an explanation of this in this Data Privacy Statement.

 

9. Cookie statement

9.1 What are cookies?

Cookies are small text files in which the web browser stores information regarding websites visited that are sent from the web server. This can be information regarding sites visited, such as duration, login dates, user input or the like.

These cookies are stored on your computer or mobile device when you visit a website. They need very little storage space and are deleted automatically upon expiry. Certain cookies expire at the end of your internet session, others are stored for a limited period of time.

9.2. Cookie consent using the Cookie Bot via “Cookie Guide“

Our website uses Cybot cookie consent technology to obtain your consent for storage of certain cookies in your browser and to document this in compliance with data protection legislation. The provider of this technology is Cybot A/S - avnegade 39, 1058 Copenhagen, Denmark (hereinafter “Cybot”).

When you enter our website, a Cookiebot cookie is stored in your browser, in which the consent granted by you or refusal of consent is stored. This data is anonymously forwarded to the provider of Cookiebot. Details regarding data processing of Cookiebot cookies can be found at https://www.cookiebot.com/de/privacy-policy/

 

9.3. Cookie Guide

In the Cookie Guide, which is an integral component of this cookie policy, you can see your cookie settings and adjust them to your needs at any time. You can also see there the kinds of cookies there are and the purposes they fulfil.

9.4. Updating of cookie statement

Our cookie statement can change from time to time. For example, to take account of cookies used by us or if this is required for other operational or legal reasons. For this reason, we request that you regularly access this cookie statement to keep updated on our current use.

 

10. Newsletter and informative messages for marketing purposes (Opt-In)

When we send you newsletters or informational message for marketing purposes, this will only be with your prior consent via the Double-Opt-In procedure. This means an email will be sent to you at the email address supplied by you with a registration link. Only after activating the link will you be registered to receive newsletters or informational messages for marketing purposes.

Our newsletters and informational messages for marketing purposes include a simple option to unsubscribe from receiving further messages in the future, such as, for example, a link, via which you can unsubscribe. You can usually find this link at the bottom of the email, newsletter or email message for marketing purposes.

 

11. Your customer account

As a user of our website, you have the option of creating a customer account. This means that you register with us as data controllers by suppling personal data. The personal data that is transferred to us relates to the respective input form that is used for registration. Some individual fields are established as compulsory fields. This is because we cannot fulfil the services associated with registration without this information. The personal data input by you is processed exclusively for specific use. Thus, the customer account serves to handle your orders and all associated services.  In order to handle your orders, we forward the data to other companies only for the proper fulfilment of the contract and only to the extent required. This means data is forwarded to parcel service providers, providers of payment services or other services related to this. The associated service providers also use the personal data exclusively for the handling of your order and only in accordance with our instructions. Your data is not forwarded to third parties without your express consent.

Please direct any relevant claims in conjunction with your customer account to the following contact address: info@salzbergwerk.de

If you have general questions regarding data protection, please use the contact address in Subsection 4 of this statement.

 

12. Data in conjunction with orders in the Ticketshop and also requests and reservations for individual offers and events

Our website offers you the option of obtaining tickets for tours, events and various group offers. We also offer you the option to make requests or reservations for individual offers and events. Specification of personal data is required to the necessary extent. The personal data that is transferred to us relates to the respective input form that is used for registration. Some individual fields are established as compulsory fields. This is because we cannot fulfil the services associated with registration without this information.

After our handling of the contract has been completed, your data is blocked for further use and deleted on the expiry of legal fiscal and commercial regulations, if you have not expressly consented to further use of your data. For individual events or offers that involve processing by cooperation partners, your data is required to be forwarded to these cooperation partners to the necessary extent. The required data is forwarded exclusively for the purposes of processing the contract. No data is forwarded to third parties. Your data is handled confidentially by us at all times. For handling of the payment process, we refer to Section 13 “Data in conjunction with payment handling (credit card, PayPal, Sofortübweisung)” which you can also find within this Data Privacy Statement.

