Südwestdeutsche Salzwerke AG attaches great importance to the protection of your personal data. We therefore always treat your personal data confidentially and in accordance with the applicable data protection regulations. With this data protection declaration, we explain to you what personal data we process about you on our website, for what purpose and on what legal basis.
We also explain what rights a data subject has in connection with the processing of their personal data.
2. definition of terms
2.1 Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.2 Person concerned
A data subject is any identified or identifiable natural person whose personal data is processed by the controller.
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.4 Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of restricting its future processing.
Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisierung ist die Verarbeitung personenbezogener Daten in einer Weise, auf welche die personenbezogenen Daten ohne Hinzuziehung zusätzlicher Informationen nicht mehr einer spezifischen betroffenen Person zugeordnet werden können, sofern diese zusätzlichen Informationen gesondert aufbewahrt werden und technischen und organisatorischen Maßnahmen unterliegen, die gewährleisten, dass die personenbezogenen Daten nicht einer identifizierten oder identifizierbaren natürlichen Person zugewiesen werden.
2.7 Controller or controller responsible for the processing
Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular enquiry in accordance with Union or Member State law shall not be regarded as recipients.
2.10 Third party
Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
3. name and address of the controller
The controller within the meaning of the GDPR, other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature is the:
Südwestdeutsche Salzwerke AG
4. contact details of the data protection officer
The data protection officer has the following address:
Südwestdeutsche Salzwerke AG
Data Protection Officer
Alternatively, please use the following e-mail address for your enquiries:
5. how we protect your data
We take the protection of your personal data very seriously and implement appropriate technical and organisational measures to protect your data in connection with the use of this website against access by unauthorised persons, manipulation, destruction and loss. The security measures used are continuously improved in line with technological progress. For example, communication via our website is protected by an HTTPS protocol (HyperText Transfer Protocol Secure). This establishes a secure connection between server and client that cannot be read by unauthorised persons. This serves to protect the transmission of confidential content, such as orders or enquiries that you send to us.
If service providers are involved in the processing of services on our websites and these are to be qualified as processors, we have regulated these contractual relationships to protect your personal data via an order processing contract within the meaning of Art. 28 GDPR.
6. links to other websites
7. hosting of our website
We host our website via our hosting partner exclusively at the server location Germany (server in Germany). In accordance with data protection regulations, we have concluded a contract for order processing in accordance with Art. 28 GDPR. Connection data is processed for the purpose of providing and delivering the website. For the sole purpose of delivering and providing the website, the data is not stored beyond the call. However, the connection data is stored by our processor for security purposes. The duration of processing for security purposes is variable and ends when the security measures become necessary. In addition, our processor anonymises the collected data immediately after collection and provides us with the anonymous data in the form of statistics for evaluation.
8. use of Friendly Captcha for spam protection
Our website uses the "Friendly Captcha" service (www.friendlycaptcha.com). This service is provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany. Friendly Captcha is an innovative, data protection-friendly protection solution to make it more difficult for automated programmes and scripts (so-called "bots") to use our website. For this purpose, we have integrated a programme code from Friendly Captcha into our website (e.g. for contact forms) so that the visitor's end device can establish a connection to the Friendly Captcha servers in order to receive a calculation task from Friendly Captcha. The visitor's end device solves the calculation task (puzzle), which requires certain system resources, and sends the calculation result to our web server. This contacts the Friendly Captcha server via an interface and receives a response as to whether the puzzle has been solved correctly by the end device. Depending on the result, we can add security rules to requests via our website and, for example, process or reject them.
Friendly Captcha processes and stores the following data in the above-mentioned process:
- Anonymised IP address of the requesting computer
- Information about the browser and operating system used
- Anonymised counter per IP address to control the cryptographic tasks
- Website from which the access took place.
The data is used exclusively to protect against spam and bots as described above. Friendly Captcha does not set or read any cookies on the visitor's end device. IP addresses are only stored in hashed (one-way encrypted) form and do not allow us or Friendly Captcha to draw any conclusions about an individual person. If personal data is collected, it will be deleted after 30 days at the latest.
