data protection
Data privacy statement of Heidelberg funicular railways
INFORMATION ON DATA PROTECTION FOR CUSTOMERS OF
STADTWERKE HEIDELBERG
Heidelberg funicular railways (collectively referred to below as “funicular railways”, “we” or “us”) hereby provide information on data privacy, in particular the obligations placed on us in connection with our responsibility in the area of data protection as a result of the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; referred to below as “GDPR”) in order to ensure protection of your personal data (as the data subject, we address you in the following as the “customer”, “user” or “you”, for example). Where we decide, either on our own or together with others, as to the purposes and means of data processing, this first and foremost entails an obligation to inform you in a transparent manner about the type, scope and duration of processing and the applicable legal basis (cf. GDPR, Art. 13 and 14). This statement (referred to in the following as “Stadtwerke Heidelberg Data Privacy Statement”) informs you about how your personal data are processed by our company.
Our Data Privacy Statement is modular in structure. As you may not use all the services, it is possible that not all parts of our Data Privacy Statement are of relevance to you. Please refer to the following breakdown of our Data Privacy Statement to find the parts which are relevant for you:
A. GENERAL
A.1 Terminology
The following terms have the following meanings within the Data Privacy Statement of Heidelberger funicular railways:
- “Personal data” means all information relating to an identified or identifiable natural person (the “data subject”). A person is identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier or location data, or with the aid of information relating to their physical, physiological, genetic, psychological, economic, cultural or social identity characteristics. Identifiability may also be possible via the linking of such information or other, additional knowledge. The form or embodiment of the information or the manner in which it has come about are immaterial (photographs, video or audio recordings may also contain personal data).
- “Processing” refers to any process involving the handling of personal data, be it with or without the aid of automated (i.e. technology-enhanced) processes. In particular, this includes the collection (i.e. procurement), recording, organisation, sorting, storage, adaptation, amendment, read-out, retrieval, use, disclosure through transmission, dissemination or provision by other means, matching, linkage, restriction, erasure or destruction of personal data and the changing of an intended usage or purpose originally specified for an instance of data processing.
- A “controller” is a natural or legal person, authority, institution or other body which, either alone or jointly with others, determines the purposes and means of processing personal data.
- A “third party” is any natural or legal person, authority, institution or other body other than the data subject, the controller, the processor and the persons who are authorised to process the personal data under the direct responsibility of the controller or the processor; this also includes other legal entities belonging to the corporation.
- A “processor” is a natural or legal person, authority, institution or other body which processes personal data on behalf of the controller, in particular in accordance with the latter’s instructions (e.g. IT service provider). For the purposes of data protection law, a processor specifically does not constitute a third party.
A.2. Name and address of the data controller
We, Heidelberger Straßen- und Bergbahn GmbH, Kurfürsten-Anlage 42-50, 69115 Heidelberg, Germany, telephone: 06221 513-0, telefax: 06221 513-3333, e-mail: info@swhd.de, are the body responsible for processing your personal data pursuant to GDPR, Art. 4, no. 7.
Please refer to our Legal information for further information on Heidelberg funicular railways.
A.3. Data protection officer’s contact details
Our company data protection officer is available at all times to answer any questions and attend to any issues relating to the topic of data protection. His contact details are: Stadtwerke Heidelberg GmbH, Kurfürsten-Anlage 42-50, 69115 Heidelberg, Germany, e-mail: datenschutz@swhd.de
A.4. Legal basis for data processing
As a general principle, any processing of personal data is prohibited by law and is only permitted where the data processing is justified according to one of the following provisions:
- a) GDPR Art. 6, para. 1 (a) (“Consent”): Where the data subject has voluntarily, in an informed manner and unequivocally made it known by means of a declaration or any other clearly confirmatory act that they agree to the processing of their personal data for one or more specific purposes;
- b) GDPR Art. 6, para. 1 (b): Where processing is necessary to fulfil a contract to which the data subject is a party or to carry out pre-contractual measures at the data subject’s request;
- c) GDPR Art. 6, para. 1 (c): Where processing is necessary to fulfil a legal obligation applying to the controller (e.g. a legal obligation to preserve records);
- d) GDPR Art. 6, para. 1 (d): Where processing is necessary to protect the vital interests of the data subject or another natural person;
- e) GDPR Art. 6, para. 1 (e): Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
- f) GDPR Art. 6, para. 1 (f) (“Legitimate interests”): Where processing is necessary for the purposes of the legitimate interests (in particular of a legal or economic nature) pursued by the controller or a third party, except where such interests are overridden by the interests or rights of the data subject (in particular when a minor is involved).
