Privacy Policy

Last amended: 20/07/2020

Introduction

The protection of your personal data is important to us. As such, this privacy policy details what data relating to your visit are used and for which purposes. If you still have questions about how your personal data are handled, please do not hesitate to contact our data protection officer. It might become necessary to make changes to our privacy policy in light of continuous technological advancements, changes to our services or the legal framework or for any other reason. Therefore, we reserve the right to amend this privacy policy at any time and recommend that you revisit it regularly to see the latest version.

View current settings

 

 

Controller / DPO

Controller

Data protection officer
of the controller

Bayerische Zugspitzbahn Bergbahn AG
Olympiastraße 27
82467 Garmisch-Partenkirchen
Germany

Represented by the Management Board
Matthias Stauch

E-mail: zugspitzbahn@zugspitze.de

Bayerische Zugspitzbahn Bergbahn AG
Data protection officer
Olympiastraße 27
82467 Garmisch-Partenkirchen
Germany

E-mail: datenschutz@zugspitze.de

 

General collection of data when you visit our website

When you use our website for informational purposes only, we only collect the personal data that your browser sends to our server. If you want to view our website, we collect the following data which are technically necessary for us to display our website for you and ensure that it remains stable and secure (the legal ground is our legitimate interest pursuant to point (f) of Article 6(1) GDPR). With regard to the balance of interests in accordance with point (f) of Article 6(1) GDPR, we have taken account of and balanced our interest in providing the website and your interest in having your personal data processed in a manner consistent with the data protection regulations. As the following data which are necessary for providing our service are sometimes technically necessary in order to provide you with our website and ensure that it remains stable and secure, especially to protect it against misuse, we have concluded that the data can be processed – with state-of-the-art safeguards in place – in a manner that adequately takes account of your interest in having your data processed in a manner consistent with the data protection regulations. :

Data

Purpose of processing

Duration of storage

Your operating system

To evaluate your device in order to optimise how the website is displayed

The data are erased at the end of each session. IP addresses are erased after seven days at the latest.

Information about your browser type and version

To evaluate your browser in order to optimise our website for it

Your Internet service provider

To identify your Internet service provider

IP address

To display the website on the device in question

Date and time the website was accessed

To ensure that the website runs properly

Manufacturer and model of your smartphone, tablet or other end devices (if applicable)

To identify the device manufacturers and types of mobile device for statistical purposes

Log files

To ensure that the website runs properly

 

The collection of the data in order to make the website available and the storage of the data in log files is absolutely necessary for the operation of the website. Therefore, you have no right to object.

General information about the legal grounds for processing, erasing and deactivating cookies

Unless indicated otherwise in this privacy policy, the following applies to the legal grounds in accordance with point (c) of Article 13(1) GDPR:

  • point (a) of Article 6(1) GDPR and Article 7 GDPR apply if consent is granted
  • point (b) of Article 6(1) GDPR applies for the purposes of performing a contract or taking steps prior to entering into a contract
  • point (c) of Article 6(1) GDPR applies for the purposes of complying with a legal obligation
  • point (f) of Article 6(1) GDPR applies for the purposes of pursuing legitimate interests.

As a rule, tracking tools are used in accordance with point (a) (consent) and/or point (f) (legitimate interest) of Article 6(1) GDPR.
In the sense of the GDPR, we have a legitimate interest in marketing and improving our services and our website. Where our processing is based on a legitimate interest, personal data are generally pseudonymised.
Unless indicated otherwise in this privacy policy, the personal data we process are erased or restricted in accordance with Articles 17 and 18 GDPR. Personal data are erased when they are no longer necessary for the purposes for which they were collected or otherwise processed and their erasure does not conflict with any statutory duties of storage. Processing shall be restricted if the personal data cannot be erased but are strictly necessary for other purposes, especially compliance with duties under tax or commercial law. Generally speaking, cookies can also be deactivated or rejected as a general rule. One option is to visit http://www.youronlinechoices.com/. You can also deactivate cookies in your browser settings.