We have concluded an order processing contract with Friendly Captcha GmbH. The data processing by Friendly Captcha is therefore carried out exclusively in accordance with our instructions and on our behalf in accordance with Art. 28 GDPR.
9. collection of general data and information when using our websites
When using the website purely for information purposes, i.e. without registering in the customer account, using the contact form for enquiries or placing an order via our online ticket shop, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data:
- the IP address;
- the date and time of the request;
- the region (not the address) from which the IP address accesses the website;
- Browser language, browser type (e.g. Chrome, Firefox, Safari) and version;
- Operating system;
- Device type (e.g. mobile device, desktop computer, tablet);
- browsing behaviour on the website (e.g. when the website was visited, which areas of the website were clicked on, how much time was spent on the website);
- the website from which the request came.
This data is processed and stored by us for the purpose of ensuring the functionality of the website, improving the content of the website, creating statistical analyses based on aggregated browsing data. We also process and store it to analyse the technical operation of the website and to ensure the security of our information technology systems.
Our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR lies in the need to display this website to you and to ensure its stability, functionality and security. Furthermore, the storage of server log files serves the purpose of criminal prosecution against the background of possible cyber attacks. In the sense of log file rotation, log files and the IP addresses contained therein are stored until a 100 MB limit is reached and automatically overwritten or deleted once this limit is reached. The storage period is 60 days.
10. data in the context of the use of a contact form offered on the website
For questions of any kind, we offer you the opportunity to contact us via a contact form provided on the website. It is necessary to provide a valid e-mail address so that we know who sent the enquiry and can answer it. Other required mandatory information is marked with an asterisk in the contact form. Depending on the topic, type of date and whether you are already a customer or not, the processing of the data is based on the contract with you, your consent or your or our legitimate interest in clarifying the request in accordance with Art. 6 para. 1 sentence 1 a), b) and f) GDPR. If you use the contact form or another corresponding online function to contact us for the purpose of an order, enquiry or reservation for individual offers and events, please also note the information under subsection 14 "Data in the context of orders in the ticket shop as well as enquiries and reservations for individual offers and events".
We will delete your data relating to the enquiry unless we are legally obliged to continue to store or retain it. If the data is still required to process outstanding enquiries, it will be deleted at the earliest after these enquiries have been processed. Your personal data will not be passed on to third parties.
11. cookie declaration
11.1 What are cookies and what are they needed for?
Cookies are small text files in which the web browser stores information about visited websites that are sent by the web server. This can be information about the page visit such as duration, login data, user input or similar.
These cookies are stored on your computer or mobile device when you visit a website. They require very little storage space and are automatically deleted when they expire. Certain cookies expire at the end of your internet session, others are stored for a limited period of time.
11.2 Cookie management - consent to non-functional cookies
Our website uses Usercentrics' cookie consent technology to obtain your consent to the storage of certain cookies in your browser and to document this in accordance with data protection regulations. The provider of this technology is Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark.
We have concluded an order processing agreement with Usercentrics, under which Usercentrics undertakes to ensure the necessary protection of your data and to process it in accordance with the applicable data protection regulations exclusively on our behalf and in accordance with our instructions. The use of a cookie banner as well as the management and storage of your consent to the processing of your personal data is based on our legal obligation to provide a data protection-compliant website (Art. 6 para. 1 lit. c) GDPR in conjunction with § 26 TTDSG. The processing of data for the provision of a cookie banner is absolutely necessary for the operation of the website. The user has no right to object as long as there is a legal obligation to obtain the user's consent to certain data processing operations before loading the website.
When you enter our website, a Cookiebot cookie is stored in your browser, in which the consent you have given or the revocation of this consent is stored. This data is passed on to the provider of Cookiebot in anonymised form. Cookiebot processes the following data for provision and management:
- Your IP address anonymised during collection by Cookiebot (the last three digits are set to "0"),
- further information on the browser used and the browser version
- the date and time of your visit to our website or the settings you made via our cookie banner
- the URL of the website accessed,
- an anonymous, random and encrypted key (ID),
- your given consent or individual data protection settings.
