
Data protection

1. Our privacy policy

 

Protecting your personal data is a top priority at Südwestdeutsche Salzwerke AG. With this in mind, we always treat your personal data as confidential and handle this information in accordance with the applicable provisions on data protection and privacy.

In principle, it is possible to use our website without providing any personal data. However, if you wish to make use of particular services provided by our company via our website as a website visitor, it may become necessary to process personal data.

Our privacy policy provides information on the nature, scope, and purpose of the personal data we collect, use, and process. This privacy policy also explains what rights data subjects have in conjunction with their personal data.

In our role as controller, we have taken numerous technical and organizational measures to ensure that the personal data processed via this website are protected to the fullest possible degree. Still, please note that Internet-based data transfers may involve security vulnerabilities in principle, so it is not possible to guarantee absolute protection.

 

2. Definitions

Our privacy policy uses terms that are also found in the EU General Data Protection Regulation (GDPR). To make it easier for you to read and understand this document, key terms are explained in the section below.

 

2.1 Personal data

“Personal data” means all information relating to an identified or identifiable natural person (the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

2.2 Data subject

“Data subject” means any identified or identifiable natural person whose personal data are processed by the controller.

 

2.3 Processing

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

2.4 Restriction of processing

“Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future.

 

2.5 Profiling

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

 

2.6 Pseudonymization

“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

 

2.7 Controller

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

 

2.8 Processor

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

 

2.9 Recipient

“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as recipients.

 

2.10 Third party

“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

 

2.11 Consent

“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

 

3. Name and address of the controller

The controller within the meaning of the GDPR, other data protection acts applicable within the Member States of the European Union, and other provisions of a data protection and privacy nature is:

Südwestdeutsche Salzwerke AG

Salzgrund 67

74076 Heilbronn

Germany

 

4. Contact details of the data protection officer

The address of the data protection officer is:

Südwestdeutsche Salzwerke AG

Data Protection Officer

Salzgrund 67

74076 Heilbronn

Alternatively, you can also use the following e-mail address for your inquiries:

Datenschutz@salzwerke.de

 

5. How we protect your data

We take protecting your personal data very seriously and implement appropriate technical and organizational measures to protect your data associated with the use of this website against access by unauthorized parties, manipulation, destruction, and loss. The security measures used are improved on an ongoing basis in keeping with advances in technology.

For example, communication via our website is protected via HTTPS (HyperText Transfer Protocol Secure). This establishes a secure connection between the server and client that cannot be read by unauthorized parties. This serves to protect the transfer of confidential content such as inquiries that you submit to us as the operator of this site.

Where service providers are involved in the handling or performance of services of our website and these service providers should be viewed as processors, we have entered into processing agreements within the meaning of Article 28 GDPR to govern these relationships with an eye to protecting your personal data.

 

6. Collection of general data and information during use of our website
 

Where our website is used for purely informational purposes, i.e., without registering for a customer account, using the contact form for inquiries, or placing an order in the online shop, we collect only those personal data that your browser transmits to our server. If you wish to view our website, we collect the following data:

  • the IP address;
  • date and time of query;
  • the region (not the address) from which the IP address accesses the website;
  • the browser language, type (e.g., Chrome, Firefox, Safari), and version;
  • operating system;
  • device type (e.g., mobile device, desktop computer, tablet);
  • browsing behavior on the website (e.g., when was the website visited, which areas of the website were clicked, how much time was spent on the website); and
  • the website from which the request comes.

We process and store these data for purposes of ensuring the functionality of the website, improving the content of the website, and preparing statistical analyses based on aggregated data on surfing. We also process and store them to analyze the technical operation of the website and ensure the security of our information technology systems.

Our legitimate interest in data processing pursuant to point (f) of Article 6(1) GDPR lies in the necessity of displaying this website to you and ensuring stability, functionality, and security. The storage of server logfiles also serves the purpose of potential criminal prosecution with an eye to possible cyberattacks. With an eye to logfile rotation, logfiles and the IP addresses they contain are stored until a limit of 100 MB is reached and then automatically overwritten or deleted once that limit is passed. The duration of storage is 60 days.

 

7. Hosting of our website

We host our website via our hosting partner exclusively in Germany as a server location (server(s) in Germany). In keeping with the provisions of data protection and privacy law, we have entered into an agreement on processing of data on another entity’s behalf pursuant to Article 28 GDPR. Connection data are processed for the purpose of providing and delivering the website. The data are not stored beyond the visit itself for the mere purpose of delivering and providing the website. However, our processor does store the connection data for security purposes. The duration of processing for security purposes is variable and ends when there is no longer a need for the security measures in question.

