Privacy Policy

In this Privacy Policy, we inform you which personal data we process in connection with our activities and operations, including our ballenberg.ch website. In particular, we inform you of why, how and where we process personal data. We also inform you about the rights of persons whose data we process.

Other privacy policies as well as other legal documents such as the General Terms and Conditions (GTC), Terms of Use or Conditions of Participation may apply for individual or additional activities and operations.

We are subject to Swiss data protection law as well as any applicable foreign data protection law, in particular that of the European Union (EU) with the General Data Protection Regulation (GDPR). The European Commission acknowledges that Swiss data protection law guarantees adequate data protection.

1. Contact addresses

Responsible for the processing of personal data:

Ballenberg, Swiss Open-Air Museum
Museumsstrasse 100
3858 Hofstetten b. Brienz Schweiz

marketing@ballenberg.ch

We wish to point out that other persons may be responsible for the processing of personal data in individual cases.

2. Terminology and legal bases

2.1 Terminology

Personal data is all information that relates to an identified or identifiable natural person. A data subject is a person about whom personal data is processed.

Processing includes any handling of personal data, regardless of the means and procedures used, such as the consultation, alignment, adaptation, archiving, storage, retrieval, communication, procurement, collection, recording, erasure, disclosure, structuring, organisation, retention, modification, dissemination, combining, destruction and use of personal data.

The European Economic Area (EAA) includes the Member States of the European Union (EU) and the Principality of Liechtenstein, Iceland and Norway. The General Data Protection Regulation (GDPR) describes the processing of personal data as the processing of data relating to data subjects.

2.2 Legal bases

We process personal data in accordance with Swiss data protection law, in particular the Federal Act on Data Protection (FADP) and the Ordinance on Data Protection (DPO). We process personal data in accordance with the General Data Protection Regulation (GDPR) if and insofar as the GDPR is applicable.

•     Art. 6(1)(b) GDPR for the processing of personal data necessary for the completion of a contract with the data subject and for the implementation of pre-contractual measures.

•     Art. 6(1)(f) GDPR for the necessary processing of personal data in order to protect our rights or third parties’ rights, unless the fundamental freedoms, rights and interests of the data subject prevail. Legitimate interests include in particular our interest in being able to permanently, securely and reliably carry out our activities and operations in a user-friendly manner, communicate with regard to these activities and operations, protect information security, protect against misuse, enforce our own legal claims and comply with Swiss law.

•     Art. 6(1)(c) GDPR for the necessary processing of personal data in order to fulfil a legal obligation to which we are subject under any applicable laws of member states of the European Economic Area (EEA).

•     Art. 6(1)(e) GDPR for the necessary processing of personal data for the performance of a task in the public interest.

•     Art. 6(1)(a) GDPR for the processing of personal data with the consent of the data subject.

•     Art. 6(1)(d) GDPR for the necessary processing of personal data in order to protect vital interests of the data subject or another natural person.

3. Type, scope and purpose

We process those personal data that are necessary to make our activities and operations permanent, user-friendly, secure and reliable. Such personal data can in particular fall into the categories of inventory and contact data, browser and device data, content data, metadata and peripheral data, usage data, location data, sales data as well as contract and payment data.

We process personal data for the period of time required for the respective purpose or purposes, or as required by law. Personal data that no longer requires processing will be made anonymous or erased.

We process in particular information that a data subject voluntarily provides to us when making contact – for example by post, email, instant messaging, contact form social media or telephone – or when registering for a user account. We may store such information in an address book, in a customer relationship management system (CRM system) or with comparable tools. If any data about other persons is conveyed to us, the persons conveying such data to us are obliged to guarantee data protection for such other persons and to ensure the accuracy of such personal data.

4.   Job applications

We process personal data relating to job applicants if such personal data is required for the assessment of suitability for an employment relationship or for the later execution of an employment contract. The personal data required in this context is derived from the information requested, for example, in the context of a job advertisement. We also process personal data that job applicants voluntarily provide or disclose, in particular as part of cover letters, curricula vitae (CVs) and other application documents as well as online profiles.