The cookie banner uses both the local memory (also called "local storage") on your end device and the setting of cookies to store this information locally in your browser. For this purpose, your individual settings and your ID are stored in a cookie so that the settings you have made are taken into account when you visit our website again.
Further information on data processing by Cookiebot can be found at: https://www.cookiebot.com/de/privacy-policy/
11.3 Cookie management by means of "COOKIE GUIDE"
In the COOKIE GUIDE you can view your cookie settings and customise them to your needs at any time. You can also see what types of cookies there are and what purpose they serve.
Here is your cookie overview:
12. informative electronic messages (by e-mail) to business customers
We use CleverReach, with whom we have concluded an order processing contract, to send informative messages (by email) to business customers. CleverReach GmbH & Co. KG has its registered office at Mühlenstr. 43, 26180 Rastede. This service enables us to organise and analyse the sending of newsletters. Your data processed for the purpose of receiving the informative message, such as your email address, is stored on CleverReach's servers for this service. The servers are located in Germany and Ireland.
Sending newsletters with CleverReach allows us to analyse the behaviour of newsletter recipients. The analysis shows, among other things, how many recipients have opened their newsletter (informative message) and how often links in the newsletter were clicked. CleverReach supports conversion tracking in order to analyse whether a previously defined action, such as a product purchase, has taken place after clicking on a link. Details on data analysis by CleverReach can be found at: https://www.cleverreach.com/de-de/newsletter-tool/newsletter-reporting/.
Business customers have the option of registering for our newsletter on our website using the double opt-in procedure. This means that after registering you will receive an e-mail asking you to confirm your registration. This confirmation is necessary to ensure that no-one can register with other people's e-mail addresses.
The legal basis for data processing is Section 7 (3) UWG and, in cases where a newsletter subscription is made via our website, consent pursuant to Art. 6 (1) (a) GDPR.
If you no longer wish to receive this information by e-mail in the future, please unsubscribe via the "Unsubscribe" link in the newsletter/informative message by e-mail. The legality of the data processing operations already carried out remains unaffected by the cancellation/unsubscription.
13. your customer account
Business customers (B2B) have the option of creating a customer account with us. This means registering with us as the controller by providing personal data. The personal data that is transmitted to us is determined by the respective input screen used for registration. In some cases, individual fields are mandatory. This is because we cannot provide the services associated with registration without this information. The personal data you enter will only be processed for the intended purpose. For example, the customer account is used to process your orders and all associated services. In order to process your orders, we only pass on the data to other companies for the proper fulfilment of the contract and only to the extent necessary. For example, data is passed on to parcel service providers, payment service providers or other service providers involved in the application (e.g. cooperation partners). The service providers involved also use the personal data exclusively to process your order and only in accordance with our instructions. Your data will not be passed on to third parties without your express consent. Master data stored in the customer account remains stored until it is cancelled.
Please address any data subject rights in connection with your customer account to the contact address: firstname.lastname@example.org
If you have any general questions about data protection, please contact the address given in section 4 of this declaration.
14. data in the context of orders in the ticket shop as well as enquiries and reservations for individual offers and events
You can purchase tickets for guided tours, events and various group offers via our website. We also offer the opportunity to make enquiries or reservations for individual offers and events. This requires the provision of personal data to the extent necessary. Which personal data is transmitted to us is determined by the respective input mask used for the respective order/enquiry/reservation. In some cases, individual fields are mandatory. This is because processing is not possible without this information.
15. data in the context of payment processing (credit card, PayPal, instant bank transfer)
Three payment methods (credit card payment, PayPal, instant bank transfer) are offered for processing orders for the products and services offered via this website. All payment methods are processed via the all-in-one payment service provider Unzer (Unzer GmbH, Vangerowstraße 18, 69115 Heidelberg, Germany) and an order processing contract is concluded with the service provider for this purpose. Depending on the payment method (credit card, PayPal, instant bank transfer), the payment-relevant data required by the respective payment service to carry out the payment process is entered. For all payment methods, Unzer guarantees maximum security during data transmission. Due to the processing of credit card data, Unzer is bound by the globally valid PCI DSS IT standard (Payment Card Industry Date Security Standard). Further information on data protection can be found at: https://www.unzer.com/de/datenschutz/.