The respective legal bases for the processing operations which we carry out are stated below. Several legal bases may also apply to an instance of processing.
A.5. Erasure of data and duration of storage
With regard to the processing operations which we carry out, it is stated below how long the data concerned are stored and when they are erased or blocked. Where no explicit storage period is stated, your personal data will be erased or blocked as soon as the purpose of or legal basis for storage ceases to apply. As a general principle, your data will be stored solely on our servers in Germany, except where they are forwarded in accordance with the provisions specified in A.7. and A.8.
However, storage may continue beyond the specified period in the event of an (impending) legal dispute with you or any other legal process, or where storage is stipulated by legal provisions to which we are subject as the controller (e.g. Section 257 of the German commercial code (HGB), Section 147 of the German tax code (AO)). The personal data will be blocked or erased on expiry of the storage period prescribed by law, except where further storage by our company is necessary and a corresponding legal basis applies.
A.6. Data security
We use suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or against unauthorized access by third parties (e.g. TLS encryption for our website), with due regard to the state of the art, the implementation costs and the nature, scope, context and purpose of processing as well as the existing risks of a data breach (including its probability and impact) for the data subject. Our security measures are subject to ongoing improvement in line with technological developments.
We will be pleased to provide you with further information on request. Please contact our data protection officer in this connection (see under A.3.).
A.7. Cooperation with processors
Like all larger business enterprises, we also use external domestic and foreign service providers to handle our business transactions. These service providers perform their work solely in accordance with our instructions and have been bound by contract to observe the data protection provisions pursuant to GDPR, Art. 28.
Where relevant personal data are forwarded within Stadtwerke Heidelberg as the parent company of Heidelberger Straßen- und Bergbahn (HSB), this takes place for the purposes of the effective performance of tasks and contracts and on the basis of existing contracts on the commissioning of data processing operations (cf. A.1.).
A.8. Conditions pertaining to the transfer of personal data to third countries
In the course of our business relationships, your personal data may be passed on to third-party companies (e.g. IT service providers) and/or disclosed. Such third-party companies may be located outside of the European Economic Area (EEA), that is, in third countries. Such processing takes place solely to fulfil the given contractual and business obligations and to maintain your business relationship with Stadtwerke Heidelberg (the legal basis is provided by GDPR, Art. 6, para. 1 (b) or (f), in each case in conjunction with Art. 44 ff.). The details pertaining to the forwarding of data are presented at the relevant points below.
For some third countries, the European Commission certifies that data protection is comparable to the EEA standard by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here). In other third countries to which personal data may be transferred, a consistently high level of data protection may be lacking due to inadequate legal provisions. In such cases, we ensure that adequate data protection is provided. This is possible via binding company regulations, standard contractual clauses of the European Commission relating to the protection of personal data, certificates, recognized codes of conduct or self-certification via the EU-US Privacy Shield (corresponding information can be found here). Please contact our data protection officer for further information on this matter.
A.9. No automated decision-making (including profiling)
We have no intention of using personal data collected from you for an automated decision-making process (including profiling).
A.10. No obligation to provide personal data
We do not make the conclusion of contracts with us conditional upon you providing us with personal data beforehand. As a customer, you are under no legal or contractual obligation to provide us with your personal data. However, we may be unable or only partially able to provide certain products and services if you fail to submit the data which are necessary to this end. Specific indications are provided where, by way of exception, this applies to our products presented below.
A.11. Legal obligation to transmit certain data
As a business enterprise, we are subject to various legal obligations which may require us to make your lawfully processed data available (GDPR, Art. 6, para. 1 (c)); such obligations may apply under tax law, community financing law or the commercial code, for example.
