Data Protection

11.2 Cookie Management - Consent for Non-Functional Cookies

Our website uses the Cookie Consent technology from Usercentrics to obtain your consent for storing certain cookies in your browser and to document this in compliance with data protection regulations. The provider of this technology is Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark.

We have entered into a data processing agreement with Usercentrics, in which Usercentrics undertakes to ensure the necessary protection of your data and to process it exclusively on our behalf and in accordance with our instructions, in compliance with applicable data protection regulations. The use of a cookie banner, as well as the management and storage of your consents to the processing of your personal data, is based on our legal obligation to provide a data protection-compliant website (Art. 6 para. 1 lit. c) GDPR in conjunction with § 26 TTDSG). The processing of data to provide a cookie banner is essential for the operation of the website. There is no option for the user to object as long as there is a legal obligation to obtain user consents for certain data processing operations before loading the website.

When you enter our website, a Cookiebot cookie is stored in your browser, which contains the consents you have given or the revocation of these consents. This data is anonymized and transferred to the provider of Cookiebot. Cookiebot processes the following data to provide and manage the cookie banner: 

• our IP address anonymized by Cookiebot (the last three digits are set to "0"),
• Additional information about the browser used and its version,
• Date and time of your visit to our website or your settings via our cookie banner,
• The URL of the accessed website,
• An anonymous, random, and encrypted key (ID),
• Your given consents or individual privacy settings.

Cookiebot uses both local storage and the setting of cookies to store this information locally in your browser. Your individual settings and your ID are stored in a cookie so that your settings are taken into account when you revisit our website.

For more information about the data processing by Cookiebot, please visit: Cookiebot Privacy Policy.

11.3 Cookie Management via "COOKIE GUIDE"

In the COOKIE GUIDE, you can view your cookie settings and adjust them according to your needs at any time. Additionally, you can see the types of cookies and their respective purposes outlined there.

Here is your cookie overview:

12. Informative Electronic Communications (via Email) to Business Customers

For the dispatch of informative communications (via email) to business customers, we use CleverReach, with whom we have entered into a data processing agreement. CleverReach GmbH & Co. KG is located at Mühlenstr. 43, 26180 Rastede. This service allows us to organize and analyze the newsletter distribution. Your data processed for receiving the informative communication, such as your email address, is stored on CleverReach servers. Server locations are in Germany and Ireland.

The newsletter dispatch with CleverReach enables us to analyze the behavior of the newsletter recipient. The analysis includes, among other things, how many recipients opened their newsletter (informative communication) and the frequency with which links in the newsletter were clicked. CleverReach supports conversion tracking to analyze whether a previously defined action, such as a product purchase, occurred after clicking on a link. Details about data analysis by CleverReach can be found at: https://www.cleverreach.com/en/newsletter-tool/newsletter-reporting/.

Business customers have the option to subscribe to our newsletter on our website using the double opt-in procedure. This means that after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary to prevent anyone from registering with someone else's email address.

The legal basis for data processing is § 7 (3) UWG and, in cases where newsletter registration is done through our website, consent under Art. 6 (1) lit. a GDPR.

If you no longer wish to receive this information via email in the future, please unsubscribe via the "Unsubscribe" link in the newsletter/informative email. The legality of the data processing operations already carried out remains unaffected by the revocation/unsubscription.

Details of CleverReach's privacy policy can be found at: https://www.cleverreach.com/en/privacy-policy/

13. Your Customer Account

Business customers (B2B) have the option to create a customer account with us. This means registering with us as the data controller, providing personal data. The specific personal data transmitted to us is determined by the respective input mask used for registration. Some fields may be designated as mandatory because, without this information, we cannot provide the services associated with registration. The personal data you enter is processed exclusively for the purpose of use. The customer account is used to handle your orders and all related services. To process your orders, we share the data with other companies solely for proper contract fulfillment and only to the extent necessary. This includes sharing with parcel delivery services, payment service providers, or other service providers integrated into the application (e.g., cooperation partners). The integrated service providers also use the personal data solely for processing your order and only according to our instructions. Your data will not be disclosed to third parties without your explicit consent. Master data stored in the customer account remains stored until you revoke your consent.

For any rights related to your customer account, please contact the following address: info@salzbergwerk.de

If you have general questions about data protection, please contact the address mentioned in section 4 of this statement.