 

13. Data in conjunction with payment handling (credit card, PayPal, direct debit)

For the payment handling of products and services offered via this website, three methods of payment are offered (credit card payment, PayPal, Sofortüberweisung). All payment methods are handled by the all-in-one payment service provider Unzer (Unzer GmbH, Vangerowstraße 18, 69115 Heidelberg) and a contract for processing has been concluded for this purpose. According to the payment method, data relevant to payment is input that is required by the respective payment service for the purposes of the implementation of the payment process. For all payment methods the utmost security is guaranteed by Unzer with regard to the transfer of data.  For the process of credit card data, Unzer is linked with the globally valid PCI DSS IT Standard (Payment Card Industry Date Security Standard). You can find more information here: https://de.pcisecuritystandards.org/minisite/env2/

If you use the PayPal service in conjunction with payment handling, this is integrated via our payment service provider. PayPal is an online payment service provider. Payment is handled using “PayPal accounts“, which represent virtual private or business accounts. PayPal also offers the option of handling virtual payments using credit cards if a user does not have a PayPal account. A PayPal account is processed via an email address and thus there is no traditional account number. PayPal enables online payments to be made to third parties and also allows payments to be received.  PayPal also acts a trustee and offers buyer protection services. The company operating PayPal in Europe is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.

If the data subject selects PayPal as a payment option during the payment handling process, data is automatically transferred from the data subject to PayPal. By selecting this payment option, the data subject consents to the transfer of personal data required for payment handling.

The personal data transferred to PayPal generally consists of first name, surname, address, email address, IP address, telephone number, mobile telephone number or other data required for payment processing. For processing the purchase contract such personal data as relates to the respective order is also required. The aim of the transfer of data is to process the payment and to prevent fraud. The data controller will then transfer to PayPal specific personal data if there is a legitimate interest for the transfer. The personal data exchanged between PayPal and the data controller is potentially transferred by PayPal to credit agencies. The transfer of this data is for the purposes of identity and credit checks.

PayPal forwards the personal data, if necessary, to associated companies and service providers or sub-contractors, if this is required for the fulfilment of the contractual obligations or the data is to be processed on their behalf. The data subject has the option of withdrawing consent for the processing of personal data by PayPal at any time. Such a withdrawal does not affect personal data, which must be handled, used or transferred for processing payments (in accordance with the contract.)

 

The valid data privacy regulations of PayPal can be accessed at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

If you use the “Sofortüberweisung” (direct debit) service in conjunction with payment handling, this is integrated via our payment service provider. Sofort GmbH, a company in the Klarna Group with head office at Theresienhöhe 12, 80339, Munich, is responsible according to data protection law for the collection and processing of your data when using immediate transfer.

For payments using “Sofortüberweisung” , the following personal information is stored: name/account number/postcode/subject/amount/date. The merchant also receives this information in the payment confirmation. This information can also generally be taken by the merchant from its account statement. No other personal data is stored, no other personal data is forwarded to third parties, and also there are no credit checks as a result of historic payment data.

You can also see from the notes that only the account selected by you for the transfer is included in the check. For invoicing purposes with regard to the merchant, and to fulfil legal storage obligations, Sofortüberweisung stores your name, account number, bank sort code, subject, date and amount transferred according to the statutory storage obligations. This is based on § 28 Section 1. Sentence 1 No. 1. BDSG (Federal Data Protection Act). Sofortüberweisung is designed for data minimisation, i.e. you can use Sofortüberweisung without registration, without opening an account, to pay simply and securely with your online banking account. You can consult our data privacy notes to see in detail what is checked automatically by the software:             https://www.sofort.com/payment/wizard/getCmsContent/data_protection/DE/0/de

The valid data protection regulations of Sofortüberweisung can be accessed at   https://www.sofort.com/ger-DE/datenschutzerklaerung-sofort-gmbh/

 

14. Deletion and blocking of personal data

The data controller processes and stores personal data of the data subject only for the period of time required to achieve the purpose of storage or, if this was provided for by the European issuer of guidelines and regulations or another legislator of laws or regulations to which the data controller is subject.

If the purpose of storage no longer applies or a retention period prescribed by the European issuer of guidelines and regulations or another responsible legislator expires, the personal data shall be blocked or deleted according to legal regulations.

 

15. Legal principles of the processing of personal data

Art. 6 I (a) GDPR is the legal basis for processing operations for our company, for which we obtain consent for a specific processing purpose; thus in the case of use of a contact form linked to the website.

If the processing of personal data is required for the fulfilment of a contract whose contracting party is the data subject, and this is, for example, the case for processing operations that are necessary for the supply of goods or the fulfilment of another service or return service, processing is based on Art. 6 I (b) GDPR. The same applies to such processing operations that are required for the implementation of pre-contractual measures, for example in cases of requests for our products or services.

