Privacy Policy
Introduction
The protection of your personal data is important to us. As such, this privacy policy details what data relating to your visit are used and for which purposes. If you still have questions about how your personal data are handled, please do not hesitate to contact our data protection officer. It might become necessary to make changes to our privacy policy in light of continuous technological advancements, changes to our services or the legal framework or for any other reason. Therefore, we reserve the right to amend this privacy policy at any time and recommend that you revisit it regularly to see the latest version.
Verantwortlicher / Datenschutzbeauftragter
Controller | Data protection officer of the controller |
Bayerische Zugspitzbahn Bergbahn AG Represented by the Management Board E-mail: zugspitzbahn@zugspitze.de |
Bayerische Zugspitzbahn Bergbahn AG E-mail: datenschutz@zugspitze.de |
When you use our website for informational purposes only, we only collect the personal data that your browser sends to our server. If you want to view our website, we collect the following data which are technically necessary for us to display our website for you and ensure that it remains stable and secure (the legal ground is our legitimate interest pursuant to point (f) of Article 6(1) GDPR). With regard to the balance of interests in accordance with point (f) of Article 6(1) GDPR, we have taken account of and balanced our interest in providing the website and your interest in having your personal data processed in a manner consistent with the data protection regulations. As the following data which are necessary for providing our service are sometimes technically necessary in order to provide you with our website and ensure that it remains stable and secure, especially to protect it against misuse, we have concluded that the data can be processed – with state-of-the-art safeguards in place – in a manner that adequately takes account of your interest in having your data processed in a manner consistent with the data protection regulations.
Data |
Purpose of processing |
Duration of storage |
Your operating system |
To evaluate your device in order to optimise how the website is displayed |
The data are erased at the end of each session. IP addresses are erased after seven days at the latest. |
Information about your browser type and version |
To evaluate your browser in order to optimise our website for it |
|
Your Internet service provider |
To identify your Internet service provider |
|
IP address |
To display the website on the device in question |
|
Date and time the website was accessed |
To ensure that the website runs properly. |
|
Manufacturer and model of your smartphone, tablet or other end devices (if applicable) |
To identify the device manufacturers and types of mobile device for statistical purposes |
|
Log files |
To ensure that the website runs properly |
The collection of the data in order to make the website available and the storage of the data in log files is absolutely necessary for the operation of the website. Therefore, you have no right to object.
Unless indicated otherwise in this privacy policy, the following applies to the legal grounds in accordance with point (c) of Article 13(1) GDPR:
- point (a) of Article 6(1) GDPR and Article 7 GDPR apply if consent is granted
- point (b) of Article 6(1) GDPR applies for the purposes of performing a contract or taking steps prior to entering into a contract
- point (c) of Article 6(1) GDPR applies for the purposes of complying with a legal obligation
- point (f) of Article 6(1) GDPR applies for the purposes of pursuing legitimate interests.
As a rule, tracking tools are used in accordance with point (a) (consent) and/or point (f) (legitimate interest) of Article 6(1) GDPR.
In the sense of the GDPR, we have a legitimate interest in marketing and improving our services and our website. Where our processing is based on a legitimate interest, personal data are generally pseudonymised.
Unless indicated otherwise in this privacy policy, the personal data we process are erased or restricted in accordance with Articles 17 and 18 GDPR. Personal data are erased when they are no longer necessary for the purposes for which they were collected or otherwise processed and their erasure does not conflict with any statutory duties of storage. Processing shall be restricted if the personal data cannot be erased but are strictly necessary for other purposes, especially compliance with duties under tax or commercial law. Generally speaking, cookies can also be deactivated or rejected as a general rule. One option is to visit http://www.youronlinechoices.com/. You can also deactivate cookies in your browser settings.
Cookies are text files which are stored in or by the Internet browser on the computer of the user. When the user visits a website, a cookie can be installed on the operating system of the user. This cookie contains a distinctive character string that makes it possible to unequivocally identify the browser when it visits the website again.
We use cookies to make our website more user-friendly. Some elements of our website require the visiting browser to be identifiable even after a change of page.
Technically necessary cookies are not strictly necessary in order to display the website. However, certain features of the website such as the contact form do not work properly without these cookies. Consequently, you have no right to object to these cookies but can change the settings in your browser to deactivate them.