14. Data in the Context of Orders in the Ticket Shop, as well as Inquiries and Reservations for Individual Offers and Events

Through our website, you have the opportunity to purchase tickets for tours, events, and various group offerings. Furthermore, we provide the option to submit inquiries or reservations for individual offers and events. For this purpose, the provision of personal data is necessary to the extent required. The specific personal data transmitted to us depends on the respective input mask used for the order/inquiry/reservation. Some fields may be designated as mandatory because, without this information, processing is not possible.

If personal data is subject to tax and commercial retention periods, it will be stored for this period. Beyond this period, further processing of this data will only occur if you have expressly consented to further use of your data. For individual events or offers where cooperation partners are involved in the process, it is necessary to share your data with these cooperation partners to the extent required. The disclosure of necessary data to these cooperation partners is solely for the purpose of contract fulfillment. There is no further disclosure to third parties. Your data will be treated as confidential by us at all times. For the processing of the payment process, we refer to section 

15. Data in the Context of Payment Processing (Credit Card, PayPal, Sofortüberweisung)

For the order processing of products and services offered through this website, three payment methods (credit card payment, PayPal, Sofortüberweisung) are provided. All payment methods are processed through the All-in-One Payment Service Provider Unzer (Unzer GmbH, Vangerowstraße 18, 69115 Heidelberg), and for this purpose, a contract for order processing has been concluded with the service provider. Depending on the payment method (credit card, PayPal, Sofortüberweisung), the entry of payment-relevant data, which is required by the respective payment service for the execution of the payment process, takes place. Unzer ensures the highest security in data transfer for all payment methods. Due to the processing of credit card data, Unzer is bound to the globally applicable PCI DSS IT standard (Payment Card Industry Data Security Standard). Further information on data protection can be found at: https://www.unzer.com/de/datenschutz/.

The use of payment service providers is based on Art. 6 para. 1 lit. b GDPR (contract processing) as well as in the interest of a smooth, convenient, and secure payment process (Art. 6 para. 1 lit. f GDPR). Insofar as your consent is requested for certain actions, Art. 6 para. 1 lit. a GDPR is the legal basis for data processing; consents can be revoked at any time for the future.

We offer the following payment methods through this website:

PayPal

Provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal").

The data transfer to the USA is based on the standard contractual clauses of the European Commission. Details can be found here: https://www.paypal.com/de/webapps/mpp/ua/pocpsa-full.

For details, please refer to PayPal's privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

Instant bank transfer

The provider of this payment service is Sofort GmbH, Theresienhöhe 12, 80339 Munich (hereinafter referred to as "Sofort GmbH"), which is a company of the Klarna Group. With the help of the "Instant bank transfer" procedure, we receive a payment confirmation from Sofort GmbH in real time and can immediately begin to fulfil our obligations. If you have decided in favour of the "Sofortüberweisung" payment method, you transmit the PIN and a valid TAN to Sofort GmbH, with which it can log into your online banking account. After logging in, Sofort GmbH automatically checks your account balance and carries out the transfer to us using the TAN you have transmitted. It then immediately sends us a transaction confirmation. After logging in, your turnover, the credit limit of the overdraft facility and the existence of other accounts and their balances are also automatically checked. In addition to the PIN and TAN, the payment data you have entered and your personal data are also transmitted to Sofort GmbH. Your personal data includes your first and last name, address, telephone number(s), e-mail address, IP address and any other data required for payment processing. The transmission of this data is necessary to establish your identity beyond doubt and to prevent attempts at fraud.

A company that integrates the services of Sofort GmbH as a payment method on its website does not have access to your personal online banking access data (such as PIN) and TAN, which you enter in the encrypted payment form, at any time. For details on payment with Sofortüberweisung, please refer to the following links: https://www.sofort.de/datenschutz.html and https://www.klarna.com/sofort/.

Mastercard

The provider of this payment service is Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium (hereinafter "Mastercard").

Mastercard may transmit data to its parent company in the USA. The data transfer to the USA is based on Mastercard's Binding Corporate Rules. Details can be found here: Mastercard Privacy Policy (German) and Mastercard BCRs.

VISA

The provider of this payment service is Visa Europe Services Inc., Branch London, 1 Sheldon Square, London W2 6TT, United Kingdom (hereinafter "VISA").