The payment service providers are used on the basis of Art. 6 para. 1 lit. b GDPR (contract processing) and in the interest of a smooth, convenient and secure payment process (Art. 6 para. 1 lit. f GDPR). Insofar as your consent is requested for certain actions, Art. 6 para. 1 lit. a GDPR is the legal basis for data processing; consent can be revoked at any time for the future.
We offer the following payment methods on this website:
The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as "PayPal").
The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.paypal.com/de/webapps/mpp/ua/pocpsa-full.
Instant bank transfer
The provider of this payment service is Sofort GmbH, Theresienhöhe 12, 80339 Munich (hereinafter referred to as "Sofort GmbH"), which is a company of the Klarna Group. With the help of the "Instant bank transfer" procedure, we receive a payment confirmation from Sofort GmbH in real time and can immediately begin to fulfil our obligations. If you have decided in favour of the "Sofortüberweisung" payment method, you transmit the PIN and a valid TAN to Sofort GmbH, with which it can log into your online banking account. After logging in, Sofort GmbH automatically checks your account balance and carries out the transfer to us using the TAN you have transmitted. It then immediately sends us a transaction confirmation. After logging in, your turnover, the credit limit of the overdraft facility and the existence of other accounts and their balances are also automatically checked. In addition to the PIN and TAN, the payment data you have entered and your personal data are also transmitted to Sofort GmbH. Your personal data includes your first and last name, address, telephone number(s), e-mail address, IP address and any other data required for payment processing. The transmission of this data is necessary to establish your identity beyond doubt and to prevent attempts at fraud.
A company that integrates the services of Sofort GmbH as a payment method on its website does not have access to your personal online banking access data (such as PIN) and TAN, which you enter in the encrypted payment form, at any time. For details on payment with Sofortüberweisung, please refer to the following links: https://www.sofort.de/datenschutz.html and https://www.klarna.com/sofort/.
The provider of this payment service is Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium (hereinafter referred to as "Mastercard").
Mastercard may transfer data to its parent company in the USA. The data transfer to the USA is based on Mastercard's Binding Corporate Rules. Details can be found here: https://www.mastercard.de/de en/datenschutz.html and https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-bcrs.pdf.
The provider of this payment service is Visa Europe Services Inc, London Branch, 1 Sheldon Square, London W2 6TT, United Kingdom (hereinafter referred to as "VISA").
The United Kingdom is considered a secure third country under data protection law. This means that Great Britain has a level of data protection that corresponds to the level of data protection in the European Union.
VISA may transfer data to its parent company in the USA. The data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.visa.de/nutzungsbedingungen/visa-globale-datenschutzmitteilung/mitteilung-zu-zustandigkeitsfragen-fur-den-ewr.html.
16. deletion and blocking of personal data
The controller shall process and store the personal data of the data subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which the controller is subject to.
If the storage purpose no longer applies or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data will be blocked or erased in accordance with the statutory provisions.
17. Legal bases for the processing of personal data
Art. 6 I lit. a GDPR serves our company as the legal basis for processing operations for which we obtain consent for a specific processing purpose.
If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service or consideration, the processing is based on Art. 6 I lit. b GDPR. The same applies to such processing operations that are necessary for the implementation of pre-contractual measures, for example in cases of inquiries about our products or services.
If our company is subject to a legal obligation which requires the processing of personal data, such as for the fulfillment of tax obligations, the processing is based on Art. 6 I lit. c GDPR.
Furthermore, processing operations may be based on Art. 6 I lit. f GDPR. This is the case if the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. We are permitted to carry out such processing operations in particular because they have been specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if the data subject is a customer of the controller or is employed by the controller. (Recital 47 sentence 2 GDPR). Where the processing of personal data is based on Article 6 I lit. f GDPR, our legitimate interest is to carry out our business activities for the benefit of our shareholders, taking into account the legitimate interests of the data subjects. When weighing up this interest, the focus is always on an appropriate relationship between the data subject and us as a company.
