
Data protection

 

1. Our privacy policy


The protection of your personal data is of utmost importance at Südwestdeutsche Salzwerke AG. Therefore, we always treat your personal data confidentially and in accordance with applicable data protection regulations. With this privacy policy, we aim to inform you about the personal data we process about you on our website, for what purpose, and on what legal basis.


Furthermore, we outline the rights of data subjects in connection with the processing of their personal data.


Please note that our websites may contain links that are not covered by this privacy policy.

 

 

2. Definitions of terms


We use terms in our privacy policy that are also used in the General Data Protection Regulation (hereinafter referred to as "GDPR"). Below, we have listed the most important terminology to make it easier for you to read and understand this privacy policy.


2.1 Personal data

Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of such natural person.


2.2 Data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the controller.


2.3 Processing

Processing is any operation or set of operations which is carried out on personal data, whether or not by automated means, e.g. collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


2.4 Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.


2.5 Profiling

Profiling is any form of automated processing of personal data which uses such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location of such natural person.


2.6 Pseudonymisation

Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.


2.7 Data controller or entity responsible for processing

The data controller or entity responsible for processing is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of the personal data. If the purposes and methods of such processing are determined by EU or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law.


2.8 Commissioned data processor

The processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.


2.9 Recipient

The recipient is a natural or legal person, public authority, agency or other body to whom personal data is disclosed, regardless of whether the recipient is a third party. However, authorities that may receive personal data in the context of a specific investigation mandate under Union or Member State law are not deemed recipients.


2.10 Third parties

A third party is a natural or legal person, public authority, agency or other body in addition to the data subject, the controller, the processor and the persons authorised to process the personal data under the direct responsibility of the controller or the processor.


2.11 Consent

Consent denotes any specific and informed indication of the data subject's wishes, granted voluntarily, in the form of a statement or other unambiguous affirmative act whereby the data subject signifies their consent to the processing of their personal data.

 

 

3. Name and address of the controller / entity responsible for processing


The controller within the meaning of the GDPR, other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature is:


Südwestdeutsche Salzwerke AG
Salzgrund 67
74076 Heilbronn
Germany

 

 

4. Data Protection Officer contact details


You can contact the Data Protection Officer at the following address:

Südwestdeutsche Salzwerke AG
Data Protection Officer
Salzgrund 67
74076 Heilbronn


Alternatively, use the following email address for any enquiries: Datenschutz@salzwerke.de

 

 

5. How we protect your data


We take the protection of your personal data very seriously and implement the appropriate technical and organisational measures to protect your data with respect to the use of this website against access by unauthorised persons, manipulation, destruction and loss. The security measures implemented are continuously improved in line with technological progress.


For example, communication via our website is protected by the HTTPS protocol (HyperText Transfer Protocol Secure). This establishes a secure connection between the server and client that cannot be accessed by unauthorised persons. This serves to protect the transmission of confidential content, such as enquiries you send to us as the site operator.


If we designate service providers to process the services offered on our website and these are designated as processors, we have regulated these contractual relationships to protect your personal data via a processing contract in the sense of Art. 28 GDPR.

 

 

6. Links to Other Websites


Our website may contain links to third-party websites, and some of our services may provide you with access to third-party services. We have no control over how third-party websites and services process your personal data. These third-party websites and services are not reviewed by us, and we are not responsible for such third-party websites or their privacy practices. Please read the privacy policies of the third-party websites or services you access through our website. If our websites integrate other services, you will find an explanation in this privacy policy.

 

 

7. Collection of general data and information when using our website


During the purely informational use of the website, i.e., without registration in the customer account, use of the contact form for inquiries, or placing an order through our online ticket shop, we only collect the personal data that your browser transmits to our server. When you want to view our website, we collect the following data:

  • IP address,
  • Date and time of the request,
  • Region (not the address) from which the IP address accesses the website,
  • Browser language, browser type (e.g., Chrome, Firefox, Safari), and version
  • Operating system,
  • Device type (e.g., mobile device, desktop computer, tablet),
  • Browsing behavior on the website (e.g., when the website was visited, which areas of the website were clicked, how much time was spent on the website),
  • The website from which the request comes.


We process and store this data for the purpose of ensuring the functionality of the website, improving the content of the website, creating statistical analyses based on aggregated browsing data, and analyzing the technical operation of the website to ensure the security of our information technology systems.


Our legitimate interest in data processing pursuant to Art. 6(1)(f) GDPR lies in the necessity of displaying this website to you and ensuring its stability, functionality, and security. Furthermore, the storage of server log files, in the context of potential cyber-attacks, serves the purpose of appropriate law enforcement. The retention period is 60 days.