The United Kingdom is considered a data protectionally secure third country. This means that the United Kingdom has a level of data protection equivalent to the level of data protection in the European Union.

VISA may transfer data to its parent company in the USA. The data transfer to the USA is based on the Standard Contractual Clauses of the EU Commission. Details can be found here: Visa Global Data Protection Notice.

For more information, please refer to the Visa Privacy Center: Visa Privacy Center.

16. Deletion and Blocking of Personal Data

The data controller processes and stores personal data of the data subject only for the period necessary to achieve the purpose of storage or as stipulated by the European legislator or another legislator in laws or regulations to which the data controller is subject.

If the purpose of storage is no longer applicable, or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data will be blocked or deleted in accordance with legal requirements.

17. Legal Basis for Processing Personal Data

Article 6(1)(a) of the General Data Protection Regulation (GDPR) serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose.

If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, such as in the case of processing operations necessary for the delivery of goods or the provision of any other service or consideration, the processing is based on Article 6(1)(b) GDPR. The same applies to such processing operations that are necessary for carrying out pre-contractual measures, such as in cases of inquiries about our products or services.

If our company is subject to a legal obligation by which the processing of personal data is required, such as for compliance with tax obligations, the processing is based on Article 6(1)(c) GDPR.

Furthermore, processing operations may be based on Article 6(1)(f) GDPR. This is the case when the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, provided that the interests or fundamental rights and freedoms of the data subject do not override such interests. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. The legislator considered that a legitimate interest could be assumed if the data subject is a customer of the data controller or is in its service (Recital 47, sentence 2, GDPR). If the processing of personal data is based on Article 6(1)(f) GDPR, our legitimate interest is the conduct of our business activities for the benefit of our shareholders while respecting the legitimate interests of the data subjects. In the balancing of these interests, the focus is always on establishing a fair relationship between the data subject and us as a company.

18. Duration for Which Personal Data is Stored

The criterion for the duration of the storage of personal data is based on legal retention periods, which may arise from tax or commercial law, as well as other applicable legal regulations, whenever these regulations are applicable to your personal data. After the expiration of the specified period, the relevant data will be deleted unless they are still necessary for contract fulfillment, contract initiation, or maintaining the business relationship. If no retention periods are applicable, and you have provided your consent for the storage and use of your personal data, the data will be stored and used for the specified purpose as long as outlined in the consent or until you revoke your consent for future use.

19. Legal or Contractual Requirements for Providing Personal Data; Necessity for Contract Conclusion; Obligation of the Data Subject to Provide Personal Data; Possible Consequences of Non-Provision

We inform you that the provision of personal data is partly required by law (e.g., tax regulations) or may result from contractual provisions (e.g., information about the contracting party). In some cases, it may be necessary for a contract to be concluded that a data subject provides us with personal data that subsequently needs to be processed by us. For instance, the data subject is obligated to provide us with personal data when our company enters into a contract with them. Failure to provide the personal data would result in the contract with the data subject not being concluded.

20. Data Protection Policy for the Use of Google Analytics

If you have given your consent, Google Analytics 4, a web analytics service provided by Google LLC, is used on this website. The responsible entity for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). Pursuant to Article 28 of the General Data Protection Regulation (GDPR), we have entered into a contract for data processing with Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

Scope of Processing

Google Analytics uses cookies that enable an analysis of your use of our websites. The information collected through these cookies about your use of this website is usually transmitted to and stored on a server operated by Google in the United States. We utilize the User-ID feature, allowing us to assign a unique, persistent ID to one or more sessions (and the activities within these sessions) and analyze user behavior across devices.

In Google Analytics 4, IP address anonymization is enabled by default. Due to IP anonymization, your IP address is truncated by Google within member states of the European Union or other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

During your website visit, your user behavior is captured in the form of "events." Events can include:

• Page views
• Initial visit to the website
• Session start
• Your "click path," interaction with the website
• Scrolls (every time a user scrolls to the end of the page (90%))
• Clicks on external links
• Internal search queries
• Interaction with videos
• File downloads
• Viewed/clicked advertisements
• Language settings
  

Additionally, the following information is collected:

• Your approximate location (data on country, region, city)
• Your IP address (in shortened [anonymized] form)
• Technical information about your browser and the devices you use (e.g., language settings, screen resolution)
• Your internet service provider
• The referrer URL (through which website/ advertising medium you came to this website)

Purposes of Processing

On behalf of the operator of this website, Google will use this information to evaluate your website usage and compile reports on website activities. The reports provided by Google Analytics serve to analyze the performance of our website and the success of our marketing campaigns.