18. duration for which the personal data is stored
The criterion for the duration of the storage of personal data are statutory retention periods, which may result from tax or commercial law as well as other applicable legal provisions, whenever these legal provisions are applicable to your personal data. After the period has expired, the corresponding data will be deleted if it is no longer required to fulfill the contract, initiate the contract or maintain the business relationship. If no retention periods are applicable and you have given us your consent to store and use your personal data, the data will be stored and used for the purpose specified in the consent or until you revoke your consent for future use.
19. legal or contractual provisions for the provision of personal data; necessity for the conclusion of the contract; obligation of the data subject to provide the personal data; possible consequences of non-provision
We would like to inform you that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual regulations (e.g. information on the contractual partner). Sometimes it may be necessary for a contract to be concluded for a data subject to provide us with personal data that must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data if our company concludes a contract with them. Failure to provide the personal data would mean that the contract with the data subject could not be concluded.
20. Data protection provisions about the application and use of Google Analytics
If you have given your consent, Google Analytics 4, a web analysis service of Google LLC, is used on this website. The controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). In accordance with Art. 28 GDPR, we have concluded an order processing contract with Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
Scope of processing
In Google Analytics 4, the anonymization of IP addresses is activated by default. Due to IP anonymization, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
During your website visit, your user behavior is recorded in the form of "events". Events can be:
- Page views
- First visit to the website
- Start of the session
- Your "click path", interaction with the website
- Scrolls (whenever a user scrolls to the end of the page (90%)
- Clicks on external links
- Internal search queries
- Interaction with videos
- file downloads
- Viewed / clicked ads
- language setting
- Your approximate location (data on country, region, city)
- Your IP address (in abbreviated form [anonymized form])
- Technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
- Your internet provider
- the referrer URL (via which website/advertising medium you came to this website)
Purposes of the processing
Google will use this information on behalf of the operator of this website for the purpose of evaluating your use of the website and compiling reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website and the success of our marketing campaigns.
Recipients of the data are/may be
- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (as a processor in accordance with Art. 28 GDPR)
- Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
- Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
It cannot be ruled out that US authorities will access the data stored by Google.
Third country transfer
Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish an appropriate level of data protection. The parent company of Google Ireland, Google LLC, is based in California, USA. A transfer of data to the USA and access by US authorities to the data stored by Google cannot be ruled out. The USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. You may not be entitled to any legal remedies against access by authorities.
The data sent by us and linked to cookies is automatically deleted after 14 months. Data that has reached the end of its retention period is automatically deleted once a month.
The legal basis for this data processing is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR.
Withdrawal of consent
You can withdraw your consent at any time with effect for the future by accessing the cookie settings via the COOKIE GUIDE and changing your selection there. This does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
You can also prevent the storage of cookies from the outset by setting your browser software accordingly. However, if you configure your browser to reject all cookies, this may limit the functionality of this and other websites. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by not giving your consent to the setting of the cookie.
Nähere Informationen zu Nutzungsbedingungen von Google Analytics und zum Datenschutz bei Google finden Sie unter https://marketingplatform.google.com/intl/de/about/analytics/ and https://policies.google.com/privacy?hl=en
21. Google Tag Manager
We use the Tag Manager service offered by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google") to manage our website and to integrate cookie-based technologies. For this purpose, your anonymized IP address is transmitted to a Google server, which may also be located in the USA, each time you visit one of our websites. The IP address is not stored by Google as part of the Tag Manager service and is only used to integrate the technologies managed via the Tag Manager. The Tag Manager itself does not set any cookies. The Google Tag Manager is only loaded with your consent.
22. social media presence in social networks and platforms (Facebook, Instagram, YouTube)
We maintain the following channels and fan pages on social media platforms:
- Facebook: Alte Saline
- Instagram: altesaline_badreichenhall
- YouTube: Alte Saline Bad Reichenhall
with the aim of communicating with the customers, interested parties and users active there and informing them about our services.
The icons displayed for this purpose in the footer area of our website are static links. This means that no automatic connection to these social networks is established when our website is loaded. Only when you click on the icon will you be taken to the website of the corresponding social network. Please note the explanations in subsection 23 - Facebook Custom Audiences (for websites) / Conversion - Facebook Pixel.