We process personal data in accordance with the General Data Protection Regulation (GDPR) if and insofar as the GDPR is applicable, in particular in accordance with Art. 9(2)(b) GDPR.

5.   Processing of personal data by third parties

In the performance of our business activities and the processing of personal data in accordance with this Privacy Policy, we may – to the extent that this is permitted by law and necessary – disclose personal data to trusted third parties (third-party recipients) who process personal data on our behalf. In particular, these parties may be service partners of ours (e.g. IT service providers, third parties involved in the implementation or organisation of events, support service providers).

Third-party recipients may be located in Switzerland or in another country abroad. If the country in question does not provide adequate legal data protection, we ensure an adequate level of protection as prescribed by law by using suitable contracts (namely, based on what are known as standard contractual clauses of the European Commission) or so-called Binding Corporate Rules, or we use an exemption clause. Exemptions may apply in particular in the event of legal proceedings abroad, but also in cases of overriding public interests or if performance of a contract requires such disclosure, if consent has been provided or if the matter concerns personal data made generally accessible by the data subject, the processing of which the data subject has not objected to.

6. Rights of data subjects

6.1 Rights and claims in accordance with data protection law

We grant data subjects all rights under the applicable data protection law. In particular, data subjects have the following rights:

•     Access: Data subjects can request information regarding whether we process personal data relating to them and, if so, what personal data we are processing. Data subjects also receive the information they need to assert their rights under data protection law and to ensure transparency. This includes the personal data processed in itself, but also includes information on the purpose of the processing, the duration of retention, any disclosure or export of data to other countries and the origin of the personal data.

•     Rectification and restriction: Data subjects can have inaccurate personal data rectified, incomplete data completed and the processing of their data restricted.

•     Erasure and objection: Data subjects can have personal data erased (“right to be forgotten”) and object to the processing of their data with effect for the future.

•     Disclosure and submission of data: Data subjects may request the disclosure of personal data or the transfer of their data to another data controller.

We may suspend, restrict or refuse the exercising of the rights of data subjects to the extent permitted by law. We may inform data subjects of any requirements that must be met in order to exercise their rights under data protection law. We may, for example, refuse to provide information in whole or in part on the grounds of commercial confidentiality or in order to protect other persons. We may also, for example, refuse to delete personal data in whole or in part in order to comply with legal obligations to retain data.

In exceptional cases, we may charge costs for the exercising of rights. We inform data subjects in advance of any possible costs.

We are obliged to take suitable measures to identify data subjects who request information or assert other rights. Data subjects are under an obligation to cooperate.

6.2   Right to complain

Data subjects have the right to assert their data protection claims through legal means or to lodge a complaint with a responsible supervisory authority for data protection.

The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

If and insofar as the General Data Protection Regulation (GDPR) is applicable, data subjects have the right to assert their data protection claims through legal means or to lodge a complaint with a responsible European supervisory authority for data protection.

7.   Data security

We take appropriate technical and organisational security measures to maintain the confidentiality, integrity and availability of personal data, to protect such data against unauthorised or unlawful processing and to mitigate the risks of loss, accidental alteration and unauthorised disclosure or access.

Access to our website is carried out by means of transport encryption (SSL / TLS, in particular with Hypertext Transfer Protocol Secure, abbreviated to HTTPS). The majority of browsers mark transport encryption with a padlock in the address bar.

8.   Use of the website

8.1   Cookies

We are permitted to use cookies. Cookies – both our own cookies (first-party cookies) and cookies from third parties whose services we use (third-party cookies) – are data that is stored in a browser. Such stored data need not be restricted to traditional text cookies.

Cookies can be stored temporarily in a browser as “session cookies” or for a certain period of time as so-called permanent cookies. “Session cookies” are automatically deleted when the browser is closed. Permanent cookies have a certain storage period. In particular, cookies make it possible to recognise a browser the next time our website is visited and thus, for example, to measure the reach of our website. Permanent cookies can also be used for online marketing, for example.

Cookies can be deactivated or deleted in the browser settings at any time, either wholly or partially. Without cookies, our website may no longer be fully available. We actively ask – if and where necessary – for express consent for the use of cookies.

