Privacy Policy

In this Privacy Policy we inform you which personal data we process for what purpose, how and where, particularly in connection with our ballenberg.ch website and our other offers. This privacy policy also informs you about the rights of persons whose data we process.

For individual or additional offers and services, special, supplementary or other privacy policies as well as other legal documents such as General Terms and Conditions (GTC), Terms of Use or Conditions of Participation may apply.

Our offer is subject to Swiss data protection law as well as any applicable foreign data protection law, in particular that of the European Union (EU) with the General Data Protection Regulation (GDPR). The European Commission acknowledges that Swiss data protection law guarantees adequate data protection.

1. Contact addresses

Responsible for the processing of personal data:

Ballenberg, Swiss Open-Air Museum

Museumsstrasse 100
3858 Hofstetten b. Brienz Schweiz

marketing@ballenberg.ch

We wish to point out that in individual cases other persons may be responsible for the processing of personal data.

Data protection representative in the European Economic Area (EEA)

We have the following data protection representation, in accordance with Art. 27 DSGVO (Art. 27 GDPR), in the European Economic Area (EEA) including the European Union (EU) and the Principality of Liechtenstein, Iceland and Norway as an additional point of contact for supervisory authorities and data subjects for enquiries in connection with the General Data Protection Regulation (GDPR):

VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Germany

info@datenschutzpartner.eu

2. Personal data processing

2.1 Terminology

Personal data are all information that relates to an identified or identifiable person. A data subject is a person about whom personal data are processed. Processing includes any handling of personal data, regardless of the means and procedures used, in particular the storage, disclosure, procurement, collection, erasure, recording, modification, destruction and use of personal data.

The European Economic Area (EEA) includes the European Union (EU) and the Principality of Liechtenstein, Iceland and Norway. The General Data Protection Regulation (GDPR) describes the processing of personal data as processing of personal data.

2.2 Legal bases

We process personal data in accordance with Swiss data protection law, in particular the Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection (OFADP).

We process personal data – if and in so far as the General Data Protection Regulation (GDPR) is applicable – in accordance with at least one of the following legal bases:

  • Art. 6 para. 1 lit. b GDPR for the processing of personal data necessary for the completion of a contract with the data subject and for the implementation of pre-contractual measures.
  • Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data in order to protect our rights or third parties’ rights, unless the fundamental freedoms and rights and interests of the data subject prevail. Legitimate interests include in particular our interest in being able to provide our services permanently, user-friendly, securely and reliably and to advertise them if required, information security and protection against misuse and unauthorised use, the enforcement of our own legal claims and compliance with Swiss law.
  • Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data in order to fulfil a legal obligation to which we are subject under any applicable laws of member states of the European Economic Area (EEA).
  • Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data for the performance of a task in the public interest.
  • Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the data subject.
  • Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data in order to protect vital interests of the data subject or another natural person.

2.3 Type, scope and purpose

We process those personal data that are necessary to make our offer permanent, user-friendly, secure and reliable. Such personal data can fall into the categories of inventory and contact data, browser and device data, content data, metadata, respectively peripheral data and usage data, location data, sales, contract and payment data.

We process personal data for the period of time required for the respective purpose or purposes, or as required by law. Personal data which no longer requires processing will be made anonymous or erased. Persons whose data we process have in principle a right to have it erased.

We process personal data in principle only with the consent of the data subject, unless the processing is permitted for other legal reasons, for example to fulfil a contract with the data subject and for appropriate precontractual measures to protect our predominantly legitimate interests, because the processing is evident from the circumstances or after prior information.

In this context we process in particular information that a data subject voluntarily and personally provides to us when making contact – for example by post, e-mail, contact form, social media or telephone – or when registering for a user account. We may store such information in an address book, in a customer relationship management system (CRM system) or with comparable tools. If you transmit any data about other persons to us, you are obliged to guarantee data protection for other persons and to ensure the accuracy of such personal data.

We also process personal data which we receive from third parties, obtain from publicly accessible sources or collect when providing our offer, only if and in so far as such processing is permitted by law.

2.4 Processing of personal data by third parties, including abroad

We may have personal data processed by commissioned third parties or process it together with third parties or with the help of third parties or transmit it to third parties. Such third parties are in particular providers whose services we use. We also guarantee appropriate data protection for such third parties.