A.12. Your rights
You can exercise your rights as a data subject in relation to our company at any time, using the contact details stated under A.2. above. As a data subject, you have the right:
- to obtain information about your data which are processed by us, pursuant to GDPR, Art. 15. In particular, you can require information about the purposes of processing, the category of the data, the category of recipients to whom your data have been or are being disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the right to lodge a complaint, the origin of your data, where they have not been collected by us, and information about the existence of any automated decision-making processes, including profiling and, where applicable, meaningful information concerning appurtenant details;
- to request the prompt rectification of any incorrect data or the completion of your data stored by us, pursuant to GDPR, Art. 16;
- to request the erasure of your data stored by us, pursuant to GDPR, Art. 17, except where processing is necessary in order to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
- to require the restriction of processing of your data, pursuant to GDPR, Art. 18, if you contest the accuracy of the data or processing is unlawful;
- to require us to provide you with the data which you have submitted to us in a structured, commonly used and machine-readable format or to transmit such data to another controller, pursuant to GDPR, Art. 20 (“data portability”);
- to object to processing, pursuant to GDPR, Art. 21, where processing takes place on the basis of GDPR, Art. 6, para. 1 (e) or (f). This is the case in particular where processing is not necessary in order to fulfil a contract. Where your objection does not pertain to direct advertising, when lodging such an objection we would request you to state the reasons why we should not process your data as we have done. Where your objection is justified, we will examine the facts of the case and either discontinue or modify the data processing or inform you as to our compelling, legitimate grounds for continuing to carry out processing;
- to withdraw your granted consent – that is, your agreement to the processing of the personal data concerned for one or more specific purposes, which you have expressed voluntarily, in an informed manner and unequivocally – at any time, pursuant to GDPR, Art. 7, para. 3 (including in such cases where consent was granted prior to GDPR entering into force, i.e. before 25 May 2018). We will then no longer be permitted to continue data processing based on this consent in future, and
- to lodge a complaint about the processing of your personal data at our company with a data protection supervisory authority, pursuant to GDPR, Art. 77. The data protection supervisory authority responsible for our company is: The state data protection officer for Baden-Württemberg, Königstrasse 10a, 70173 Stuttgart, e-mail: poststelle@lfd.bwl.de.
A.13. Amendments to the Data Privacy Statement of Heidelberg funicular railways
Our Data Privacy Statement is reviewed on a regular basis in order to assess any requirements for amendments or additional information in the light of developments in the field of data protection law and technological or organisational changes. You will be informed of any changes in particular via this website.
Part | Title | Relevance to you… |
---|---|---|
A | General | ... always relevant. |
B | Web pages and social media content | ... relevant if you use our German internet content, including our social media presence. |
C | Business partners | ... relevant if you wish to cooperate with us as a customer, sales partner, supplier or similar, or if you are already or have been in a business relationship with us. |
D | Video surveillance for security purposes | ... relevant if you use one of our facilities, parts of which are under video surveillance for your and our safety and security. |
B. WEB PAGES
B.1. Explanation of functions
Information about our company and the services we offer is available in particular via this homepage and the appurtenant subpages (jointly referred to below as “web pages”). When you visit our web pages, personal data relating to you may be processed.
B.2. What items of data are processed by our company?
When users visit the web pages for informational purposes, we collect, store and process the following categories of personal data:
“Log data”: When you visit our website, a so-called log data record (so-called server log files) is temporarily stored on our web server in anonymised form. This comprises:
- the site from which the page was requested (so-called referrer URL),
- the date and time when the page was called up,
- the description of the type of web browser used,
- the IP address of the requesting computer
“Contact form data”: When contact forms are used, the resultant transmitted data is processed (e.g. surname and first name, address, company name, e-mail address and the time of transmission).
B.3. For what purpose and on what legal basis (cf. A.4.) are these data processed?
We process the personal data specified above in accordance with the provisions of the GDPR, the other relevant data protection regulations and only to the extent necessary. Where the processing of personal data is based on Art. 6, para. 1 (f) of the GDPR, the stated purposes also represent our legitimate interests.
Processing of the log data serves statistical purposes and to improve the quality of our website, in particular the stability and security of the connection (the legal basis is provided by GDPR, Article 6, para. 1 (f)).
Contact form data are processed in order to attend to customer inquiries (the legal basis is provided by GDPR, Art. 6, para. 1 (a), (b) or (f)).
B.4. Over what period of time will these data be processed?
Processing of your data will only continue for as long as is necessary in order to attain the above-stated purposes of processing; the legal bases specified in relation to the purposes of processing apply accordingly. Please note point A.5. with regard to the use of cookies and their duration of storage.
Third parties whose services are employed by our company will store your data on their systems for as long as is necessary in connection with rendering the services for us under the given contract.
Further information on the duration of storage is to be found under A.5.
B.5. Are these data passed on to third parties and, if so, on what legal basis (cf. A.4.)?
The following categories of recipients, who for the most part take the form of processors (cf. A.7.), may obtain access to your personal data:
- Service providers for the operation of our website and the processing of data stored or transmitted by the systems (e.g. for data centre services, payment transactions, IT security) (where the recipient is not a processor, the legal basis for transfer is provided by GDPR, Art. 6, para. 1 (b) or (f); where the recipient is a processor, the processing contract forms the legal basis);
- state agencies/authorities, insofar as this is necessary to fulfil a legal obligation (in this case, the legal basis for transfer is provided by GDPR, Art. 6, para. 1 (c));
- persons employed to carry out our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in the purchase of companies or the establishment of joint ventures) (in this case, the legal basis is provided by GDPR, Art. 6, para. 1 (b) or (f)).