22.1 Facebook and Instagram
As the operator of the above-mentioned Facebook and Instagram accounts, we (Südwestdeutsche Salzwerke AG) are jointly responsible with the operator of the social network Facebook and Instagram (Meta Platforms Ireland Ltd.) within the meaning of Art. 4 No. 7 of the General Data Protection Regulation (GDPR). There is joint responsibility pursuant to Art. 26 GDPR.
Contact details of the joint controllers
Meta Platforms Ireland Ltd:
Contact details: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, IrelandAuthorized representative: Richard Kelley, registered in Ireland (Companies Registration Office), commercial register number 462932
You can contact the data protection officer for the Facebook and Instagram products via this link: https://www.facebook.com/help/contact/540977946302970
Information on the scope of data processing
Information on the scope of data processing and the associated handling of personal data by Facebook can be found here:
Information on the scope of data processing and the associated handling of personal data by Facebook for the Instagram service can be found here:
Agreement on joint responsibility
You can access the agreement between us and Facebook on joint responsibility for data processing in accordance with Art. 26 GDPR here:
This agreement was created for Facebook fan pages and, in our opinion, is also applicable to the use of Instagram Insights due to the identical Insights function and identical parties involved:
Use of insights and cookies in connection with the above-mentioned Facebook and Instagram accounts
In connection with the operation of the above-mentioned Facebook and Instagram accounts, we use Facebook's Insights function to obtain anonymized statistical data on the users of our Facebook and Instagram accounts. For this purpose, Facebook stores a cookie on the end device of the user who visits our Facebook or Instagram account. The cookie contains a unique user code and is active for a period of two years unless it is deleted beforehand. The user code can be linked to the data of users who are registered with Facebook.
The Instagram Data Policy contains all information on data processing by Facebook when using Instagram:
We ourselves have no influence on how and to what extent Facebook and Instagram process this data.
Legal basis and legitimate interests
We operate the Facebook and Instagram accounts in order to present ourselves to and communicate with Facebook and Instagram users and other interested parties who visit our Facebook and Instagram accounts. The processing of users' personal data is based on our legitimate interests in an optimized social media presence (Art. 6 (1) (f) GDPR).
Transfer of data
It is conceivable that personal data may be processed outside the European Union by Meta Platforms, Inc. based in the USA. However, our contractual partner is Meta Platforms Ireland Ltd. based in Ireland and therefore within the European Union.
The US parent company Meta Platforms, Inc. 1 Meta Way, Menlo Park, California 94025-1453, USA is also certified under the EU-U.S. Data Privacy Framework (PDF), so that the data transfer there is permitted via the European Commission's adequacy decision regarding the USA.
We do not pass on any personal data ourselves.
Options to object
Under the settings for advertising preferences, Facebook users can influence the extent to which their user behavior may be recorded when visiting or using Facebook services and thus also our Instagram account.
Further options are offered by the Facebook settings or the form for the right to object.
The processing of information by means of the cookies used by Facebook and Instagram can be prevented by not allowing third-party cookies or cookies from Facebook in your browser settings.
Principle for the use of this website
Our website uses plugins from the YouTube service.
The company providing the service in the European Economic Area and Switzerland is Google Ireland Limited, a company incorporated and operated under Irish law (registration number: 368047) with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland.
The use of YouTube, and thus the viewing of embedded videos on this website, is only possible after your consent to the so-called marketing cookies. If you have not consented to the setting of these cookies, you will not be able to watch the embedded videos.
Once you have given your consent, a connection to the YouTube servers will be established. The YouTube server will be informed which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.
Furthermore, YouTube can store various cookies on your end device after starting a video. With the help of these cookies, YouTube can obtain information about visitors to our website. This information is used, among other things, to record video statistics, improve user-friendliness and prevent fraud attempts. The cookies remain on your end device until you delete them. If necessary, further data processing operations may be triggered after the start of a YouTube video, over which we have no influence.
22.3 YouTube channels
As the operator of the above YouTube channels on YouTube, we (Südwestdeutsche Salzwerke AG) are jointly responsible with the operator of the YouTube service (Google Ireland Limited; hereinafter also referred to as "Google") within the meaning of Art. 4 No. 7 of the General Data Protection Regulation (GDPR).