 

8. Data in the context of use of a contact form offered on the website

If you have questions of any kind, we give you the option of contacting us using a form provided on the website or an online function that serves this purpose. Providing a valid e-mail address is required so that we know who sent the inquiry and can respond to it. Further required information is indicated with an asterisk (*) in the contact form. Depending on the topic, the nature of the data involved, and whether or not you are already a customer, the processing of the data is based on the contract with you, your consent, or your or our legitimate interest in clarifying the matter pursuant to points (a), (b), and (f) of Article 6(1) GDPR. We will erase your data concerning the inquiry where we are not legally obligated to continue to store or retain them. Where the data are still required to handle outstanding inquiries, they will not be erased until after these inquiries are settled. Your personal data are not shared with third parties.

 

9. Links to other websites and services of third parties

Our website may contain links to third-party websites, and some of our services may allow you to access the services of third parties (such as social networks) under some circumstances. We have no influence over how third-party websites and/or services process your personal data. We do not review or verify third-party websites or services, nor are we responsible for their data protection and privacy practices. Please read the privacy policies of the third-party websites and/or services you access via our website or services. Where our website includes other services, you will find explanatory information regarding this in this privacy policy.

 

10. Cookie policy

10.1 What are cookies?

Cookies are small text files in which a Web browser stores information transmitted by a Web server regarding the Internet sites that have been visited. This may be information on the site visit, such as duration, login details, user entries, and similar information.

These cookies are stored on your computer or mobile device when you visit a website. They take up hardly any storage space and are automatically deleted when they expire. Certain cookies expire at the end of your Internet session, while others are stored for a limited period.

10.2. Cookie consent through Cookiebot via “COOKIE GUIDE”

Our website uses cookie consent technology from Cookiebot to obtain your consent to the storage of certain cookies on your device and document this in a manner compliant with data protection and privacy law. The provider of this technology is Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark (“Cookiebot”).

When you enter our website, a connection is established to the Cookiebot servers to obtain your consent and other declarations regarding the use of cookies. Then Cookiebot stores a cookie on your browser to be able to associate the consent you have granted or withdrawn with you. The data collected in this way are stored until you request that we erase them or delete the Cookiebot cookie itself or the purpose of storing the data ceases to apply. Cookiebot is used in order to obtain the legally required consent to the use of cookies. The legal basis for this is point (c) of Article 6(1) GDPR.

Agreement on processing of data on another entity’s behalf

We have entered into an agreement on processing of data on another entity’s behalf with Cookiebot. This is an agreement required by data protection and privacy law that ensures that Cookiebot processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

10.3. COOKIE GUIDE

What kinds of cookies are there?

Strictly necessary cookies

Strictly necessary cookies help to make a website usable by enabling basic functions such as site navigation and access to secure areas of the website. The website cannot function properly without these cookies.

Statistical cookies

Statistical cookies help website operators understand how visitors interact with websites by collecting and reporting information anonymously.

Marketing cookies

Marketing cookies are used to track visitors on websites. The intention is to display ads that are relevant and appealing to the individual user and are therefore of greater value for publishers and third-party advertisers.

Preference cookies

Preference cookies enable a website to remember information that affects how a website behaves or looks, such as your preferred language or the region where you are located.

Why do we use cookies?

We use cookies primarily to make your visit to our website as user-friendly as possible. We also use cookies with which tracking on the website can be analyzed and for advertising purposes when you visit other websites in the future.

How you can manage cookies on our website

You can easily view your cookie settings at any time and make changes as needed. You can click the “Change consent” or “Withdraw consent” button to access the cookie banner and make the appropriate adjustments at any time.

 

10.4 Cookie policy updates

This cookie policy is subject to change. Please visit this website regularly to stay abreast of the current version.

 

11. Erasure and blocking of personal data

The controller processes and stores personal data of the data subject only for the period necessary to achieve the purpose of storage or to the extent that this has been provided by the European legislative and regulatory authorities or other legislative bodies in laws or regulations to which the controller is subject.

If the purpose of storage ceases to apply or a storage time limit stipulated by the European legislative and regulatory authorities or another legislative body with jurisdiction expires, the personal data are blocked or erased in accordance with the statutory provisions.

 

12. Legal bases of processing of personal data

Point (a) of Article 6(1) GDPR serves our company as the legal basis for processing operations in whose case we obtain consent for a specific purpose of processing, such as in the case of use of a contact form included in the website.

If the processing of personal data is necessary in order to perform a contract to which the data subject is party, as is the case with processing operations that are necessary in order to deliver goods or perform another service or provide consideration, for example, then the processing is based on point (b) of Article 6(1) GDPR. The same applies to processing operations that are necessary in order to take steps prior to entering into a contract, such as in the case of inquiries concerning our products or services.