Beyond this, we will pass on your personal data to third parties only where you have expressly consented to this in accordance with GDPR, Art. 6, para. 1 (a).
Regarding the guarantees of an adequate level of data protection when transferring data to third countries, see A.8.
B.6. Cookies, plugins and other services on our website
B.6.1. Cookies
We use cookies on our web pages. Cookies are small text files which are stored on your hard drive and assigned via a characteristic string to the browser which you use. Certain items of information then flow through the location set by the cookie. Cookies cannot run programs or transmit viruses to your computer and thus do not cause any damage. They serve to make content on the internet more user-friendly and effective overall, thus offering you a more pleasant online experience.
Cookies may contain data which enable the employed device to be recognised. Some cookies simply contain information on certain settings, which cannot be related to any specific individual. Cookies cannot directly identify a user.
A distinction is made between session cookies, which are deleted as soon as you close your browser, and persistent cookies, which are stored beyond the end of the session concerned. In terms of their functions, cookies are distinguished according to the following types:
Technical cookies: These are essential in order to move around the website, to use basic functions and to ensure the security of the website; they do not collect any information about you for marketing purposes, neither do they track which web pages you have visited;
Performance cookies: These collect information about how you use our website, which pages you visit and, for example, whether any errors occur during use of the website; they do not collect any information which could identify you – all the collected information is anonymous and is used solely to improve our website and find out what our users are interested in;
Advertising cookies, targeting cookies: These serve to offer the webpage user bespoke advertising or third-party products and services and to measure the effectiveness of these measures; advertising and targeting cookies are stored for a maximum of 13 months;
Sharing cookies: These serve to improve the interactivity of our website with other services (e.g. social networks); sharing cookies are stored for a maximum of 13 months.
Most browsers accept cookies automatically. You can set your browser so that it informs you about the placement of cookies, however. This makes the use of cookies transparent to you. Via the appropriate user settings, you can also delete cookies at any time and prevent the setting of new cookies; please refer to your browser provider for further information. You can usually deactivate cookies via deactivation links. Please note that our web pages may not be displayed to optimum effect if cookies are deactivated, and some functions may no longer be available for technical reasons.
The cookies specified below are used when you visit our web pages.
B.6.2. Secure web page connection
Your browser uses cookies to establish a secure connection with internet pages which have an “https” URL; data processing thus takes place on the basis of GDPR, Art. 6, para. 1 (f) (and/or Section 15 (3) of the German Telemedia Act (TMG)). There are different versions of cookies for different security levels.
The following cookies are currently used for this purpose:
Name | Purpose | Expires |
---|---|---|
TLSVersion | This provides us with information about the highest TLS version which your browser uses, to enable a decision as to which version is supported. | When you close your browser |
Your selection of cookies
The selection of cookies which you have opted for will be stored for 30 days. If the table below is empty, you have not yet chosen any cookies. Click on the homepage to return to the selection menu.
Date | Categories | Consent |
---|---|---|
B.6.4. YouTube videos
We embed YouTube videos on some subpages of our website. When you call up these subpages, content will be retrieved from YouTube. As a result, YouTube also receives your IP address, which for technical reasons is required in order to retrieve the content. We have no influence over any further processing by YouTube (further information about the purpose and scope of data collection is available here, for example). When embedding the videos, we activated the enhanced data protection mode which is available from YouTube, however. Data processing takes place on the basis of GDPR, Art. 6, para. 1 (f) (and/or Section 15 (3) of the German Telemedia Act (TMG)), as it is not otherwise possible to present the video content.
YouTube sets the following cookies when you visit pages containing YouTube videos:
Name | Purpose | Expires |
---|---|---|
_use_hitbox | This is a randomly generated number which identifies your browser. | When you close your browser |
VISITOR_INFO1_LIVE | This allows YouTube to count the number of views for embedded YouTube videos. | After 9 months |
B.6.5. Plugins
We do not use social media plugins on our websites. Where our web pages include symbols of social media providers (e.g. Xing or Facebook), we use these solely for passive linking to the sites of the respective providers.
C. Business partners
C.1. Explanation
Your personal data may undergo processing if you enter into a business relationship with us as a customer, sales partner, supplier or similar (collectively referred to below as “business partner”), if you are already in a business relationship with us or have had such a relationship with us in the past (collectively referred to below as “cooperation”). With regard to business relationships which have already ended, any processing will concern solely the personal data which is already in our possession.