Recipients

Recipients of the data may include:

• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as a data processor according to Art. 28 GDPR)
• Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
• Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

It cannot be ruled out that U.S. authorities may access the data stored at Google.

Third Country Transfer

Where data is processed outside the EU/EEA and there is no data protection level equivalent to the European standard, we have concluded EU Standard Contractual Clauses with the service provider to establish an adequate level of data protection. The parent company of Google Ireland, Google LLC, is headquartered in California, USA. The transfer of data to the USA and access by U.S. authorities to data stored at Google cannot be ruled out. The USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. Legal remedies against access by authorities may not be available.

Retention Period

The data we send and associate with cookies is automatically deleted after 14 months. Data whose retention period has expired is automatically deleted once a month.

Legal Basis

The legal basis for this data processing is your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR.

Revocation

You can revoke your consent at any time with effect for the future by accessing the COOKIE GUIDE and changing your selection there. The legality of processing carried out based on the consent before its withdrawal remains unaffected.

You can also prevent the storage of cookies from the outset by configuring your browser software accordingly. However, if you configure your browser to reject all cookies, this may result in limitations to the functionality of this and other websites. Additionally, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) as well as the processing of this data by Google by not giving your consent to the setting of the cookie.

For more information on the terms of use of Google Analytics and data protection at Google, please visit https://marketingplatform.google.com/intl/de/about/analytics/ and https://policies.google.com/privacy?hl=en.

21. Google Tag Manager

For the management of our website and the integration of cookie-based technologies, we use the Tag Manager service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). For this purpose, each time one of our web pages is accessed, your anonymized IP address is transmitted to a server of Google, which may be located in the USA. The IP address is not stored by Google as part of the Tag Manager service and is only used for the integration of technologies managed via the Tag Manager. The Tag Manager itself does not set any cookies. The Google Tag Manager is loaded only after your consent.

22. Social Media Presence on Social Networks and Platforms (Facebook, Instagram, YouTube)

We maintain the following channels or fan pages on social media platforms:

• Facebook: Salzbergwerk Berchtesgaden 
• Instagram: salzbergwerk_berchtesgaden
• YouTube: Salzbergwerk Berchtesgaden 

with the aim of communicating with active customers, prospects, and users there, and informing them about our services.

The icons displayed for this purpose within our website in the footer area are static links. This means that no automatic connection to these social networks is established when our website is loaded. Only when you click on the icon will you be directed to the website of the respective social network. Please note the explanations in Section 23 - Facebook Custom Audiences (for websites) / Conversion – Facebook Pixel.

If you have consented to the use of consent-based cookies, your browser automatically establishes a direct connection to Facebook's server due to the deployed marketing tool ("Facebook Pixel").

22.1 Facebook and Instagram

Principle

As the operator of the above-mentioned Facebook and Instagram accounts, we (Südwestdeutsche Salzwerke AG) are jointly responsible with the operator of the social network Facebook and Instagram (Meta Platforms Ireland Ltd.) within the meaning of Article 4(7) of the General Data Protection Regulation (GDPR). There is joint responsibility according to Article 26 GDPR.

Contact details of the joint controllers:

Südwestdeutsche Salzwerke AG: Contact details of the controller and its data protection officer can be found in sections 3 and 4 of this privacy policy.

Meta Platforms Ireland Ltd:

Contact details: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland

Authorized representative: Richard Kelley, Registered in Ireland (Companies Registration Office), Company Registration Number 462932

You can contact the data protection officer for Facebook and Instagram products via this link: Facebook Data Protection Officer Contact.

The terms of use of Facebook and other terms and policies listed at the end are authoritative. Facebook Terms of Service

Information on the scope of data processing: Information on the scope of data processing by our company can be found in this privacy policy.