If our company is subject to a legal obligation by which the processing of personal data is required, such as, for example, for the fulfilment of fiscal obligations, processing is based on Art. 6 I (c) GDPR.

Furthermore, processing operations can be based on Art. 6 I (f) GDPR. This is the case if processing is required to protect a legitimate interest of our company or of a third party, if the interests, fundamental rights and freedoms of the data subject do not prevail. We therefore specifically permitted such processing operations as they were specifically mentioned by European legislators. To this extent, they were of the view that a legitimate interest could be accepted, if the data subject is a customer of the data controller or is in its service (Recital 47 Sentence 2 GDPR). If processing of personal data is based on Article 6 I (f) GDPR, it is our legitimate interest to carry out our business activities for the benefit of our shareholders, taking account of the legitimate interests of the data subjects. When considering this interest, the focus is always on an appropriate relationship between the data subject and us as the company.

 

16. Duration for which personal data is stored

The criteria for the duration of storage of personal data are legal retention periods that may arise from tax or commercial law and also from other applicable legal regulations, and, in fact, always when these legal regulations are applicable to your personal data. After the period has expired, the corresponding data is deleted if it is no longer required for fulfilment of the contract, initiation of the contract or maintenance of the business relationship. If no retention period is applicable and you have granted your consent to the storage and use of your personal data, the data will be stored and used with regard to its purpose for as long as specified in conjunction with consent, or until you withdraw your consent to its use in the future.

 

17. Legal or contractual regulations for the provision of personal data; requirement for conclusion of the contract; obligation of the data subject to provide personal data; potential consequences of non-provision of data

We inform you that the provision of personal data is partially legally prescribed (e.g. tax regulations) or may result from contractual regulations (e.g. information to the contracting partner). The conclusion of a contract may require that the data subject provides us with personal data that, as a consequence, must be processed by us. The data subject is, for example, obligated to provide us with personal data if our company concludes an agreement with them. Non-provision of personal data would result in the contract not being able to be concluded with the party concerned.

18. Data protection provisions for the application and use of Google Analytics (with anonymised function)

We have integrated the components of Google Analytics into our website (with anonymised function).

Google Analytics is a web analysis service. Web analysis is the detection, collection and evaluation of data regarding the behaviour of visitors to websites. A web analysis service collects data regarding the website from which the data subject has come to a website (“referrer”), which pages of the website have been accessed or how often and for how long a webpage is viewed. Web analysis is mainly used to optimise a website and for a cost-benefit analysis of internet advertising.

The operating company of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

Thus, in accordance with data protection we have integrated the add-on "_gat._anonymizeIp" for web analysis using Google Analytics. This add-on shortens and anonymises the IP address of the internet connection of the data subject by Google, if access to our websites is from a member state of the European Union or from another contracting party to the Treaty on the European Economic Area.

The purpose of the Google Analytics component is to analyse the flow of visitors on our website. One of the uses of the data and information acquired by Google is to evaluate the use of our internet site to compile online reports that show the activities on our websites and to fulfil other current services in conjunction with use of our website.

For these purposes we also have a legitimate interest in data processing. The legal principle for usage of Google Analytics is § 15 Section 3 TMG (German Telemedia Act) or Art. 6 Section 1 (f) GDPR. The data sent by us and associated with cookies, usernames or marketing IDs is automatically deleted after 50 months. Data for which the retention period has expired is automatically deleted once a month. More information regarding terms of use of data protection can be found at https://www.google.com/analytics/terms/de.html

https://policies.google.com

Google Analytics deposits a cookie on the information technology system of the data subject. Our cookie statement, which is a component of this Data Privacy Statement, has already explained what cookies are. Google uses this cookie to analyse the use of our website. Each time there is access to one of the individual pages of this website  operated by the data controller and on which a Google Analytics component has been integrated, the internet browser is automatically triggered to access the information technology system of the data subject by the respective Google Analytics components to transfer data to Google for the purposes of online analysis. Within the context of this technical process, Google receives information regarding personal data such the IP address (anonymised) of the data subject, which Google uses to trace the origin of visitors and clicks and, thus, to calculate commission.

Cookies are used to store personal information, for example, time of access, place of access and frequency of visits to our website by the data subject. For each visit to our websites this personal data, including the IP address of the internet connection used by the data subject, is transferred to Google in the United States of America. Google may forward the data collected using this technical process to third parties.