We process your personal data on the basis of point (f) of Article 6(1) GDPR. Technically necessary cookies are necessary for us to be able to provide you with the service and are therefore limited to the most necessary cookies. As such, when you want to use our service, your interests are in alignment with ours. We store cookies for up to one year.
Coverage measurement cookies collect information on how our website is used. These cookies do not store any information that can be used to identify a user. The collected information is always aggregated and is therefore anonymous when analysed.
As a rule, coverage measurement cookies are used in accordance with point (a) (consent) and/or point (f) (legitimate interest) of Article 6(1) GDPR.
Google Analytics
This website uses Google Analytics, a Web analysis service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Responsible for users in the EU / EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
Google Analytics uses so-called "cookies", text files that are stored on your computer and that enable your use of the website to be analyzed. The information generated by the cookie about your use of this website is normally sent to a Google server in the USA and stored there. However, as IP anonymisation is active on our website, Google will shorten your IP address in advance within the Member States of the EU or other signatories to the Treaty on the European Economic Area. Only in exceptional cases is the full IP address sent to a Google server in the USA and shortened there. Insofar as data is processed outside the EU/EEA, we have concluded the standard data protection clauses adopted by the EU Commission in accordance with Art. 46 GDPR with the service provider in order to establish a secure level of data protection, which permits the transfer of personal data to a third country in individual cases.
Your IP address sent by your browser through Google Analytics will not be associated with any other data held by Google. Google will use this information on behalf of the operator of this website for the purposes of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and Internet usage. The data we send which are associated with cookies, user IDs or advertising IDs are erased automatically after 14 months. All data whose storage period has expired are erased automatically once a month. The legal basis for the described data processing is your consent, Art. 6 para. 1 p. 1 lit. a GDPR. You can give this consent during your first visit to the website. If you have already consented, you can revoke your consent at any time by changing the selection under "Cookie settings". You can find the link to the cookie settings at the bottom of this website. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google and the processing of this data by Google by downloading and installing the browser add-on. Opt-out cookies prevent the future collection of your data when visiting this website. For more information on the terms of use and privacy, please visit https://www.google.com/analytics/terms/de.html or https://policies.google.com/?hl=de.
You can also purchase various souvenirs, tickets, vouchers and events in our dedicated online shops by submitting orders to us.
The data we process include inventory data, communication data, contract data and payment data; the data subjects include our customers, potential customers and other business partners. We process the data in order to perform contractual services in connection with the operation of an online shop, billing, shipping and customer services. In the process, we use session cookies to store the contents of the basket and persistent cookies to store your log-in status.
Naturally, you can read information about our products on our website without having to make a purchase.
If you opt to purchase one or more articles, they are first added to a basket. You can purchase any item without requiring a customer account. Alternatively, you can create a customer account for online ticketing. When you register, you will be notified of what information must be provided.
After selecting your items, you will need to enter the necessary delivery and billing information. As a customer, you can of course also select customer details which have been saved from a previous order. You will then need to choose your preferred delivery service and payment method. A summary of the order details will then appear for you to confirm.
When you confirm the order details, you will be redirected to your chosen payment method so you can make the payment. The order will then be complete and you will receive an e-mail confirming your order.
We process your personal data here on the basis of point (b) of Article 6(1) GDPR. Your personal data shall be erased when our statutory storage obligations expire, i.e. after ten years at the latest.
We use the services of the payment service provider PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt am Main, Germany, offering the payment methods "credit card" (for ticket purchases, event bookings and voucher purchases), "PayPal" and "Sofortüberweisung" (for ticket purchases and event bookings). For these payment methods, your data required in connection with the purchase for payment processing (such as inventory data (name, address, contact details) and contract data (such as order details), are transmitted to PAYONE. The transfer of your data takes place exclusively for the purpose of payment processing. The legal basis is Art. 6 para. 1 p. 1 lit. b GDPR. PAYONE will not pass on your payment data to us. For further information on data protection, please refer to PAYONE's privacy policy. (Link https://www.payone.com/DE-de/dsgvo#andere-zahlverfahren-mit-karte)
When paying by credit card (tickets/events/vouchers), your data will be processed by PAYONE for the purpose of payment processing vis-à-vis the credit institution commissioned with the payment in each case. We do not get access to your full credit card information. Information on data processing by the respective issuing credit institutions and credit card providers.