Information on the scope of data processing and the associated handling of personal data by Facebook can be found here:

Facebook Data Policy

Information on the scope of data processing and the associated handling of personal data by Facebook for the Instagram service can be found here:

Instagram Data Policy

Agreement on Joint Responsibility

The agreement between us and Facebook regarding joint responsibility for data processing under Article 26 of the GDPR can be accessed here:

Facebook Controller Addendum

Facebook Terms Page Controller Addendum

This agreement has been created for Facebook fan pages and, in our assessment, is applicable to the use of Instagram Insights due to the identical Insights function and identical parties involved:

Facebook Controller Addendum

Facebook Terms Page Controller Addendum

Use of Insights and Cookies in Connection with Facebook and Instagram Accounts

In connection with the operation of the above-mentioned Facebook and Instagram accounts, we use the Insights feature of Facebook to obtain anonymized statistical data about users of our Facebook and Instagram accounts. Facebook stores a cookie on the user's device, who visits our Facebook or Instagram account, for this purpose. The cookie contains a unique user code and is active for a period of two years unless deleted earlier. The user code can be linked to the data of users registered with Facebook.

The information stored in the cookies is received, recorded, and processed by Facebook, especially when the user visits Facebook services, services provided by other members of the Facebook group of companies, and services provided by other companies that use Facebook services. Additionally, other entities such as Facebook partners or even third parties may use cookies on Facebook services to provide services to companies advertising on Facebook.

For more information on the use of cookies by Facebook, please refer to their Cookie Policy.

The Instagram Data Policy contains all information regarding data processing by Facebook when using Instagram: Instagram Data Policy.

We do not have any influence on how and to what extent Facebook and Instagram process this data.

Legal Basis and Legitimate Interests

We operate Facebook and Instagram accounts to present ourselves to users of Facebook and Instagram, as well as other interested individuals who visit our Facebook and Instagram accounts, and to communicate with them. The processing of personal data of users is based on our legitimate interests in an optimized social media presence (Article 6(1)(f) GDPR).

Data Disclosure

It is conceivable that personal data may be processed outside the European Union by Meta Platforms, Inc., based in the USA. However, our contracting party is Meta Platforms Ireland Ltd., based in Ireland, and thus within the European Union. The US parent company, Meta Platforms, Inc., 1 Meta Way, Menlo Park, California 94025-1453, USA, is additionally certified under the EU-U.S. Data Privacy Framework (PDF), so the data transfer to it is permissible based on the European Commission's adequacy decision regarding the USA.

We do not disclose personal data ourselves.

Objection Options

Users of Facebook can influence the extent to which their user behavior during the visit or use of Facebook services, and thus our Instagram account, is recorded through the Ad Preferences settings. Additional options are available through Facebook settings or the objection form.

The processing of information using cookies employed by Facebook and Instagram can be prevented by not allowing third-party cookies or those from Facebook in the browser settings.

22.2 YouTube

Principle for Using this Website

Our website uses plugins from the YouTube service. The company providing the service in the European Economic Area and Switzerland is Google Ireland Limited, a company registered and operated under Irish law (registration number: 368047) with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. The use of YouTube, and thus the viewing of embedded videos on this website, is only possible with your consent to the so-called marketing cookies. If you have not consented to the use of these cookies, viewing embedded videos is not possible.

Upon your consent, a connection is established to YouTube's servers. This informs the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to directly associate your browsing behavior with your personal profile. You can prevent this by logging out of your YouTube account.

Furthermore, after starting a video, YouTube may store various cookies on your device. With the help of these cookies, YouTube can obtain information about visitors to our website. This information is used, among other things, to capture video statistics, improve user-friendliness, and prevent fraud. The cookies remain on your device until you delete them. After starting a YouTube video, additional data processing operations may be triggered, over which we have no influence.

22.3 YouTube Channels

Principle

As the operator of the aforementioned YouTube channels on YouTube, we (Südwestdeutsche Salzwerke AG) and the operator of the YouTube service (Google Ireland Limited; hereinafter also referred to as "Google") are joint controllers within the meaning of Article 4(7) of the General Data Protection Regulation (GDPR).

When visiting the YouTube channels as outlined in section 22, personal data is processed by the controllers. The following provides information on the types of data processed, the processing methods, and the rights available to you.

Contact Details of Joint Controllers

Südwestdeutsche Salzwerke AG: Contact details of the controller and its data protection officer can be found in sections 3 and 4 of this privacy policy.

Contact details: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

You can contact Google's data protection officer via this link: https://www.youtube.com/t/contact_us

Shared Responsibility

We, as operators of the YouTube channel, and Google, as the platform operator of YouTube, share responsibility for the processing of personal data of subscribers, visitors, and users that takes place on or through the channel.