In the case of cookies that are used to measure success and reach or for advertising, a general “opt-out” is possible for many services via the AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

8.2   Server log files

We may collect the following information each time our website is accessed, as far as this information is transmitted by your browser to our server infrastructure or can be determined by our web server: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual subpages of our website called up including the amount of data transferred, last website called up in the same browser window (referer/referrer).

We store such information, which may also constitute personal data, in server log files. This information is necessary to ensure the permanent provision of our website in a user-friendly and reliable manner and to ensure data security and thus in particular the protection of personal data – also by third parties or with the help of third parties.

8.3   Tracking pixels

We may use tracking pixels on our website. Tracking pixels are also called web beacons. Tracking pixels, including those of third parties whose services we use, are small, usually invisible images that are automatically called up when someone visits our website. Tracking pixels can be used to record the same information as server log files.

9.   Notifications and messages

We send notifications and communications by email and through other means of communication, such as Instant Messaging or SMS.

9.1   Measuring success and reach

Notifications and messages may contain web links or tracking pixels that record whether an individual message was opened and which web links were clicked on. Such web links and tracking pixels can also record the use of notifications and messages on a personal basis. We need this statistical recording of usage to measure success and reach in order to be able to send notifications and messages effectively and in a user-friendly, permanent, secure and reliable manner based on the needs and reading habits of the recipients.

9.2   Consent and objection

As a matter of principle, your express consent is required for the use of your email address and your other contact addresses for marketing purposes and relationship management, unless the use is permitted for other legal reasons. For any consent, we use the “double opt-in” where possible, meaning that you will receive an email with a web link that you must click on to confirm so that no abuse by unauthorised third parties can take place. We may log such consent, including the IP address, date and time, for the purpose of evidence and security.

You can always, as a matter of principle, opt out of receiving notifications and messages, such as newsletters, at any time. By opting out in this regard, you can in particular withhold your consent to the statistical recording of usage for the purposes of measuring success and reach. We reserve the right to send notifications and messages that are necessary with regard to our activities and operations.

9.3   Service provider for notifications and messages

We send notifications and messages using specialist service providers.

In particular, we use:

•     Mailchimp: Communication platform; provider: The Rocket Science Group LLC DBA Mailchimp (USA), a subsidiary of Intuit Inc. (USA); data privacy details: Privacy Statement (Intuit) including “Region and state-specific terms), “Frequently Asked Questions on data privacy at Mailchimp”, “Mailchimp and European Data Transfers”, “Security”, Cookie Policy, “Privacy Rights Requests”, “Legal Information”.

10.   Social media

We are present on social media platforms and other online platforms in order to communicate with interested people and inform them about our activities and operations. In connection with these types of platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC) and conditions of use as well as privacy policies and other provisions of individual operators of these types of platforms also apply in each case. These provisions provide information in particular about the rights of data subjects directly related to the relevant platforms, including in particular the right to disclosure.

We are responsible for our social media presence on Facebook, including the so-called Page Insights, if and in so far as the General Data Protection Regulation (GDPR) is applicable, together with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited belongs to the Meta company (including in the USA). Page Insights give information on how visitors interact with our Facebook presence. We use Page Insights to make our social media presence on Facebook effective and user-friendly.

Further information about the type, scope and purpose of data processing, information on the rights of data subjects as well as contact data of Facebook and the Facebook privacy officer can be found in Facebook’s Privacy Policy. We have concluded the “Controller Addendum” with Facebook and have thus agreed in particular that Facebook is responsible for guaranteeing the rights of data subjects. Corresponding information for Page Insights can be found on the page “Information about Page Insights” including “Information about Page Insights Data” .

11.   Third-party services

We use the services of third-party specialists to carry out our activities and operations on a permanent, user-friendly, secure and reliable basis. Such services also enable us, among other things, to embed functions and content into our website. This type of embedding enables the services used to record the IP addresses of the users at least temporarily for essential technical reasons.

For their own security-related, statistical and technical purposes, third parties whose services we use may process data in connection with our activities and operations in aggregated, anonymised or pseudonymised form. This data includes, for example, performance or usage data to enable provision of the respective service.