Where our company is under a legal obligation that necessitates processing of personal data, such as to fulfill tax obligations, the processing is based on point (c) of Article 6(1) GDPR.

Processing operations may also be based on point (f) of Article 6(1) GDPR. This is the case where the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. We are permitted to engage in these kinds of processing operations, in particular, because they were mentioned specifically by the European legislature when the regulation was drafted. The legislature’s view in this regard was that it might be necessary to assume a legitimate interest where the data subject is a customer of the controller or is in the controller’s service (Recital 47, second sentence, GDPR). Where processing of personal data is based on point (f) of Article 6(1) GDPR, our legitimate interest consists in performing our business activity for the good of our shareholders while observing the legitimate interests of the data subjects. When weighing this interest, the focus is always on an appropriate relationship between the data subject and us as a company.

 

13. Duration of storage of personal data

The criterion for the duration of storage of personal data is statutory retention periods, which may arise from tax or commercial law and from further applicable legal provisions, wherever these legal provisions are applicable to your personal data. After the time limit expires, the relevant data are erased insofar as they are no longer required to perform a contract, take steps prior to entering into a contract, or maintain the business relationship. If no retention periods are applicable and you have given us your consent to the storage and use of your personal data, the data will be stored and used for the intended purpose for as long as indicated in the context of the consent or until you withdraw your consent to use for the future, as the case may be.

 

14. Statutory or contractual provisions on providing the personal data; necessity for entering into a contract; obligation of the data subject to provide the personal data; possible consequences of failure to provide the personal data

Please note that providing personal data is required by law in some cases (tax regulations, for example) or may also arise from contractual provisions (such as information on the other party to the contract). In order to enter into a contract, it may be necessary for a data subject to provide us with personal data that subsequently must be processed by us. For example, the data subject is obligated to provide us with personal data if our company enters into a contract with him or her. Failure to provide the personal data would mean it would not be possible to enter into the contract with the data subject.

 

15. Data protection and privacy provisions on the use of Google Analytics 4

Where you have given consent, this website uses Google Analytics 4, a Web analytics service of Google LLC. The controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”). We have entered into an agreement on processing of data on another entity’s behalf pursuant to Article 28 GDPR with Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

Scope of processing

Google Analytics uses cookies that enable analysis of your use of our Web pages. The information on your use of this website collected via the cookies is typically transmitted to a Google server in the United States and stored there. We use the User-ID function. The User-ID function allows us to associate one or more sessions (and activity within these sessions) with a unique, permanent ID and analyze user behavior across devices.

With Google Analytics 4, anonymization of IP addresses is activated by default. Due to this IP anonymization, your IP address is truncated (shortened) by Google within Member States of the European Union or other states that are signatories to the Agreement on the European Economic Area. Only in isolated instances is the full IP address transmitted to a Google server in the United States and truncated there. According to Google, the IP address transmitted by your browser within the scope of Google Analytics is not combined with other Google data.

During your website visit, your user behavior is recorded in the form of “events.” Events include but are not limited to the following:

  • Page impressions
  • Initial visit to the website
  • Start of a session
  • Your “click path,” interaction with the website
  • Scrolls (whenever a user scrolls to the end of the page (90%))
  • Clicks on external links
  • Internal search queries
  • Interaction with videos
  • File downloads
  • Ads viewed / clicked
  • Language settings

The following information is also collected:

  • Your approximate location (data on country, region, city)
  • Your IP address (in truncated (anonymized) form)
  • Technical information on your browser and the devices you use (e.g., language settings, screen resolution)
  • Your Internet provider
  • Referrer URL (via which website or ad you arrived at this website)

Purposes of processing

On behalf of the operator of this website, Google will use this information to analyze your website use and compile reports on website activity. The reports provided by Google Analytics serve to analyze our website’s performance and the success of our marketing campaigns.

Recipients

The recipients of the data are/may be

  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (in the role of processor pursuant to Article 28 GDPR)
  • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.A.
  • Alphabet Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.A.

It is not impossible that U.S. government agencies or other authorities may access the data stored by Google.

Third country transfers

Where data are processed outside the EU/EEA and there is no level of data protection commensurate with the European standard, we have entered into EU standard contractual clauses with the service provider to establish an adequate level of data protection. The parent company of Google Ireland, Google LLC, is headquartered in California, U.S.A. It is not impossible that data will be transmitted to the United States, or that U.S. government agencies or other authorities may access the data stored by Google. The United States is currently considered a third country from the standpoint of European data protection and privacy law. You do not have the same rights there as you do within the EU/EEA. You may have no legal remedies against access by government agencies or other authorities.

Duration of storage

The data transmitted by us and linked to cookies are automatically erased after 14 months. Data that have reached the end of their retention period are automatically erased once a month.