Cookies – General information Our website uses cookies

Cookies are text files which are stored in or by the Internet browser on the computer of the user. When the user visits a website, a cookie can be installed on the operating system of the user. This cookie contains a distinctive character string that makes it possible to unequivocally identify the browser when it visits the website again.
Cookies – Different types of cookie

a) Technically necessary cookies

We use cookies to make our website more user-friendly. Some elements of our website require the visiting browser to be identifiable even after a change of page.
Technically necessary cookies are not strictly necessary in order to display the website. However, certain features of the website such as the contact form do not work properly without these cookies. Consequently, you have no right to object to these cookies but can change the settings in your browser to deactivate them.
We process your personal data on the basis of point (f) of Article 6(1) GDPR. Technically necessary cookies are necessary for us to be able to provide you with the service and are therefore limited to the most necessary cookies. As such, when you want to use our service, your interests are in alignment with ours. We store cookies for up to one year.

b) Cookies for coverage measurement

Coverage measurement cookies collect information on how our website is used. These cookies do not store any information that can be used to identify a user. The collected information is always aggregated and is therefore anonymous when analysed.
As a rule, coverage measurement cookies are used in accordance with point (a) (consent) and/or point (f) (legitimate interest) of Article 6(1) GDPR.

Google Analytics

This website uses Google Analytics, a Web analysis service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses cookies; these are text files which are stored on your computer and make it possible to analyse how you use the website.
The information generated by the cookie about your use of this website is normally sent to a Google server in the USA and stored there. However, as IP anonymisation is active on our website, Google will shorten your IP address in advance within the Member States of the EU or other signatories to the Treaty on the European Economic Area. Only in exceptional cases is the full IP address sent to a Google server in the USA and shortened there. Your IP address sent by your browser through Google Analytics will not be associated with any other data held by Google. Google will use this information on behalf of the operator of this website for the purposes of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and Internet usage. We also have a legitimate interest in processing data for these purposes. Section 15(3) of the German Telemedia Act (TMG) and point (f) of Article 6(1) GDPR serve as the legal grounds for the use of Google Analytics. The data we send which are associated with cookies, user IDs or advertising IDs are erased automatically after 14 months. All data whose storage period has expired are erased automatically once a month. For more information on terms of service and data protection, please visit https://www.google.com/analytics/terms/us.html and https://www.google.de/intl/en-GB/policies/.
You can prevent cookies from being stored in the cookie banner under “Settings” when you first visit the website. You can also prevent the installation of cookies by adjusting the settings of your browser software accordingly. However, we would like to point out that, if you should choose to do so, you might not be able to use all of the features of this website. Additionally, you can prevent Google from collecting or processing the data generated by the cookie concerning your use of our website (including your IP address) by downloading and installing the browser add-on. Opt-out cookies prevent the collection of your data when you visit this website in future.

Orders in our online shop

You can also purchase various souvenirs, tickets, vouchers and events in our dedicated online shops by submitting orders to us.
The data we process include inventory data, communication data, contract data and payment data; the data subjects include our customers, potential customers and other business partners. We process the data in order to perform contractual services in connection with the operation of an online shop, billing, shipping and customer services. In the process, we use session cookies to store the contents of the basket and persistent cookies to store your log-in status.
Naturally, you can read information about our products on our website without having to make a purchase.
If you opt to purchase one or more articles, they are first added to a basket. You can purchase any item without requiring a customer account. Alternatively, you can create a customer account for online ticketing. When you register, you will be notified of what information must be provided.
After selecting your items, you will need to enter the necessary delivery and billing information. As a customer, you can of course also select customer details which have been saved from a previous order. You will then need to choose your preferred delivery service and payment method. A summary of the order details will then appear for you to confirm.
When you confirm the order details, you will be redirected to your chosen payment method so you can make the payment. The order will then be complete and you will receive an e-mail confirming your order.
We process your personal data here on the basis of point (b) of Article 6(1) GDPR. Your personal data shall be erased when our statutory storage obligations expire, i.e. after ten years at the latest.

Payment service providers: PayPal

If you select the payment service provider PayPal during the order process, your data shall be transferred to the payment service provider automatically. By selecting PayPal as a payment option, you consent to the transfer of personal data as necessary in order to process the payment. The provider is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg. Data which are necessary in order to process the payment shall be transferred. This includes, for example, your first name, surname, address, e-mail address, IP address, phone number, mobile phone number and order details. The privacy policy of PayPal is available at https://www.paypal.com/uk/webapps/mpp/ua/privacy-full. You will also find information there about the length of time for which the service provider will store your data. You can withdraw your consent from PayPal at any time. You cannot revoke data which are strictly necessary in order to process the payment. PayPal does not share your payment data with us.
We process your personal data here on the basis of point (b) of Article 6(1) GDPR. Your personal data shall be erased when our statutory storage obligations expire, i.e. after ten years at the latest.