Information regarding the data processing carried out by our company can be found in this privacy policy. Information about how Google handles personal data for the YouTube service can be found in their privacy policy.

Use of Insights and Cookies in connection with the mentioned YouTube accounts

In connection with the operation of the YouTube channel, Google provides an analytics function that we use to obtain anonymized statistical data about the users and interactions on our channel. For this purpose, Google stores a cookie on the user's device who visits our channel. The cookie contains a unique user code, which can be linked to the data of users registered on YouTube.

The information stored in the cookies is received, recorded, and processed by Google. Additionally, other entities, such as Google partners, may use cookies to provide services to companies advertising on YouTube or other Google services. For more information on the use and deployment of cookies by Google, please visit: https://policies.google.com/technologies/cookies?hl=de

Legal Basis and Legitimate Interests

We operate this YouTube channel to present ourselves to YouTube users and other interested individuals who visit our YouTube channel, aiming to engage in communication with them. The processing of personal data of users is based on our legitimate interests in optimizing the presentation of SSG (Article 6(1)(f) GDPR).

Data Disclosure

It is possible that some personal data may be processed outside the European Union or the European Economic Area by Google LLC, the parent company of Google Ireland Ltd., located in the United States. Specific details from Google on this matter can be found in Google's privacy policy. However, our contracting partner is Google Ireland Limited, a company based in Ireland and therefore within the European Union.

The U.S. parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA, is also certified under the EU-U.S. Data Privacy Framework (PDF), making the data transfer to the U.S. permissible under the adequacy decision of the European Commission regarding the USA.

We do not share any personal data ourselves.

Opt-out Options

YouTube users can influence the extent to which their user behavior is recorded when visiting or using Google services, including our YouTube channel, through the settings of their accounts.

23. Facebook Custom Audiences (for Websites) / Conversion – Facebook Pixel:

This website utilizes the "Facebook Pixel" from the social network "Facebook" by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Meta) for the following purposes:

We use the Facebook Pixel for remarketing purposes to reach out to you within 180 days. This allows users of the website to be presented with interest-based advertisements ("Facebook Ads") during visits to the social network "Facebook" or other websites that also use the same procedure. Our goal is to display ads that are of interest to you, making our website or offers more appealing.

Facebook Conversion

Additionally, we aim to ensure, with the help of the Facebook Pixel, that our Facebook Ads align with the potential interests of users and do not appear intrusive. The Facebook Pixel enables us to track the effectiveness of Facebook Ads for statistical and market research purposes by determining whether users were redirected to our website after clicking on a Facebook Ad (so-called "Conversion").

Due to the use of marketing tools (Facebook Pixel), your browser automatically establishes a direct connection with Facebook's server once you have consented to the use of consent-required cookies. By integrating the Facebook Pixel, Facebook receives information that you have accessed the respective page on our website or clicked on an ad from us. If you are registered with a Facebook service, Facebook can associate the visit with your account.

Data processing by Facebook is conducted in accordance with Facebook's Data Policy. Specific information and details about the Facebook Pixel and its functionality are also available in the Facebook Help Center.

We (Südwestdeutsche Salzwerke AG) share responsibility with Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Meta), for the collection and transmission of data in the context of this process. This applies to the following purposes:

• Creating personalized or matching ads
• Optimizing the delivery of commercial and transaction-related messages (e.g., via Messenger)

Processes beyond data collection and transmission fall under the sole responsibility of Meta.

For this shared responsibility, we have entered into an agreement with Facebook, accessible here: Facebook Controller Addendum. This agreement defines the respective responsibilities for fulfilling obligations under the GDPR regarding shared responsibility.

The contact details of the responsible company and Facebook's data protection officer can be found here: Facebook Privacy. We have agreed with Meta that Meta can be contacted for the exercise of data subject rights. However, this does not limit the authority of data subject rights.

For further information on how Meta processes personal data, including the legal basis and additional information on data subject rights, please visit: Facebook Data Policy. We transmit data within the framework of shared responsibility based on legitimate interests under Art. 6(1)(f) GDPR.

Information on data security terms can be found here: Facebook Data Security Terms, and information on processing based on standard contractual clauses can be found here: EU Data Transfer Addendum.

You can disable the tool through the cookie settings, which you can control via the COOKIE GUIDE and for logged-in users at Facebook Ad Settings.