 

 

8. Data within the framework of the use of a contact form provided on the website


If you have any questions, you can use a contact form provided on the website or contact us via the corresponding online function. You must provide a valid email address so we know from whom the request originates and we can then respond to it. Any additional information required is marked with an asterisk in the contact form. Depending on the subject, the type of data and whether you are already a customer, the basis for the processing of data is the contract we have with you, your consent or your/our legitimate interest in responding to the request in accordance with Art. 6 para 1 sentence 1 a), b) and f) GDPR. We will delete your data relating to the request unless we are required by law to continue to store or retain it. Insofar as the data is still required for the processing of outstanding enquiries, it will be deleted at the earliest after these enquiries have been processed. Your personal data will not be disclosed to third parties.

 

 

9. Cookie policy


9.1 What are cookies?

Cookies are small text files in which the web browser stores information sent by the web server regarding websites visited. This may be information about the site visit; e.g. duration, login data, user input, etc.


The cookies are stored on your computer or mobile device when you visit a website. They require hardly any storage space and are automatically deleted after expiry. Some cookies expire at the end of your Internet session, and others are stored for a limited period.


We primarily use cookies to make your visit to our website as user-friendly as possible. Additionally, we use cookies for analyzing tracking on the website and for advertising purposes during your future visits to other websites. The types of cookies and their respective purposes are detailed in our COOKIE GUIDE.

 

9.2 Cookie consent through Cookiebot via “COOKIE GUIDE”

Our website uses the Cookie Consent technology from Usercentrics to obtain your consent for storing certain cookies in your browser and to document this in compliance with data protection regulations. The provider of this technology is Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark.


We have entered into a data processing agreement with Usercentrics, in which Usercentrics undertakes to ensure the necessary protection of your data and to process it exclusively on our behalf and in accordance with our instructions, in compliance with applicable data protection regulations. The use of a cookie banner, as well as the management and storage of your consents to the processing of your personal data, is based on our legal obligation to provide a data protection-compliant website (Art. 6 para. 1 lit. c) GDPR in conjunction with § 26 TTDSG). The processing of data to provide a cookie banner is essential for the operation of the website. There is no option for the user to object as long as there is a legal obligation to obtain user consents for certain data processing operations before loading the website.


When you enter our website, a Cookiebot cookie is stored in your browser, which contains the consents you have given or the revocation of these consents. This data is anonymized and transferred to the provider of Cookiebot. Cookiebot processes the following data to provide and manage the cookie banner: 

  • Your IP address anonymized by Cookiebot (the last three digits are set to "0"),
  • Additional information about the browser used and its version,
  • Date and time of your visit to our website or your settings via our cookie banner,
  • The URL of the accessed website,
  • An anonymous, random, and encrypted key (ID),
  • Your given consents or individual privacy settings.


Cookiebot uses both local storage and the setting of cookies to store this information locally in your browser. Your individual settings and your ID are stored in a cookie so that your settings are taken into account when you revisit our website.


For more information about the data processing by Cookiebot, please visit: Cookiebot Privacy Policy.

 


9.3 Cookie Management via "COOKIE GUIDE"

In the COOKIE GUIDE, you can view your cookie settings and adjust them according to your needs at any time. Additionally, you can see the types of cookies and their respective purposes outlined there.


Here is your cookie overview:

 


 

10. Personal data in the (online) application procedure


We collect and store your personal data in the context of an (online) application if you send it to us via our website, by email or by post and submit an unsolicited application or an application for a specific job vacancy.


If you apply for a specific job vacancy or apprenticeship, your data can only be viewed and processed by the relevant employees in the HR department of the company advertising the post and by the employees in the respective department. After completion of the application process, your applicant data will remain stored for a period of up to three months based on a legitimate interest and will then be deleted. The legitimate interest here is based on securing a duty of proof in proceedings under the General Act on Equal Treatment (AGG). If you are employed, your personal data will be stored and processed as employee data to the extent necessary in accordance with Art. 88 GDPR and § 26 BDSG-Neu (Federal Data Protection Act as amended).


In the event of a speculative application, we would like to include you in our pool of potential applicants if you are interested, and will contact you in this regard. If you expressly agree to be invited to join our pool of potential applicants, you will be providing us with your personal data with the aim of finding a suitable position within the Südwestdeutsche Salzwerke AG Group. Your data will then be included in the pool of applicants of the Südwestdeutsche Salzwerke AG Group for a period of 12 months and used to search for suitable applicants. Your data can then be viewed by the personnel departments of the Südwestdeutsche Salzwerke AG Group and by the employees of the relevant departments involved in the application process to analyse your profile for potential job offers. Your data will be deleted after the period of 12 months has elapsed. You can also revoke your consent to the inclusion of your applicant data in the pool of applicants at any time with effect for the future. In this case, the data in our applicant management system will also be deleted from the time of your revocation.