Payment service providers: Wirecard

If you opt to pay by credit card during the order process, your data shall be transferred to the payment service provider automatically. By selecting a credit card as a payment option, you consent to the transfer of personal data as necessary in order to process the payment. The service is provided by Wirecard Central Eastern Europe GmbH, Reininghausstrasse 13a, 8020 Graz, Austria. Data which are necessary in order to process the payment shall be transferred. This includes, for example, your first name, surname, address, e-mail address, IP address, phone number, mobile phone number and order details. The privacy policy of Wirecard is available at https://www.wirecard.at/en/privacy-policy/. You will also find information there about the length of time for which the service provider will store your data. You can withdraw your consent from Wirecard at any time. You cannot revoke data which are strictly necessary in order to process the payment. Wirecard does not share your payment data with us.
We process your personal data here on the basis of point (b) of Article 6(1) GDPR. Your personal data shall be erased when our statutory storage obligations expire, i.e. after ten years at the latest.

Newsletter

If you subscribe to our newsletter, we will send you a newsletter containing news and current information about our mountains.
We use the double opt-in procedure for newsletter subscriptions. This means that after you enter your e-mail address, we will send a confirmation e-mail to that address prompting you to confirm that you wish to receive the newsletter. If you do not provide confirmation within 24 hours, your subscription will be deleted automatically.
If you confirm that you do wish to receive the newsletter, we shall store your e-mail address until you unsubscribe from the newsletter. The sole purpose of storing your e-mail address is to send you the newsletter. Furthermore, when you subscribe and confirm your subscription, we shall store your IP addresses and the dates and times in order to prevent your personal data from being misused. Only your e-mail address is mandatory information for subscribing to the newsletter. Other details which are marked separately are voluntary and shall only be used to personalise the newsletter. These data too shall be erased completely when you unsubscribe. You can unsubscribe from the newsletter at any time. You can unsubscribe by clicking on the link in each newsletter e-mail, sending an e-mail to our address or sending a message to our data protection officer. We shall not share the data you provide with third parties. We process your data in connection with our newsletter on the basis of your consent (point (a) of Article 6(1) GDPR).
We base the double opt-in procedure on a legitimate interest pursuant to point (f) of Article 6(1) GDPR as we are required to keep evidence that you have given consent (Article 7(1) GDPR).

Consent to direct advertising pursuant to Section 7(3) of the German Act against Unfair Competition (UWG)

We shall use the e-mail address we collect when you purchase a good or service on our website to send direct advertising for our own and similar products and/or services. If you no longer wish to receive direct advertising, you can object to the use of your e-mail address for this purpose at any time. Every newsletter contains an unsubscribe link for this purpose.

Integration of third-party content

Our website contains third-party content such as the Facebook page facebook.com/zugspitze.de, YouTube videos, online catalogues from Issuu, maps and route calculation tools from Google Maps and images from other websites on the basis of point (f) of Article 6(1) GDPR. One prerequisite is always that the providers of this content (“third-party providers”) obtain your IP address. Without your IP address, they cannot send the content to your browser. Consequently, the IP address is necessary in order to display this content. We endeavour only to use content whose providers only use IP addresses to deliver the content. However, we have no control over whether the third-party providers store the IP address, e.g. for statistical purposes. Where we have knowledge of this, we shall notify you.
The third-party content is not incorporated into our website directly. In particular, this has been done to prevent the third-party providers from profiling. If you wish to see third-party content regardless, you must first click on the preview image (this is known as a two-click solution). Only after you have acknowledged the notice or logged in can you view the content. Data are only transferred at this point.

Facebook “Like” button – Two-click solution

This website uses the Facebook “Like” button in the form of plug-ins. You can use this button to show that you like our products and services on Facebook. For more data security, we use the buttons as a modified “two-click solution” by means of the jQuery plugin Social Share Privacy from Heise.de. Deviating from Facebook’s standard practice, personal data are only sent to Facebook after you voluntarily activate the plug-in by clicking on the button and not simply when you visit the website. After you activate the plug-in, your browser will establish a direct connection with Facebook and send your IP address along with the information that you have visited our page. If you are logged in on Facebook at the same time, Facebook will associate the data with your profile and you can share links to content on our website there.

Social bookmarks

Our website contains social bookmarks (e.g. from Facebook, Twitter and YouTube). Social bookmarks are online bookmarks with which the users of such a service can collect links and notification messages. These are integrated into our website only as links to the corresponding services.  When you click on the embedded image, you will be redirected to the website of that provider; user information is only transferred to that provider at this point. For information about how your personal data are handled when you use these websites, please see the privacy policy of each provider.