In particular, we use:

•     Services from Google: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; general details on data privacy: “Privacy and Security Principles”, Privacy Policy, “Google is committed to complying with applicable data protection laws”, “Google Product Privacy Guide”, “How Google uses information from websites or apps that use our services” (information provided by Google), “Types of cookies and other technologies used by Google”, “Personalized advertising” (Activation / Deactivation / Settings).

•     Services from Microsoft: Providers: Microsoft Corporation (USA) / Microsoft Ireland Operations Limited (Ireland) for users in the European Economic Area (EEA), in the United Kingdom and in Switzerland; general details on data privacy:

“Privacy at Microsoft”, “Data protection and privacy (Trust Center)”, Privacy Statement, Privacy dashboard (data and privacy settings).

11.1 Digital infrastructure

We use the services of third-party specialists to be able to take advantage of the digital infrastructure in terms of performing our activities and operations. These include, for example, hosting and storage services from selected providers.

In particular, we use:

•     StackPath CDN: Content Delivery Network (CDN); providers: StackPath LLC (USA) / Highwinds Network Group Inc. (USA); Data privacy details: Privacy Statement.

•     Vercel: Cloud deployment platform in particular for static websites; Provider: Vercel Inc. (USA); Data privacy details: Privacy Policy, “Additional Information for Users in the EEA and the UK”).

11.2 Audio and video conferencing

We use specialised audio and video conferencing services to communicate online. For example, we can hold virtual meetings or provide online instruction and webinars. For participation in audio and video conferences,

the legal texts of the individual services, such as data privacy statements and terms of use, also apply.

Depending on your individual circumstances, we recommend that you always mute the microphone when participating in audio or video conferences and blur the background or display a virtual background.

In particular, we use:

•     Microsoft Teams: Platform used, for example, for audio and video conferences; Provider: Microsoft; details specific to Teams: “Privacy and Microsoft Teams”.

•     Skype: Audio and video conferencing; Skype-specific providers: Skype Communications SARL (Luxembourg) / Microsoft Corporation (USA) / Microsoft Ireland Operations Limited (Ireland) for users in the European Economic Area (EEA), in the United Kingdom and in Switzerland; General details on data privacy: “Skype Legal”,

“Privacy and security”.

•     Zoom: Video conferencing; provider: Zoom Video Communications Inc. (USA); data privacy details: Privacy Statement, “Privacy at Zoom”, “Legal & Compliance Center”.

11.3 Online cooperation

We use the services of third parties to enable us to collaborate online. In addition to this Privacy Policy, any directly visible terms and conditions of the services used, such as terms of use or data privacy statements, also apply in each case.

In particular, we use:

•     Notion: Platform for working in teams; provider: Notion Labs Inc. (USA); details on data privacy: Privacy Policy, “Security & privacy”, Cookie Notice.

11.4 Social media functions and social media content

We use third-party services and plug-ins to embed functions and content from social media platforms and to enable the sharing of content on social media platforms and in other ways.

In particular, we use:

•     Facebook (Social plug-ins): Embedding of Facebook functions and Facebook content, for example “Like” or “Share”; providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); details on data privacy: Privacy Policy.

•     LinkedIn Consumer Solutions Platform: Embedding of functions and content from LinkedIn, for example using plugins such as “Share Plugin”; provider: Microsoft; details specific to LinkedIn: “Privacy”, Privacy Policy, Cookie Policy, Managing Cookies / Opt out of email and SMS communication from LinkedIn, Opt out of targeted advertising.

•     Twitter for Websites: Integration of functions and content from Twitter, such as embedded tweets or “Follow” and “Tweet” buttons; Twitter International Unlimited Company (Ireland) for users in the European Economic Area (EEA), in the United Kingdom and in Switzerland / X Corp. (USA) in the rest of the world; data privacy information: Privacy Policy, “Additional information about data processing”, “Privacy […] at Twitter for Websites”, “About personalization based on your inferred identity”, “Privacy controls for personalized ads”.

11.5 Digital audio and video content

We use the services of third-party specialists to allow direct playing of digital audio and video content such as music or podcasts.