As a visitor to our website, you can use the integrated “Cookie Guide” at any time (see no. 9.3) to decide if you consent to the use of Google Analytics. Consent granted can be withdrawn at any time in the future.

More information and the valid data protection provisions of Google can be accessed at https://www.google.de/intl/de/policies/privacy/ and at          http://www.google.com/analytics/terms/de.html.  Google Analytics is explained in more detail at this link https://www.google.com/intl/de_de/analytics/.

 

19. Data protection provisions for the application and use of Google AdWords

We have integrated Google AdWords into our website. Google AdWords is a service for internet advertising that permits advertisers to place advertisements both in the search engine results of Google and on the Google advertising network. Google AdWords enable an advertiser to establish certain keywords in advance through which an advertisement is placed on search engine results pages of Google only if the user accesses a search result relevant to the keyword with the search engine. On the Google advertising network, the advertisements are distributed using an automatic algorithm and taking into consideration keywords previously established on websites relevant to the subject.

The operating company of Google AdWords services is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

The purpose of Google AdWords is to recruit third party companies to our website by the insertion of advertising relevant to the companies‘ interests into the webpages and the search engine result pages of the Google search engine and to insert third party advertising into our website.

If the data subject accesses our website using a Google advertisement, a “conversion cookie” is deposited on the information technology system by Google. It has already been explained what cookies are. A “conversion cookie” ceases to be valid after 30 days and is not used to identify the data subject. The conversion cookie, if it has not expired, shows if certain webpages, for example the basket of an online shop system, were accessed on our website. The conversion cookie shows both us and Google if the data subject who has accessed our website using an AdWords advertisement, generated a sale and thus has completed or cancelled a purchase.

The data and information from the conversion cookie collected is used by Google to create visit statistics for our website. These visit statistics are again used by us to establish the total number of users who were supplied to us using AdWords advertisements, and thus to establish the success or lack of success of the respective AdWords advertisement and to optimise our AdWords advertising in the future. Neither our company nor other advertising clients of Google-AdWords receive information from Google by which the data subject could be identified.

Conversion cookies are used to store personal information, for example, the websites visited by the data subject. Thus, for every visit to our websites, personal data, including the IP address of the internet connection used by the data subject, is transferred to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may potentially forward the personal data collected to third parties using this technical process.

As a visitor to our website, you can use the integrated “Cookie Guide” at any time (see no. 9.3) to decide if you consent to the use of Google AdWords. Consent granted can be withdrawn at any time in the future.

More information and the valid data protection provisions of Google can be accessed at https://www.google.de/intl/de/policies/privacy/.

 

20. Social media presence on social networks and platforms (Facebook, Instagram)

We have a fan page within the following social networks and platforms:

·         Facebook

·         Instagram

which aims to communicate with customers, interested parties and users using these social networks and to inform them of our services.

There are static links within our website in the area of the footer icons for this. This means that when our website is loaded, there is no automatic connection with these social networks. Only if you click on the icon do you access the website of the relevant social network. Thus, this website can rapidly and simply be shared with social networks and yet also protect your privacy.

Please note that the relevant social networks or platforms always receive information that the data subject has visited our website, if the data subject is logged into the respective social network at the time of accessing our website and activation of the icon (for example, Facebook, Instagram). The consequence of this is that data is stored independently by the devices used by users. If you wish to prevent this, log out of the respective social network first.

Note also that if you visit the websites of these social networks and platforms, your personal data can be processed outside the European Union, and you may be at risk (for instance, in implementing  your rights according to European / German law). Please note that some US providers are certified under the Privacy Shield and have thus undertaken to comply with the data protection standards of the EU.

The data of users is regularly processed for marketing and advertising purposes. For example, user profiles can be created from user behaviour and resulting interests of users. This user profile can again be used, for example, to place advertisements inside and outside the platforms, which are assumed to correspond with the interests of users. For these purposes, cookies are generally stored on the computers of users, on which user behaviour and the interests of users are stored.

More information on the processing of your personal data and also your withdrawal options can be found at the specified links of the respective provider. Rights of information and other rights of the data subject can only be enforced with regard to providers as it is only they who have direct access to the data of users and to the relevant information.