Contact form

You can contact us at our e-mail address or by using our contact form.
Naturally, we shall only use the personal data transferred to us in this manner for the purpose for which you sent them to us when you contacted us. If we ask for information which is not necessary in order to contact us in our contact form, it shall always be marked as optional. We use this information to make your enquiry more specific and improve how it is handled. This information is always provided on an expressly voluntary basis and with your consent. If the information is about communication channels (e.g. your e-mail address or phone number), you also authorise us to potentially contact you on those communication channels in order to respond to your enquiry. Naturally, you can withdraw this consent at any time with future effect. If you wish to do so, please contact our data protection officer.
We can also process your personal data in order to process enquiries on the basis of point (b) of Article 6(1) GDPR. Otherwise, we provide the contact form as we have a legitimate interest in simple, secure communication (point (f) of Article 6(1) GDPR). After we have responded to your enquiry, we shall erase the data if they are no longer necessary and we are not prevented from doing so by any statutory obligations to store the data.

Applications

You can apply to our company electronically. We shall only use your data to process your application and shall not share them with third parties (Section 26 of the German Federal Data Protection Act (BDSG)). Please note that unencrypted e-mails are not secure against third parties when sent.
If you apply using our portal for applicants, your data will be encrypted and then sent to us. In this regard, we shall process your application using the application management system provided by rexx systems GmbH (Süderstrasse 77, 20097 Hamburg) in particular. This company acts as a processor in the sense of Article 28 GDPR.
At the moment, we do not provide any means of sending us applications by encrypted e-mail. As such, it is always possible that unauthorised third parties might gain access to your application documents while they are being sent. Please therefore only send us your application by e-mail if you are aware of this risk.
If we do not offer you employment, your personal data shall be erased after six months at most unless you have given your express consent to allow us to store the data for longer.
If an employment relationship is established between us, in accordance with Section 26(1) BDSG, we can continue to process the personal data we have already received from you if necessary in order to execute or terminate the employment relationship or exercise or fulfil the rights and duties to represent the interests of our employees arising from a law or collective agreement

Disclosure of data

Your personal data shall not be shared with third parties for any other purpose than those described in this privacy policy.
We shall only share your personal data with third parties if

  • you have given your express consent;
  • the disclosure is necessary for the establishment, exercise or defence of legal claims and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data;
  • we have a legal obligation to disclose the data;
  • the disclosure is legally admissible and necessary in order to execute contractual relationships with you.

Unless we are permitted to do so by law or a contract, we only process data or have data processed in a third country if the specific requirements of Article 44 ff. GDPR have been met. This means, for example, that data are processed on the basis of special guarantees such as the officially recognised identification of a level of data protection befitting the European Union, or with consideration for special contractual obligations (known as standard contractual clauses).

Rights of the data subject

Every data subject has the right to access information pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR. The right to access information and the right to erasure are subject to the restrictions of Sections 34 and 35 BDSG.

Right to complain

Additionally, you are entitled to file a complaint about our processing of your personal data with the relevant supervisory authority.

Withdrawing consent

You can withdraw consent which you have given to the processing of personal data at any time. This also applies to withdrawing consent given to us before 25 May 2018 when the GDPR took effect. Please note that the withdrawal is only effective going forward. It does not affect processing which took place before your withdrawal of consent.

Your right in cases of data processing for direct marketing purposes

Pursuant to Article 21(2) GDPR, you have the right to object to processing of personal data concerning you at any time. If you object to processing for direct marketing purposes, we shall no longer process your personal data for such purposes. Please note that the objection is only effective going forward. It does not affect processing which took place before you withdrew your consent.

Right to object to processing based on a balance of interests

Where we process your personal data on the basis of a balance of interests, you can object to the processing. If you exercise your right to object, please provide us with the reasons why we should no longer process your personal data as described in this privacy policy. If you file a legitimate objection, we shall examine the case and either discontinue processing the data, change how we process the data or provide you with an explanation of our compelling legitimate grounds.

Links to other websites

Our website can contain links to other websites owned by other providers. Please note that this privacy policy only applies to the website owned by our company. We have no influence or control over whether or not other providers comply with the relevant data protection regulations.

Amendments to the privacy policy

We reserve the right to alter this privacy policy at any time, with consideration for the applicable data protection regulations.