C.2. Which data do we process?
As part of our cooperation, we collect, store and process the following categories of personal data:
“Log data”: When you visit our website, a so-called log data record (so-called server log files) is temporarily stored on our web server in anonymised form. This comprises:
- the site from which the page was requested (so-called referrer URL),
- the date and time when the page was called up,
- the description of the type of web browser used,
- the IP address of the requesting computer
“Contact data”: Surname and first name of the business partner and, where appropriate, a different contact partner, birthday, (business) address, (business) e-mail address(es), (business) telephone, fax and mobile phone number(s)
C.3. For what purpose and on what legal basis (see A.4.) are these data processed?
We process the personal data specified above in accordance with the provisions of the GDPR, the other relevant data protection regulations and only to the extent necessary. Where the processing of personal data is based on Art. 6, para. 1 (f) of the GDPR, the stated purposes also represent our legitimate interests.
- Processing of the contact data serves primarily to plan, manage and carry out our cooperation with you; in particular, it ensures trouble-free communication and the provision of other services (the legal basis is provided by GDPR, Art. 6, para. 1, sentence 1 (a) and (f)).
C.4. Over what period of time will these data be processed?
Your data will only be processed for as long as this is necessary to achieve the above-stated purposes or to meet statutory retention periods; the legal bases specified in the context of the processing purposes apply accordingly. Advertising measures will not be carried out beyond a period of 1.5 years after the end of the cooperation.
Third parties whose services are employed by our company will store your data on their systems for as long as is necessary in connection with rendering the services for us under the given contract.
Further information on the duration of storage is to be found under A.5.
C.5. Are these data passed on to third parties and, if so, on what legal basis (cf. A.4.)?
The following categories of recipients, who for the most part take the form of processors (cf. A.7.), may obtain access to your personal data:
- Service providers for the operation of our website and the processing of data stored or transmitted by the systems (e.g. for data centre services, payment transactions, IT security) (the legal basis for transfer of the data is provided by the processing contract and/or GDPR, Art. 6, para. 1 (b) or (f));
- state agencies or authorities, insofar as this is necessary to fulfil a legal obligation (the legal basis for transfer of the data is provided by the processing contract and/or GDPR, Art. 6, para. 1 (c));
- persons employed to carry out our business operations, e.g. auditors, banks, insurance companies, legal advisors, mailing service providers or similar (the legal basis for transfer of the data is provided by the processing contract and/or GDPR, Art. 6, para. 1 (b) or (f)).
Beyond this, we will pass on your personal data to third parties only where you have expressly consented to this in accordance with GDPR, Art. 6, para. 1 (a).
D. Video surveillance for security purposes
D.1. Explanation
We use video cameras to keep a visual record of activities in security-relevant areas of the funicular railways. In particular, this involves areas which are exposed to special hazards or in which special assets need to be protected. Areas under video surveillance are always indicated by a corresponding sign featuring a camera symbol.
D.2. What items of data are processed by our company?
The following personal data are recorded, stored and, where appropriate, transferred by our company in the course of video surveillance: Your image and – as a moving image – your behaviour in the area concerned.
D.3. For what purpose and on what legal basis (see A.4.) are these data processed?
We process the personal data specified above in accordance with the provisions of the GDPR and the other relevant data protection regulations. Data processing by way of recording and storing personal data serves to control access to our premises, to prevent criminal offences and to preserve evidence relating to criminal offences (the legal basis is provided by GDPR, Art. 6, para. 1, sentence 1 (f)).
D.4. Over what period of time will these data be processed?
Processing of your data will only continue for as long as is necessary in order to check the video recordings for any security-relevant behaviour. As a general rule, a period of 48 hours applies for this purpose. The legal bases specified in relation to the purposes of processing apply accordingly.
Further information on the duration of storage is to be found under A.5.
D.5. Are these data passed on to third parties and, if so, on what legal basis (cf. A.4.)?
The transfer of personal data to competent authorities (such as law enforcement agencies) takes place where and to the extent to which we are legally obliged to effect transfer (in this case, the legal basis is provided by GDPR, Art. 6, para. 1, sentence 1 (c)), where transfer is necessary in order to protect vital interests (in this case, the legal basis is provided by GDPR, Art. 6, para. 1, sentence 1 (d)), or where transfer is in the public interest (in this case, the legal basis is provided by GDPR, Art. 6, para. 1, sentence 1 (e)).