When you visit the YouTube channels as described in section 22, personal data is processed by the controller.
In the following, we will inform you about what data is involved, how it is processed and what rights you have in this regard.
Contact details of the joint controllers
Contact details: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
You can contact Google's data protection officer via this link: https://www.youtube.com/t/contact_us
We as the operator of the YouTube channel and Google as the platform operator of YouTube are jointly responsible for the data processing of the personal data of subscribers, visitors and users that takes place on or via the channel.
Information on the handling of personal data by Google for the YouTube service can be found in their https://policies.google.com/privacy?hl=de.
Use of insights and cookies in connection with the above YouTube accounts
In connection with the operation of the YouTube channel, Google offers an analysis function that we use to obtain anonymized statistical data on the users and the interactions of our channel. For this purpose, Google stores a cookie on the end device of the user who visits our channel. The cookie contains a unique user code. The user code can be linked to the data of users who are registered with YouTube.
Legal basis and legitimate interests
We operate this YouTube channel to present ourselves to YouTube users and other interested parties who visit our YouTube channel and to communicate with them. The processing of users' personal data is based on our legitimate interests in an optimized presentation of SSG (Art. 6 (1) (f) GDPR).
Transfer of data
The US parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA is also certified under the EU-U.S. Data Privacy Framework (PDF), so that the transfer of data there is permitted via the European Commission's adequacy decision regarding the USA.
We do not pass on any personal data ourselves.
Options to object
In their account settings, YouTube users can influence the extent to which their user behavior may be recorded when visiting or using Google services and thus also our YouTube channel.
23. Facebook Custom Audiences (for Websites) / Conversion – Facebook Pixel
This website uses the so-called "Facebook Pixel" of the social network "Facebook" of Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Meta) for the following purposes:
We use the Facebook pixel for remarketing purposes in order to be able to address you again within 180 days. This allows users of the website to be shown interest-based advertisements ("Facebook ads") when they visit the social network "Facebook" or other websites that also use the process. In this way, we pursue the interest of showing you advertising that is of interest to you in order to make our website or offers more interesting for you.
With the help of Facebook Pixel, we also want to ensure that our Facebook ads correspond to the potential interest of users and are not annoying. With the help of the Facebook pixel, we can track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called "conversion").
Facebook processes the data in accordance with Facebook's data usage policy. Specific information and details about the Facebook pixel and how it works can also be found in Facebook's help section.
We (Südwestdeutsche Salzwerke AG) are jointly responsible with Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Meta) for the collection and transmission of data as part of this process. This applies for the following purposes:
The creation of individualized or suitable ads, as well as for their optimization Delivery of commercial and transactional messages (e.g. via Messenger) The following processing operations are therefore not covered by joint processing:
The processing that takes place after collection and transmission is the sole responsibility of Meta.
We have concluded a corresponding agreement with Facebook for joint responsibility, which can be accessed here: https://www.facebook.com/legal/controller_addendum. This defines the respective responsibilities for fulfilling the obligation under the GDPR with regard to joint responsibility.
The contact details of the responsible company, as well as the data protection officer of Facebook, can be found here: https://www.facebook.com/about/privacy. We have agreed with Meta that Meta can be contacted for the exercise of data subject rights. Nevertheless, the jurisdiction of data subject rights is not restricted.
Further information on how Meta processes personal data, including their legal basis, and additional details about data subject rights can be found here: https://www.facebook.com/about/privacy. We transmit the data as part of joint responsibility based on the legitimate interest according to Art. 6 (1) f GDPR.
Information about data security terms can be found here: https://www.facebook.com/legal/terms/data_security_terms, and information about processing based on standard contract clauses can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum.
The lifespan of the cookies is up to 180 days after the last interaction. This applies only to cookies that were set through this website.
24. Your Rights as a Data Subject – Overview
According to the provisions of the GDPR, a data subject has request rights that can be asserted in connection with their personal data. These rights include the right to information, rectification, deletion, restriction of processing, data portability, as well as specific rights of objection and the right to lodge a complaint with a supervisory authority. Below, we provide an overview of each right and their respective deadlines.