Cookie Lifespan: Up to 180 days after the last interaction. This applies only to cookies set through this website.

24. Your Rights Overview

An affected person has application rights under the provisions of the GDPR, which can be asserted in connection with their personal data. These rights include the right to information, correction, deletion, restriction of processing, data portability, as well as specific objection rights and the right to lodge a complaint with a supervisory authority. Below, we provide you with an overview of the individual rights and their deadlines.

24.1 Deadlines for the so-called Application Rights according to Art. 15 - 21 GDPR

As the data controller, we will respond to any requests under Articles 15 - 21 of the GDPR within one month of receipt. This period can be extended by an additional two months if necessary, taking into account the complexity and the number of requests. In this case, we will inform you of the extension within one month of receiving your request. If the affected person submits the request electronically, we will respond electronically if possible, unless otherwise specified.

24.2 Application Channels

You can submit requests by postal mail or email. The contact address can be found in section 4 of this statement. Please direct all requests under Articles 15-21 GDPR related to your customer account to: Info@salzbergwerk.de.

24.3 Right to Information of the Data Subject according to Art. 15 GDPR

An affected person has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed. If this is the case, they have the right to information about this personal data, as well as further information as described in Art. 15 GDPR. Please note that the data controller can only provide information if there are no concerns about the identity of the data subject. The data controller will use all reasonable means to verify the identity of a data subject seeking information.

24.4 Right to Rectification according to Art. 16 GDPR

An affected person has the right to request the data controller to promptly correct any inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary statement.

24.5 Right to Erasure according to Art. 17 GDPR

An affected person has the right to request the data controller to erase personal data concerning them without undue delay, and the data controller is obligated to erase personal data without undue delay if the conditions listed in Art. 17 GDPR are met.

24.6 Right to Restriction of Processing according to Art. 18 GDPR

The data subject has the right to request the data controller to restrict the processing if the conditions set out in Art. 18 GDPR are met.

24.7 Right to Data Portability according to Art. 20 GDPR

The data subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a format described in Art. 20 GDPR, or to have this data transmitted to another controller as instructed by the data subject, provided the conditions described in Art. 20 GDPR are met.

24.8 Right to Object according to Art. 21 GDPR

The data subject has the right to object at any time, for reasons arising from their particular situation, to the processing of personal data concerning them based on Art. 6(1)(e) GDPR (processing is carried out in the public interest or in the exercise of official authority) or Art. 6(1)(f) GDPR (processing is based on the legitimate interests pursued by the controller or a third party).

In such cases, the data controller shall no longer process the personal data unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the processing serves the establishment, exercise, or defense of legal claims.

24.9 Right to Withdraw Consent according to Art. 13(2)(c) GDPR

If the processing of personal data of a data subject by the data controller is based on Art. 6(1)(a) GDPR (the data subject has given consent to the processing of their personal data for one or more specific purposes) or Art. 9(2)(a) GDPR (the data subject has given consent to the processing of their special categories of personal data for one or more specific purposes), the data subject has the right to withdraw consent at any time without affecting the lawfulness of the processing based on consent before its withdrawal.

You can declare your withdrawal by mail or email. The contact address can be found in section 4 of this statement. For all requests under Art. 15-21 GDPR related to your customer account, please direct them to: Info@salzbergwerk.de

25. Right to Lodge a Complaint with a Supervisory Authority according to Art. 77 GDPR

Every data subject has the right to lodge a complaint with a supervisory authority, without prejudice to any other administrative or judicial remedy, if the data subject considers that the processing of personal data concerning them violates the GDPR. In general, you can contact the supervisory authority at your habitual residence, place of work, or the location of the alleged infringement.

The supervisory authority to which the complaint has been lodged shall inform the complainant about the progress and the outcome of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.

The supervisory authority responsible for Südwestdeutsche Salzwerke AG is: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg

Physical Address: Lautenschlagerstraße 20 70173 Stuttgart Germany

Mailing Address: Postfach 10 29 32 70025 Stuttgart Germany

For more information, please visit www.baden-wuerttemberg.datenschutz.de.

26. Up-to-dateness of this Privacy Policy

For legal or technical reasons, adjustments to our privacy policy may be necessary. We reserve the right to make corresponding changes at any time and therefore recommend that you regularly check this privacy policy for the current status.

As of: November 2023