If you select payment via PayPal, your data will be transmitted to the payment service provider PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg - for ticket purchases and event bookings through PAYONE and for voucher purchases directly through our online store. Your data will only be passed on for the purpose of payment processing and only to the extent necessary for this purpose. The legal basis is Art. 6 para. 1 p. 1 lit. b GDPR. When paying with PayPal, the bank data you have deposited with PayPal will be used by PayPal for payment. For more information on data protection, please refer to PayPal's privacy policy (https://www.paypal.com/de/webapps/mpp/ua/privacy-full).
If you choose the payment method "Instant bank transfer", your data will be transmitted to the payment service provider SOFORT GmbH, Theresienhöhe 12, 80339 Munich, Germany - for ticket purchases and event bookings through PAYONE and for voucher purchases directly through our online store. SOFORT is part of the Klarna Group (Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden). SOFORT offers a direct transfer procedure, where the transfer is filled out during the order process and executed for you by SOFORT vis-à-vis your bank. Your data will only be passed on for the purpose of payment processing and only to the extent necessary for this purpose. The legal basis is Art. 6 para. 1 p. 1 lit. b GDPR. For further information on data protection, please refer to Klarna's privacy policy (https://www.klarna.com/de/datenschutz/).
If you subscribe to our newsletter, we will send you a newsletter containing news and current information about our mountains.
We use the double opt-in procedure for newsletter subscriptions. This means that after you enter your e-mail address, we will send a confirmation e-mail to that address prompting you to confirm that you wish to receive the newsletter. If you do not provide confirmation within 24 hours, your subscription will be deleted automatically.
If you confirm that you do wish to receive the newsletter, we shall store your e-mail address until you unsubscribe from the newsletter. The sole purpose of storing your e-mail address is to send you the newsletter. Furthermore, when you subscribe and confirm your subscription, we shall store your IP addresses and the dates and times in order to prevent your personal data from being misused. Only your e-mail address is mandatory information for subscribing to the newsletter. Other details which are marked separately are voluntary and shall only be used to personalise the newsletter. These data too shall be erased completely when you unsubscribe. You can unsubscribe from the newsletter at any time. You can unsubscribe by clicking on the link in each newsletter e-mail, sending an e-mail to our address or sending a message to our data protection officer. We shall not share the data you provide with third parties. We process your data in connection with our newsletter on the basis of your consent (point (a) of Article 6(1) GDPR).
We base the double opt-in procedure on a legitimate interest pursuant to point (f) of Article 6(1) GDPR as we are required to keep evidence that you have given consent (Article 7(1) GDPR).
We shall use the e-mail address we collect when you purchase a good or service on our website to send direct advertising for our own and similar products and/or services. If you no longer wish to receive direct advertising, you can object to the use of your e-mail address for this purpose at any time. Every newsletter contains an unsubscribe link for this purpose.
Our website contains third-party content such as the Facebook page facebook.com/zugspitze.de, YouTube videos, online catalogues from Issuu, maps and route calculation tools from Google Maps and images from other websites on the basis of point (f) of Article 6(1) GDPR. One prerequisite is always that the providers of this content (“third-party providers”) obtain your IP address. Without your IP address, they cannot send the content to your browser. Consequently, the IP address is necessary in order to display this content. We endeavour only to use content whose providers only use IP addresses to deliver the content. However, we have no control over whether the third-party providers store the IP address, e.g. for statistical purposes. Where we have knowledge of this, we shall notify you.
The third-party content is not incorporated into our website directly. In particular, this has been done to prevent the third-party providers from profiling. If you wish to see third-party content regardless, you must first click on the preview image (this is known as a two-click solution). Only after you have acknowledged the notice or logged in can you view the content. Data are only transferred at this point.
This website uses the Facebook “Like” button in the form of plug-ins. You can use this button to show that you like our products and services on Facebook. For more data security, we use the buttons as a modified “two-click solution” by means of the jQuery plugin Social Share Privacy from Heise.de. Deviating from Facebook’s standard practice, personal data are only sent to Facebook after you voluntarily activate the plug-in by clicking on the button and not simply when you visit the website. After you activate the plug-in, your browser will establish a direct connection with Facebook and send your IP address along with the information that you have visited our page. If you are logged in on Facebook at the same time, Facebook will associate the data with your profile and you can share links to content on our website there.