24.1 Deadlines for the so-called request rights according to Art. 15 - 21 GDPR
As the data controller, we will respond to any requests under Articles 15 - 21 of the GDPR within one month of receipt. This period can be extended by an additional two months if necessary, taking into account the complexity and number of requests. In such cases, we will inform you of the extension within one month of receiving your request. If the data subject submits the request electronically, we will, if possible, respond electronically, unless you specify otherwise.
24.2 Ways to Submit Requests
You can submit any requests by mail or email. The contact address can be found in section 4 of this statement. For all requests under Articles 15-21 of the GDPR related to your customer account, please address them directly to: email@example.com.
24.3 Right to Information of the Data Subject according to Art. 15 GDPR
A data subject has the right to obtain confirmation from the controller as to whether personal data concerning them is being processed. If this is the case, they have the right to access this personal data, as well as additional information as described in Art. 15 GDPR.
Please note that the controller can only provide information if there are no concerns about the identity of the data subject. The controller will use all reasonable means to verify the identity of a data subject seeking information.
24.4 Right to Rectification according to Art. 16 GDPR
A data subject has the right to request the correction of inaccurate personal data concerning them from the controller without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
24.5 Right to Erasure according to Art. 17 GDPR
A data subject has the right to request the erasure of personal data concerning them without undue delay, and the controller is obligated to erase personal data without undue delay if the conditions listed in Art. 17 GDPR are met.
24.6 Right to Restriction of Processing according to Art. 18 GDPR
The data subject has the right to request the restriction of processing from the controller if the conditions specified in Art. 18 GDPR are met.
24.7 Right to Data Portability according to Art. 20 GDPR
A data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format, and have the right to transmit this data to another controller, as described in Art. 20 GDPR, provided the conditions specified in Art. 20 GDPR are met.
24.8 Right to Object according to Art. 21 GDPR
A data subject has the right to object at any time, for reasons arising from their particular situation, to the processing of personal data concerning them based on Art. 6(1)(e) GDPR (processing is carried out in the public interest or in the exercise of official authority) or Art. 6(1)(f) GDPR (processing is based on legitimate interests pursued by the controller or a third party). In such cases, the controller shall no longer process the personal data unless compelling legitimate grounds for the processing override the interests, rights, and freedoms of the data subject or the processing serves the establishment, exercise, or defense of legal claims.
24.9 Right to Object according to Art. 13(2)(c) GDPR
If the processing of personal data of a data subject by the controller is based on Art. 6(1)(a) GDPR (the data subject has given consent to the processing of their personal data for one or more specific purposes) or Art. 9(2)(a) GDPR (the data subject has given consent to the processing of their special categories of personal data for one or more specific purposes), the data subject has the right to withdraw their consent at any time without affecting the lawfulness of the processing based on consent before its withdrawal.
You can declare your withdrawal by mail or email. The contact address can be found in section 4 of this statement. For all requests under Articles 15-21 of the GDPR related to your customer account, please address them directly to: firstname.lastname@example.org.
25. Right to Lodge a Complaint with a Supervisory Authority according to Art. 77 GDPR
Any data subject has the right to lodge a complaint with a supervisory authority, without prejudice to any other administrative or judicial remedy, if the data subject considers that the processing of personal data concerning them violates the GDPR. Typically, you can contact the supervisory authority of your habitual residence, place of work, or the location of the alleged infringement.
The supervisory authority to which the complaint has been submitted shall inform the complainant about the progress and the outcome of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.
The supervisory authority responsible for Südwestdeutsche Salzwerke AG is: The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Physical Address: Mailing Address:
Lautenschlagerstraße 20 Postfach 10 29 32
70173 Stuttgart 70025 Stuttgart
For more information, you can visit www.baden-wuerttemberg.datenschutz.de.
As of: November 2023
Privacy Information for Visitors to the Salt Mine in Berchtesgaden and the Old Saltworks in Bad Reichenhall
According to the regulations of the General Data Protection Regulation (GDPR),
Simply click on the button below labeled "Privacy Information.pdf" to view the privacy information for visitors to our two excursion destinations.