Facebook
Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Data Privacy Statement: www.facebook.com/about/privacy/         
Opt-out: www.facebook.com/settings und www.youronlinechoices.com
Privacy Shield: www.privacyshield.gov/participant.

Instagram
Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA
Data Privacy Statement/ Opt-out: instagram.com/about/legal/privacy/.

 

20.1 Use of social media button via “Shariff”  (Facebook)

We use the c't-Projekt “Shariff” on our website. It replaces the usual share buttons of social networks and thus protects the surfing behaviours of our website users.

“Shariff” simply integrates the share buttons or social media plugins of social networks to our website as a graphic that includes a link to the respective social network. When you visit our website, these buttons are deactivated as standard practice, i.e. they do not send data to the respective social networks without your intervention. Before you can use the buttons, you have to activate them with a click. The Shariff button then only makes direct contact between social networks and our visitors if the visitor actively clicks on the share button. Only then is your data transferred to the respective social network. On the other hand, if the Shariff button is not clicked, there is no exchange between you and the social networks. In this way, our website fulfils the wishes of many website users: the website can be shared rapidly and simply with social networks. Thus, our social buttons have created the option of using these services, but also of protecting your privacy.

After the Shariff button has been activated, a direct connection with the server of the respective social network is created. The content of the button is then transferred directly to your browser by the social networks and integrated from this into the website.

After activation of a button, the respective social network can already collect data irrespective of whether you interact with the button. If you are logged into a social network, the social network can ascribe your visit to this website to your user account. If you are a member of a social network and do not wish the social network to associate the data collected during your visit to our website with  your stored member data, you must log out of the respective social network before activating the button.

We have no influence over the scope of data that is collected by social networks with their buttons. The purpose and scope of data collection and the further processing and use of data by the respective social networks and also your rights and setting options in this regard to protect your privacy can be found in data protection notes of the respective social networks.

The developer of the components is GitHub, Inc. 88 Colin P. Kelly Junior Street, San Francisco, CA 94107, USA. Other information and the valid Data Privacy Statement of GitHub can be accessed at https://help.github.com/articles/github-privacy-policy/,  Other information on the c’t  Project “Shariff” can be found at https://www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html

The following social networks with “Shariff” are integrated into our website:

- Facebook (Share Button)

The links to the data protection settings for the social services integrated using ”Shariff” can be found here:

https://www.facebook.com/about/privacy/

 

20.2 Integration of YouTube into our website

Our website uses plugins of the YouTube website. The operator of the sites is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.

Use of YouTube and thus watching videos embedded into our website is only possible with your consent to the marketing cookies. If you have not consented to these cookies, it is not possible to watch the embedded videos.

We also only use YouTube with your consent in its extended data protection mode. This mode ensures, according to YouTube, that YouTube does not store any information regarding visitors on this website, before they watch the video. On the other hand, it is not necessarily out of the question for data to be forwarded to YouTube partners by the extended data protection mode. Thus, YouTube establishes a connection with the Google DoubleClick Network irrespective of whether you watch a video.

As soon as you start a YouTube video on our website, a connection is established to the YouTube servers. This means the YouTube server is informed which sites you have visited. If you are logged into your YouTube account, you enable YouTube to ascribe your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account.

Moreover, after a video has been started, YouTube can store various cookies on your end device. YouTube can use these cookies to obtain information about visitors to our website. One of the uses to which this information is put is to collect video statistics to improve user-friendliness and to prevent fraud attempts. The cookies remain on your end device until you delete them. Other data processing operations can be triggered after starting a YouTube video, where applicable, over which we have no influence.

More information on data protection with YouTube can be found in their Data Privacy Statement at: https://policies.google.com/privacy?hl=de.

 

21. An overview of your relevant rights  

The data subject has individual claim rights according to GDPR regulations, which can be enforced in conjunction with their personal data. Thus, there exists a right to information, correction, deletion, limitation of processing, data transferability and also individual withdrawal rights and a right of appeal to a supervisory authority. Below we give you an overview of the individual rights and also their time limits.

 

21.1 Time limits for claim rights according to Art. 15-21 GDPR

As the data controller, we respond to any claims according to Art. 15-21 GDPR from those concerned within a period of one month of receipt. This period can be extended by a further two months, if this is required, taking into account the complexity and number of claims. In this event, we shall inform you within one month of receipt of your claim regarding the application of the deadline extension. If the data subject makes the claim electronically, we shall, if possible, respond to them electronically, unless they specify otherwise.