Such third parties are in principle located in Switzerland and in the European Economic Area (EEA). However, such third parties may also be located in other states and territories on earth as well as elsewhere in the universe, provided that their data protection law guarantees adequate data protection according to the assessment of the Federal Data Protection and Information Commissioner (FDPIC) and – if and so far as the General Data Protection Regulation (GDPR) is applicable – according to the assessment of the European Commission, or if adequate data protection is guaranteed for other reasons, for example by a corresponding contractual agreement, in particular on the basis of standard contractual clauses, or by appropriate certification. Exceptionally such a third party may be located in a country without adequate data protection, provided that the data protection law conditions are met, such as the express consent of the data subject.

3. Rights of data subjects

Data subjects whose personal data we process have rights according to Swiss data protection law. These include the right to disclosure as well as the right to correct, erase or block the processed personal data.

Data subjects whose personal data we process may – if and so far as the General Data Protection Regulation (GDPR) is applicable – obtain confirmation free of charge as to whether we are processing their personal data and, if so, request information on the processing of their personal data, have the processing of their personal data restricted, exercise their right to data transferability and have their personal data corrected, erased (“Right to forget”), blocked or supplemented.

Data subjects whose personal data we process may – if and so far as the GDPR is applicable – revoke their consent at any time with effect for the future and object to the processing of their personal data at any time.

Data subjects whose personal data we process have a right of appeal to a competent supervisory authority. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

4. Data security

We take appropriate and suitable technical and organisational measures to ensure data protection and data security in particular. However, despite such measures, the processing of personal data on the Internet can always have security gaps. We can therefore not guarantee absolute data security.

Access to our online offer is carried out by means of transport encryption (SSL / TLS), in particular with the Hypertext Transfer Protocol Secure, abbreviated to HTTPS. The majority of browsers mark transport encryption with a padlock in the address bar.

Access to our online offer is subject to – as in principle every use of the Internet is – mass surveillance. Mass surveillance and other monitoring by security authorities in Switzerland, the European Union (EU), the United States of America (USA) and other countries may occur without due cause and without given suspicion. We cannot have any direct influence on the corresponding processing of personal data by secret services, police forces and other security authorities.

5. Use of the website

5.1 Cookies

We may use cookies for our website. Cookies – both our own cookies (first-party cookies) and cookies from third parties whose services we use (cookies from third parties, respectively third-party cookies) – are data that are stored in your browser. Such stored data need not be limited to traditional text cookies. Cookies cannot execute programmes or transmit malware such as Trojans and viruses.

When you visit our website, cookies can be stored temporarily in your browser as “session cookies” or for a certain period of time as so-called permanent cookies. “Session cookies” are automatically deleted when you close your browser. Permanent cookies have a certain storage period. In particular they make it possible to recognise your browser the next time you visit our website and thus, for example, to measure the reach of our website. Permanent cookies can also be used for online marketing for example.

You can deactivate cookies in your browser settings at any time, either wholly or partially. Without cookies our website may no longer be fully available. We actively ask you – if and where necessary – for your express consent for the use of cookies.

In the case of cookies which are used to measure success and reach or for advertising, a general “opt-out” is possible for many services via the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

5.2 Server logfiles

We may collect the following information each time our website is accessed, as far as this information is transmitted by your browser to our server infrastructure or can be determined by our web server: date and time including time zone, Internet Protocol (IP) address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual sub-pages of our website called up including the amount of data transferred, last website called up in the same browser window (referer/referrer).

We store such information, which may also constitute personal data, in server log files. This information is necessary to make our online service permanent, user-friendly and reliable and to ensure data security and thus in particular the protection of personal data – also by third parties or with the help of third parties.

5.3 Tracking pixels

We may use tracking pixels on our website. Tracking pixels are also known as web beacons. Web beacons are small, usually invisible images that are automatically called up when you visit our website, including those of third parties whose services we use. Tracking pixels can be used to record the same information as in server log files.

6. Notifications and messages

We send notifications and communications such as a newsletter by e-mail and through other means of communication, for example, Instant Messaging.