In particular, we use:

•     Vimeo: Video platform; provider: Vimeo Inc. (USA); details on data privacy: Privacy Policy, “Data privacy”.

•     YouTube: Video platform; provider: Google; specific YouTube details: “Privacy and safety center”, “Your data in YouTube”.

11.6 Advertising

We use the option of displaying targeted advertising for our activities and operations through third parties such as social media platforms and search engines.

Our aim with such advertising is to reach people who are already interested in our activities and operations or who might be interested in them (remarketing and targeting). For this purpose, we may transfer relevant – possibly also personal – information to third parties that enable such advertising. We can also determine whether our advertising is successful, i.e. whether it leads to visits to our website (conversion tracking).

Third parties with whom we advertise and where you are registered as a user may be able to associate the use of our website with your profile there.

In particular, we use:

•     Facebook Ads: Social media advertising; providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); details on data privacy: Remarketing and targeting, in particular via Facebook Pixel and Custom Audiences including Lookalike Audiences, Privacy Policy, “Ad preferences” (registration as a user required).

•     Google Ads: Search engine advertising, provider: Google; details specific to Google Ads: Advertising based on, among other things, search requests using various domain names – in particular doubleclick.net, googleadservices.com and googlesyndication.com – for Google Ads, “Advertising” (Google), “Why am I seeing a certain ad?”.

•     Instagram Ads: Social media advertising; providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); data privacy details: Remarketing and targeting, in particular via Facebook Pixel and Custom Audiences including Lookalike Audiences, Privacy Policy (Instagram), Privacy Policy (Facebook), “Ad preferences” (Instagram) “Ad preferences” (Facebook) (registration as a user required).

•     Pinterest Ads: Social media advertising; providers: Pinterest Inc. (USA) / Pinterest Europe Ltd. (Ireland) for users in the European Economic Area (EEA), details on data privacy: Remarketing and targeting, in particular using the Pinterest Tag,

“Privacy, safety and legal”, Privacy Policy, “Personalization and data”, “Personalized ads on Pinterest”, “Data sharing on Pinterest”, Cookies.

12. Extensions to the website

We use extensions for our website in order to use additional functions.

In particular, we use:

•     jQuery (OpenJS Foundation): Free JavaScript Library; provider: OpenJS Foundation (USA) using StackPath CDN; data privacy details: Privacy Policy (OpenJS Foundation), Cookie Policy (OpenJS Foundation).

13. Measuring success and reach

We try to find out how our website is used. For example, we can measure the success and reach of our activities and operations as well as the effectiveness of third-party links to our website. We can also test and compare how different sections or versions of our website are used (“A/B test” method). Based on the results of the performance and reach measurement, we can particularly correct errors, enhance popular content or make improvements to our website.

In most cases, the IP addresses of individual users are stored for the purpose of success and reach measurement. In this case, IP addresses are in principle shortened (“IP masking”) in keeping with the principle of data economy by means of appropriate pseudonymisation.

Cookies may be used and user profiles may be created when measuring success and reach. Any user profiles created include details of, for example, the individual pages visited or content viewed on our website, information on the size of the screen or browser window and at least an approximate location. As a matter of principle, any user profiles are only created in pseudonymised form and are not used to identify individual users. Individual services provided by third parties with which users are registered can, if necessary, attribute the use of our online services to the user account or user profile of the respective service.

In particular, we use:

•     Google Analytics: Measuring success and reach; provider: Google; specific details for Google Analytics: Measurement also across different browsers and devices

(Cross-Device Tracking) and using pseudonymised IP addresses, which are only transmitted in full to Google in the USA in exceptional cases, “Data Privacy”, “Browser add-on for opting out of Google Analytics”.

•     Google Tag Manager: Integration and management of other services for performance and reach measurement as well as other services from Google and third parties; provider: Google; specific details for Google Tag Manager: “Data collected by Google Tag Manager”; more details on data privacy are available in the individual integrated and managed services.

14. Final provisions

We have created this Privacy Policy using the Data Protection Generator from Datenschutzpartner.

We may amend and supplement this Privacy Policy at any time. We will provide information about such adaptations and additions in a suitable form, in particular by publishing the respective current Privacy Policy on our website.