Our website contains social bookmarks (e.g. from Facebook, Twitter and YouTube). Social bookmarks are online bookmarks with which the users of such a service can collect links and notification messages. These are integrated into our website only as links to the corresponding services. When you click on the embedded image, you will be redirected to the website of that provider; user information is only transferred to that provider at this point. For information about how your personal data are handled when you use these websites, please see the privacy policy of each provider.
You can contact us at our e-mail address or by using our contact form.
Naturally, we shall only use the personal data transferred to us in this manner for the purpose for which you sent them to us when you contacted us. If we ask for information which is not necessary in order to contact us in our contact form, it shall always be marked as optional. We use this information to make your enquiry more specific and improve how it is handled. This information is always provided on an expressly voluntary basis and with your consent. If the information is about communication channels (e.g. your e-mail address or phone number), you also authorise us to potentially contact you on those communication channels in order to respond to your enquiry. Naturally, you can withdraw this consent at any time with future effect. If you wish to do so, please contact our data protection officer.
We can also process your personal data in order to process enquiries on the basis of point (b) of Article 6(1) GDPR. Otherwise, we provide the contact form as we have a legitimate interest in simple, secure communication (point (f) of Article 6(1) GDPR). After we have responded to your enquiry, we shall erase the data if they are no longer necessary and we are not prevented from doing so by any statutory obligations to store the data.
You can apply to our company electronically. We shall only use your data to process your application and shall not share them with third parties (Section 26 of the German Federal Data Protection Act (BDSG)). Please note that unencrypted e-mails are not secure against third parties when sent.
If you apply using our portal for applicants, your data will be encrypted and then sent to us. In this regard, we shall process your application using the application management system provided by rexx systems GmbH (Süderstrasse 77, 20097 Hamburg) in particular. This company acts as a processor in the sense of Article 28 GDPR.
At the moment, we do not provide any means of sending us applications by encrypted e-mail. As such, it is always possible that unauthorised third parties might gain access to your application documents while they are being sent. Please therefore only send us your application by e-mail if you are aware of this risk.
If we do not offer you employment, your personal data shall be erased after six months at most unless you have given your express consent to allow us to store the data for longer.
If an employment relationship is established between us, in accordance with Section 26(1) BDSG, we can continue to process the personal data we have already received from you if necessary in order to execute or terminate the employment relationship or exercise or fulfil the rights and duties to represent the interests of our employees arising from a law or collective agreement.
Your personal data shall not be shared with third parties for any other purpose than those described in this privacy policy.
We shall only share your personal data with third parties if
- you have given your express consent;
- the disclosure is necessary for the establishment, exercise or defence of legal claims and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data;
- we have a legal obligation to disclose the data;
- the disclosure is legally admissible and necessary in order to execute contractual relationships with you.
Unless we are permitted to do so by law or a contract, we only process data or have data processed in a third country if the specific requirements of Article 44 ff. GDPR have been met. This means, for example, that data are processed on the basis of special guarantees such as the officially recognised identification of a level of data protection befitting the European Union, or with consideration for special contractual obligations (known as standard contractual clauses).
Every data subject has the right to access information pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR. The right to access information and the right to erasure are subject to the restrictions of Sections 34 and 35 BDSG.
Additionally, you are entitled to file a complaint about our processing of your personal data with the relevant supervisory authority.
You can withdraw consent which you have given to the processing of personal data at any time. This also applies to withdrawing consent given to us before 25 May 2018 when the GDPR took effect. Please note that the withdrawal is only effective going forward. It does not affect processing which took place before your withdrawal of consent.
Pursuant to Article 21(2) GDPR, you have the right to object to processing of personal data concerning you at any time. If you object to processing for direct marketing purposes, we shall no longer process your personal data for such purposes. Please note that the objection is only effective going forward. It does not affect processing which took place before you withdrew your consent.
Where we process your personal data on the basis of a balance of interests, you can object to the processing. If you exercise your right to object, please provide us with the reasons why we should no longer process your personal data as described in this privacy policy. If you file a legitimate objection, we shall examine the case and either discontinue processing the data, change how we process the data or provide you with an explanation of our compelling legitimate grounds.
Our website can contain links to other websites owned by other providers. Please note that this privacy policy only applies to the website owned by our company. We have no influence or control over whether or not other providers comply with the relevant data protection regulations.
We reserve the right to alter this privacy policy at any time, with consideration for the applicable data protection regulations.