6.1 Measuring success and reach

Notifications and messages may contain web links or tracking pixels that record whether an individual message was opened and which web links were clicked on. Such web links and tracking pixels can also record the use of notifications and messages on a personal basis. We need this statistical recording of usage to measure success and reach in order to be able to offer notifications and messages effectively and in a user-friendly, permanent, secure and reliable manner based on the needs and reading habits of the recipients.

6.2 Consent and objection

In principle, you must give your express consent to the use of your e-mail address and your other contact addresses unless the use is permitted for other legal reasons. For any consent to receive e-mails we use the “double opt-in” where possible, i.e., you will receive an e-mail with a web link that you must click on to confirm so that no abuse by unauthorised third parties can take place. We may log such consent, including Internet Protocol (IP) address, date and time, for the purpose of evidence and security.

You can in principle unsubscribe from notifications and messages, such as newsletters, at any time. We reserve the right to send notifications and messages that are absolutely necessary for our offer. By unsubscribing, you can in particular object to the statistical recording of usage for measuring success and reach.

6.3 Service provider for notifications and messages

We send notifications and messages about services provided by third parties or with the help of service providers. Cookies may also be used in this process. We guarantee adequate data protection for such services as well.

We use in particular:

Mailchimp: communication platform; provider: The Rocket Science Group LLC d/b/a Mailchimp (USA); data protection information: Privacy Policy, “Mailchimp and European Data Transfers”.

7. Social media

We are present on social media platforms and other online platforms, in order to communicate with interested people and to be able to inform them about our offer. At the same time personal data may also be processed outside Switzerland and the European Economic Area (EEA). 

The General Terms and Conditions (GTC) and Conditions of Use as well as Privacy Policies and other provisions of individual operators of such online platforms also apply in each case.

These provisions provide information in particular about the rights of data subjects which includes in particular the right to disclosure.

We are responsible for our social media presence on Facebook including the so-called page insights, if and in so far as the GDPR is applicable, together with Facebook Ireland Limited in Ireland. Page insights give information on how visitors interact with our Facebook presence. We use page insights to make our social media presence on Facebook effective and user-friendly.

Further information about type, scope and purpose of data processing, information on the rights of data subjects as well as contact data of Facebook and the Facebook privacy officer can be found in Facebook’s Privacy Policy (“Data Policy”). We have concluded with Facebook the so-called “Controller addendum” and have thus agreed in particular that Facebook is responsible for guaranteeing the rights of the data subjects. Corresponding information for the so-called page insights can be found on the pages “Information about page insights” including “Page insights controller addendum” and Facebook “Information about page insights data”.

8. Measuring success and reach

8.1 Google Analytics

We use Google Analytics to analyse how our website is used, whereby we can for instance measure the reach of our website and the success of linking third parties to our website.

This is a service of American Google LLC. Google Ireland Limited is responsible for users in the European Economic Area (EEA) and in Switzerland.

Google also tries to track individual users to our website, when they use different browsers or devices (cross-device tracking). Cookies are also used for this purpose. Google Analytics needs your Internet Protocol (IP) address, but it is not combined with other data from Google.

In any case, we will have your Internet Protocol (IP) address anonymised by Google before the analysis. As a result, your complete IP address is in principle not transmitted to Google in the USA.

We use Google Analytics with Google Signals. This provides us with enhanced statistics about visitors to our website, who have activated personalised advertising as logged-in users of Google. Despite these extended statistics we cannot establish any connection to individual accounts.

Further information on type, scope and purpose of data processing can be found in the Privacy and Security Principles and in the Privacy Policy in each case from Google, in the Google Product Privacy Guide (including Google Analytics), in How Google uses information from sites that use our services and in How Google uses cookies. Furthermore, there is the possibility to use the Google Analytics opt-out browser add-on and also raise an objection to personalized advertising.

8.2 Google Tag Manager

We use Google Tag Manager to integrate and manage analytics or advertising services from Google and also from third parties on our website. This is a service from American Google LLC. For users in the European Economic Area (EEA) and Switzerland the Irish Google Ireland Limited is responsible. No cookies are used, but cookies may be used within the framework of the services integrated and managed by it. We provide information about the processing of personal data by such services in this privacy policy.