Legal basis

The legal basis for this data processing is your consent pursuant to point (a) of Article 6(1) GDPR.

Withdrawal of consent

You can withdraw your consent at any time with effect for the future by accessing the cookie settings via the COOKIE GUIDE and changing your selection there (see Sec. 10.3.). This will not change the lawfulness of the processing that has taken place based on your consent up until the time of withdrawal.

You can also prevent cookies from being stored from the outset by adjusting your browser settings accordingly. If you configure your browser to reject all cookies, however, the functions of this and other websites may be restricted as a result. You can also prevent the data generated by the cookie concerning your use of the website (including your IP address) from being collected and transmitted to Google and the processing of these data by Google by not consenting to the placement of cookies.

For further information on the terms of use of Google Analytics and privacy at Google, please visit https://marketingplatform.google.com/intl/de/about/analytics/ and https://policies.google.com/privacy?hl=en.

16. Overview of your rights as a data subject

Pursuant to the provisions of the GDPR, a data subject has individual rights that can be asserted by request in connection with that person’s personal data. For example, there are rights of access to information and rights to rectification, erasure, restriction of processing, and data portability, along with individual rights to object and the right to lodge a complaint with a supervisory authority. This section presents an overview of the individual rights and the time limits that apply to them.

 

17.1 Time limits for rights assertable by request as stipulated in Articles 15–21 GDPR

In our role as controller, we will respond to the data subject regarding any requests pursuant to Articles 15–21 GDPR within a time limit of one month after receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests. In that case, we will notify you within one month after receipt of your request that we are making use of this extension. Where the data subject makes the request by electronic means, we will respond to it by electronic means where possible, unless you request otherwise.

 

17.2 Request channels

You can submit requests by mail or e-mail. You can find the contact address in Sec. of this privacy policy.

 

17.3 Right of access by the data subject pursuant to Article 15 GDPR

A data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and further information as described in Article 15 GDPR.

Please note that the controller can provide information only if there are no objections or concerns regarding the data subject’s identity. The controller is required to use all reasonable means to verify the identity of a data subject seeking access to information.

 

17.4 Right to rectification pursuant to Article 16 GDPR

A data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

 

17.5 Right to erasure pursuant to Article 17 GDPR

A data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller has the obligation to erase personal data without undue delay where the prerequisites listed in Article 17 GDPR are met.

 

17.6 Right to restriction of processing pursuant to Article 18 GDPR

A data subject has the right to obtain from the controller restriction of processing where the prerequisites stipulated in Article 18 GDPR are met.

 

17.7 Right to data portability pursuant to Article 20 GDPR

A data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a format as described in Article 20 GDPR and the right to have those data transmitted to another controller on the data subject’s instructions, where the prerequisites described in Article 20 GDPR are met.

 

17.8 Right to object pursuant to Article 21 GDPR

A data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her where these data were collected based on point (e) of Article 6(1) GDPR (processing takes place for the performance of a task carried out by the controller in the public interest or in the exercise of official authority vested in the controller) or point (f) of Article 6(1) GDPR (processing takes place on the basis of a legitimate interest pursued by the controller or a third party).

The controller must no longer process the personal data in these cases unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or the processing serves for the establishment, exercise or defense of legal claims.

Where personal data are processed by the controller for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

 

17.9 Right to object pursuant to point (c) of Article 13(2) GDPR

Where the processing of personal data of a data subject by the controller is based on point (a) of Article 6(1) GDPR (the data subject has given consent to the processing of his or her personal data for one or more specific purposes) or point (a) of Article 9(2) GDPR (the data subject has given consent to the processing of special categories of personal data concerning him or her for one or more specific purposes), the data subject has the right to withdraw consent at any time without the lawfulness of the processing that has taken place based on consent up until the time of its withdrawal being affected thereby.

You can withdraw your consent by mail or e-mail. You can find the contact address in Sec. of this privacy policy.

 

18. Right to lodge a complaint with a supervisory authority pursuant to Article 77 GDPR

Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. You can typically contact the supervisory authority in the place of your habitual residence or place of work or the place of the company’s registered office to do this.

The supervisory authority with which the complaint has been lodged is required to inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.

The data protection supervisory authority with jurisdiction over us is:

The Baden-Württemberg State Commissioner for Data Protection and Freedom of Information

 

Address:

Lautenschlagerstr. 20

70173 Stuttgart

Germany

Mailing address:

Postfach 10 29 32

70025 Stuttgart

Germany

 

Further information is available online at www.baden-wuerttemberg.datenschutz.de.

 

19. Current version of this privacy policy

It may be necessary to adjust our privacy policy for legal or technical reasons. We reserve the right to make such changes at any time and therefore request that you consult this privacy policy at regular intervals to stay informed of current developments.

 

Last updated: December 2023