As part of the application process, we will contact you in writing or by telephone and provide regular updates on the status of your application.


Südwestdeutsche Salzwerke AG and its affiliated Group companies ensure the protection of your data and comply with the applicable laws and regulations on data protection. Your personal data will not be made available to third parties outside the Südwestdeutsche Salzwerke AG Group.


Please address requests to exercise your rights pursuant to Art. 15 - 21 GDPR regarding the application process, as well as your revocation if you are included in the applicant pool, directly to the email address: Karriere@salzwerke.de

 

 

11. Deletion and blocking of personal data


The controller shall process and store personal data of the data subject only for the period necessary to achieve the purpose of storage or where provided for by the European Directive and Regulation or other legislator in laws or regulations to which the controller is subject.


If the purpose of storage no longer applies or if a storage period prescribed by the European Directive and Regulation or another competent legislator expires, the personal data will be blocked or deleted in accordance with the statutory provisions.

 

 

12. Legal basis for the processing of personal data


Art. 6 I lit. a GDPR is our company’s legal basis for processing operations in which we obtain consent for a specific processing purpose; e.g. to use a contact form integrated on the website.


If the processing of personal data is necessary to perform a contract to which the data subject is a party, e.g. to carry out processing operations that are necessary for the delivery of goods or the provision of another service or consideration, the processing is based on Article 6 I lit. b GDPR. The same applies to such processing operations that are necessary to implement pre-contractual measures, e.g. for enquiries about our products or services.


If our company is subject to a legal obligation whereby the processing of personal data is necessary, e.g. to fulfil tax obligations, the processing is based on Art. 6 I lit. c GDPR.


Processing operations may also be based on Art. 6 I lit. f GDPR. This is the case if the processing is necessary to protect a legitimate interest of our company or a third party and provided this does not override the interests, fundamental rights and freedoms of the data subject. We are permitted to carry out such processing operations notably because they have been specifically stipulated by the European legislator. In this respect, a legitimate interest could be assumed if the data subject is a customer of the controller or is in the service of such customer. (Recital 47, sentence 2 GDPR). Where the processing of personal data is based on Art. 6 I lit. f GDPR, our legitimate interest is to conduct our business for the benefit of our shareholders, taking into account the legitimate interests of the data subjects. When considering the respective interests, the focus will be on an appropriate relationship between the data subject and us as a company at all times.

 

 

13. Duration for which the personal data is stored


The criteria for the storage period of personal data are legal retention periods which may arise from tax or commercial law and other applicable legal provisions and, in any case, if such legal provisions can be applied to your personal data. After expiry of the deadline, the corresponding data will be deleted if it is no longer required for the fulfilment of the contract, the initiation of the contract or the maintenance of the business relationship. If no retention periods are applicable and you have provided your consent to store and use your personal data, the data will be stored and used for the purpose specified in the consent or until you revoke your consent to its use in the future.

 

 

14. Legal or contractual requirements to provide the personal data; necessity to conclude the contract; obligation of the data subject to provide personal data; potential consequences of not providing the data


We would like to inform you that the provision of personal data is sometimes required by law (e.g. tax regulations) or may also result from contractual regulations (e.g. information on the contractual partner). It may sometimes be necessary for a data subject to provide us with personal data which must subsequently be processed by us to conclude a contract. For example, data subjects are obliged to provide personal data if our company concludes a contract with them. Failure to provide such personal data would mean that it would not be possible to conclude the contract with the data subject.

 

 

15. Social media presence on social networks and platforms (YouTube)


We maintain the following channels or fan pages on social media platforms:

  • YouTube: (@sudwestdeutschesalzwerkeag) 

with the aim of communicating with active customers, prospects, and users there, and informing them about our services.


The icon displayed for this purpose within our website is a static link. This means that no automatic connection to these social networks is established when our website is loaded. Only when you click on the icon will you be directed to the website of the respective social network.

 

15.1 YouTube


Principle for using this Website

Our website uses plugins from the YouTube service. The company providing the service in the European Economic Area and Switzerland is Google Ireland Limited, a company registered and operated under Irish law (registration number: 368047) with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. The use of YouTube, and thus the viewing of embedded videos on this website, is only possible with your consent to the so-called marketing cookies. If you have not consented to the use of these cookies, viewing embedded videos is not possible.