21.2 Methods of claims

Claims can be made by post or email. The contact address can be found at no. 4 of this statement.

All claims according to Art. 15-21 GDPR in conjunction with your customer account should be made directly to: info@salzbergwerk.de" info@salzbergwerk.de

21.3 Right of information of the data subject according to Art. 15 GDPR

The data subject has the right to request confirmation from the data controller as to whether personal data concerning them is being processed. If this is the case, they have a right to information regarding this personal data and also further information as described in Art. 15 GDPR.

Please note that the data controller can only give information if there are no reservations regarding the identity of the data subject. The data controller will use all reasonable means to check the identity of the data subject seeking information.

21.4 Right to correction according to Art. 16 GDPR                                 

The data subject has the right to request that incorrect personal data about them is corrected promptly by the data controller. Taking account of the purposes of processing, the data subject has the right to request the completion of incomplete personal data – also using an additional statement.

21.5 Right to deletion according to Art. 17 GDPR                                    

The data subject has the right to request that personal data regarding them is deleted promptly by the data controller, and the data controller shall undertake to delete personal data promptly if the conditions as specified in Art. 17 GDPR  are fulfilled.

21.6 Right to limitation of processing according to Art. 18 GDPR     

The data subject has the right to request that processing be limited by the data controller if the conditions of Art. 18 GDPR are met.

21.7 Right to data transferability according to Art. 20 GDPR

The data subject has the right to obtain the personal data regarding them that they have supplied to the data controller in a format as described in Art. 20 GDPR or to have transferred to another data controller by the data subject according to instructions, if the conditions are met as described in Art. 20 GDPR.

21.8 Right of objection according to Art. 21 GDPR

The data subject has the right, for reasons due to their special situation, to object to the processing of their personal data, which was collected as a result of Art. Section 1 (e) GDPR [processing of data within the context of a task assigned to the data controller in the public interest or in the exercise of official authority] or Art. 6 Section 1 (f) GDPR [processing of data on the basis of a legitimate interest on the part of the data controller or a third party].

The data controller shall no longer process the personal data in these cases, unless it can prove compelling legitimate grounds for processing that override the interests, rights and freedoms of the data subject, or that processing serves the assertion, exercise or defence of legal claims.

If personal data is processed by the data controller, to carry out direct marketing, the data subject has the right to object to the processing of their personal data for the purposes of marketing at any time; this also applies to profiling, if this is in conjunction with such direct marketing.

21.9 Right of objection according to Art. 13 Section 2 (c) GDPR

If the processing of personal data of the data subject by the data controller is based on Art. 6 Section 1 (a) GDPR [the data subject has given their consent to the processing of their personal data for one or more specific purposes] or Art. 9 Section 2 (a) GDPR [the data subject has given their consent to the processing of their personal data in special categories for one or more specific purposes], the data subject has the right to withdraw consent at any time, without the legality of the resulting processing due to consent until withdrawal being affected.

You can withdraw your consent by post or by email. The contact address can be found under no. 4 of this Statement.

Please direct all submissions according to Art. 15-21 GDPR in conjunction with your customer account to: info@salzbergwerk.de

 

22. Right of appeal to a supervisory authority according to Art. 77 GDPR

All data subjects, irrespective of any other regulatory or administrative legal remedy, have the right to appeal to a supervisory authority, if the data subject is of the view that the processing of their personal data infringes GDPR. You can generally contact the supervisory authority of your usual place of residence or work or the company head office for this.

The supervisory authority to whom the appeal was submitted shall inform the appellant regarding the status and results of the appeal and also of the possibility of legal remedy according to Art. 78 GDPR.

The data protection authority responsible for us is:

The Commissioner for Data Protection and Freedom of Information, Baden-Württemberg

Postal address:                                                           PO Box address:

Königstraße 10a                                                        PO Box 10 29 32

70173 Stuttgart                                                         70025 Stuttgart

Germany                                                                         Germany

More information can be found on the internet at: www.baden-wuerttemberg.datenschutz.de .

 

23. Topicality of this Data Privacy Statement

For legal or technical reasons, adjustments to our Data Privacy Statement may be required. We reserve the right to make amendments at any time and thus request that you consult this Data Privacy Statement regularly to keep informed of its current status.

Status: October 2020