9. Third-party services

We use third-party services to make our offer permanent, user-friendly, secure and reliable. Such services also serve to embed content into our website. Such services – for example hosting and storage services, video services and payment services – require your Internet Protocol (IP) address, otherwise such services cannot transmit the corresponding content. Such services may be located outside Switzerland and the European Economic Area (EEA), provided that adequate data protection is guaranteed.

For their own security-relevant, statistical and technical purposes, third parties whose services we use may also process data in connection with our offer and from other sources – including cookies, log files and tracking pixels – in aggregated, anonymised or pseudonymised form.

9.1 Digital infrastructure

We use the services of third parties in order to be able to take advantage of the digital infrastructure required for our services. These include, for example, hosting and storage services from specialised providers.

9.2 Payments

We use payment service providers in order to process payments from our customers securely and reliably. The terms of the relevant payment service provider such as General Terms and Conditions (GTC) or Privacy Policies apply to the processing in every case.

We use in particular:

9.3 Advertising

9.3.1 Facebook Ads

We use Facebook Ads to specifically advertise our products and services on Facebook. Facebook Ads is an offer of Facebook Ireland Ltd. in Ireland respectively of the American Facebook Inc. Facebook Ads also uses cookies.

With such advertising we would like to reach in particular people who are interested in our online offer or who already use our online offer. For this purpose, we transmit, notably with the so-called Facebook-Pixel, corresponding – possibly also personal – data to Facebook (Custom Audiences including Lookalike Audiences). We can also determine whether our advertising is successful, i.e., whether it leads to visits to our websites (Conversion Tracking).

Further information on the type, scope and purpose of data processing can be found in the Facebook “Data policy”. In addition, Facebook users can use their advertising preferences to influence which advertisements they see on Facebook and which advertisements they will see on Facebook in the future.

9.3.2 Google Ads

We use Google Ads (formerly AdWords) to advertise our offer on the Google search engine and elsewhere on the Internet, for example on other websites, among other things on the basis of search queries. Google Ads is an offer from American Google LLC. For users in the European Economic Area (EEA) and Switzerland, Irish Google Ireland Limited is responsible. Google Ads also uses cookies. Google uses various domain names – in particular doubleclick.net, googleadservices.com and googlesyndication.com – for Google Ads.

With such advertising we would like to reach in particular people who are interested in our online offer or who already use our online offer. Therefore, we transmit corresponding – possibly also personal – data to Google (Remarketing). We can also determine whether our advertising is successful, i.e., whether it leads to visits to our website (Conversion Tracking).

Further information about the type, scope and purpose of data processing can be found in the Privacy and Security Principles and in the Privacy Policy in each case from Google, in How Google uses information from sites that use our services and in How Google uses cookies. Furthermore, there is the possibility to raise an objection to personalized advertising.

9.3.3 Instagram Ads

We use Instagram Ads to be able to advertise specifically for our offer on Instagram. Instagram Ads is an offer from Facebook Ireland Limited in Ireland respectively of American Facebook Inc. Cookies can also be used.

With such kind of advertising we would like to reach in particular people who are interested in our online offer or who already use our online offer. For this purpose we transmit corresponding – possibly also personal – data to Facebook (Custom Audiences including Lookalike Audiences) in particular using the so-called Facebook-Pixel. We can also determine whether our advertising is successful, i.e., whether it leads to visits to our website (Conversion Tracking).

Further details about the type, scope and purpose of data processing can be found in the Instagram Data Policy and in the Privacy Policy (Data Policy) of Facebook. In addition, users can use Instagram Ad Preferences to check which interests the advertisement relates to and can use the Facebook Ad Preferences to influence which advertisement is displayed to them.

10. Extensions to the website

We use Google reCAPTCHA to protect input forms from bots and spam, while at the same time enabling reliable input from humans. Cookies can also be used. It is a service of American Google LLC. For users in the European Economic Area (EEA) and Switzerland, the Irish Google Ireland Limited is responsible. Further information on type, scope and purpose of data processing can be found in the Privacy and Security Principles and in the Privacy Policy in each case from Google as well as in How Google uses cookies.

11. Final provisions

We have created this Privacy Policy using the Data Protection Generator from ‘Datenschutzpartner’.

We may amend and supplement this Privacy Policy at any time. We will provide information about such adaptations and additions in a suitable form, in particular by publishing the respective current Privacy Policy on our website.