Upon your consent, a connection is established to YouTube's servers. This informs the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to directly associate your browsing behavior with your personal profile. You can prevent this by logging out of your YouTube account.


Furthermore, after starting a video, YouTube may store various cookies on your device. With the help of these cookies, YouTube can obtain information about visitors to our website. This information is used, among other things, to capture video statistics, improve user-friendliness, and prevent fraud. The cookies remain on your device until you delete them. After starting a YouTube video, additional data processing operations may be triggered, over which we have no influence.

 

15.2 YouTube Channel


Principle

As the operator of the aforementioned YouTube channels on YouTube, we (Südwestdeutsche Salzwerke AG) and the operator of the YouTube service (Google Ireland Limited; hereinafter also referred to as "Google") are joint controllers within the meaning of Article 4(7) of the General Data Protection Regulation (GDPR).


When visiting the YouTube channels as outlined in section 22, personal data is processed by the controllers. The following provides information on the types of data processed, the processing methods, and the rights available to you.


Contact Details of Joint Controllers

Südwestdeutsche Salzwerke AG: Contact details of the controller and its data protection officer can be found in sections 3 and 4 of this privacy policy.

Contact details: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

You can contact Google's data protection officer via this link: https://www.youtube.com/t/contact_us


Shared Responsibility

We, as operators of the YouTube channel, and Google, as the platform operator of YouTube, share responsibility for the processing of personal data of subscribers, visitors, and users that takes place on or through the channel.


Information regarding the data processing carried out by our company can be found in this privacy policy. Information about how Google handles personal data for the YouTube service can be found in their privacy policy.


Use of Insights and Cookies in connection with the mentioned YouTube accounts

In connection with the operation of the YouTube channel, Google provides an analytics function that we use to obtain anonymized statistical data about the users and interactions on our channel. For this purpose, Google stores a cookie on the device of the user who visits our channel. The cookie contains a unique user code, which can be linked to the data of users registered on YouTube.


The information stored in the cookies is received, recorded, and processed by Google. Additionally, other entities, such as Google partners, may use cookies to provide services to companies advertising on YouTube or other Google services. For more information on the use and deployment of cookies by Google, please visit: https://policies.google.com/technologies/cookies?hl=de


Legal Basis and Legitimate Interests

We operate this YouTube channel to present ourselves to YouTube users and other interested individuals who visit our YouTube channel, aiming to engage in communication with them. The processing of personal data of users is based on our legitimate interests in optimizing the presentation of SSG (Article 6(1)(f) GDPR).


Data Disclosure

It is possible that some personal data may be processed outside the European Union or the European Economic Area by Google LLC, the parent company of Google Ireland Ltd., located in the United States. Specific details from Google on this matter can be found in Google's privacy policy. However, our contracting partner is Google Ireland Limited, a company based in Ireland and therefore within the European Union.


The U.S. parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA, is also certified under the EU-U.S. Data Privacy Framework (PDF), making the data transfer to the U.S. permissible under the adequacy decision of the European Commission regarding the USA.


We do not share any personal data ourselves.


Opt-out Options

YouTube users can influence the extent to which their user behavior is recorded when visiting or using Google services, including our YouTube channel, through the settings of their accounts.

 

 

16. Data protection provisions regarding the use and application of MATOMO


We use the web analysis tool "Matomo" to customise the design of our website. We only carry out web analyses using Matomo if you, as a visitor to our website, have given your consent to this by means of a cookie banner. We have activated the "Replace user ID with a pseudonym" function when analysing using Matomo in order to ensure a high level of data protection. Matomo thus creates user profiles on the basis of pseudonyms. Matomo uses so-called cookies. These are text files that are stored on your computer and enable Matomo to analyse the use of its website. For this purpose, the usage information obtained by means of cookies is transmitted to the server and stored so that usage behaviour can be evaluated. Your IP address is immediately anonymised, so that you remain anonymous as a user. The information generated by the cookie about your use of this website is not passed on to third parties. In this way, we are able to recognise and count returning visitors. The analysis data in the log files is automatically deleted after 365 days.


Data processing is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR, provided that you have given your consent to processing via our cookie banner. You can revoke your consent at any time. Please make the appropriate settings via our cookie banner. Further information on Matomo's terms of use and data protection regulations can be found at: https://matomo.org/privacy/

 

 

17. Your rights as a data subject at a glance


A data subject has individual rights to request under the GDPR that can be asserted with respect to their personal data. Data subjects can therefore exercise their right of access, to rectification, erasure, to a restriction of processing, to data portability and individual rights to object to processing and a right to lodge a complaint with a supervisory authority. The following contains an overview of the individual rights and their deadlines.

 

17.1 Deadlines for the rights to request pursuant to Art. 15 - 21 GDPR

As the controller, we will respond to any requests from the data subject pursuant to Art. 15 - 21 GDPR within one month after receipt. This period may be extended by a further two months if this is necessary, taking into account the complexity and number of applications. In this case, we will inform you within one month after receipt of your request regarding the extension. If the data subject makes the request electronically, we will respond to such electronically where possible, unless you indicate otherwise.

 

17.2 Channels for requests to exercise rights

Requests to exercise rights may be sent by surface post or email. The contact address is available in section 4 of this policy.

Please address all applications pursuant to Art. 15-21 GDPR in connection with the (online) application process directly to the email address provided under the heading "Personal data in the (online) application process".

 

17.3 Right of access by the data subject pursuant to Art. 15 GDPR

A data subject has the right to obtain confirmation from the controller as to whether their personal data is being processed; if so, they have a right of access to such data and further information as described in Art. 15 GDPR.


Please note that the controller may only provide information if there are no doubts about the identity of the data subject. The controller will use all reasonable means to verify the identity of a data subject who is seeking information.

 

17.4 Right to rectification pursuant to Art. 16 GDPR

A data subject shall have the right to obtain rectification from the controller of any inaccurate personal information without delay. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including via a supplementary statement.

 

17.5 Right to erasure pursuant to Art. 17 GDPR

A data subject has the right to require the controller to erase their personal data without undue delay and the controller shall erase personal data without undue delay if the conditions stipulated in Art. 17 GDPR are satisfied.

 

17.6 Right to restriction of processing pursuant to Art. 18 GDPR

The data subject shall have the right to obtain from the controller restriction of processing if the conditions in Art. 18 GDPR are satisfied.

 

17.7 Right to data portability pursuant to Art. 20 GDPR

A data subject has the right to obtain the personal data concerning them which they have provided to a controller in a format stipulated in Art. 20 GDPR or to request such data to be transferred to another controller as instructed by the data subject, provided the conditions in Art. 20 GDPR are satisfied.

 

17.8 Right to object pursuant to Art. 21 GDPR

A data subject shall have the right to object at any time on grounds relating to their specific situation, to the processing of personal data concerning them which has been collected based on Art. 6 para 1 lit. e GDPR [the processing is to perform a task carried out in the public interest or in the exercise of official authority vested in the controller] or Article 6 para 1 lit. f GDPR [processing is carried out based on the legitimate interest of the controller or a third party].


The controller shall cease processing the personal data in such cases, unless it can demonstrate compelling legitimate grounds for such processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.


If personal data is processed by the controller for the purpose of direct marketing, the data subject shall have the right to object at any time to the processing of their personal data for such marketing; this shall also apply to profiling insofar as it relates to such direct marketing.

 

17.9 Right to withdraw consent pursuant to Art. 13 para 2 lit. c GDPR

If the processing of a data subject's personal data by the controller is based on Art. 6 para 1 lit. a GDPR [the data subject has consented to the processing of their personal data for one or more specific purposes] or Art. 9 para 2 lit. a GDPR [the data subject has consented to the processing of specific categories of their personal data for one or more specific purposes], the data subject has the right to withdraw their consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent up to the date of such withdrawal.


You can request withdrawal by surface post or email. The contact address is available in section 4 of this policy.


Please address all applications pursuant to Art. 15-21 GDPR in connection with the (online) application process directly to the email address provided under the heading "Personal data in the (online) application process".

 

 

18. Right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR


Every data subject has the right to lodge a complaint with a supervisory authority, without prejudice to any other administrative or judicial remedy, if the data subject considers that the processing of personal data concerning them violates the GDPR. In general, you can contact the supervisory authority at your habitual residence, place of work, or the location of the alleged infringement.


The supervisory authority to which the complaint has been lodged shall inform the complainant about the progress and the outcome of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.


The supervisory authority responsible for Südwestdeutsche Salzwerke AG is: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg

Physical Address:

Lautenschlagerstraße 20
70173 Stuttgart
Germany

Mailing Address:

Postfach 10 29 32
70025 Stuttgart
Germany

For more information, please visit www.baden-wuerttemberg.datenschutz.de.

 

 

19. Topicality of this privacy policy

Amendments to our privacy policy may become necessary for legal or technical reasons. We reserve the right to make the relevant amendments at any time and therefore request that you consult this privacy policy at regular intervals to ensure you are aware of the current status of such.

 

 

Date: April 2024

Contact


Südwestdeutsche Salzwerke AG
Salzgrund 67
74076 Heilbronn

Email: datenschutz@salzwerke.de