Privacy policy

The Swiss Museum Pass Foundation is the operator of the website www.museumspass.ch and therefore responsible for the collection, processing and use of your personal data and the compliance of the data processing with the applicable data protection law.

Your trust is important to us, which is why we take the issue of data protection seriously and ensure appropriate security. It goes without saying that we comply with the legal provisions of the Federal Act on Data Protection (FADP), the Ordinance to the Federal Act on Data Protection (OFADP), the Telecommunications Act (TCA) and other applicable data protection provisions of Swiss or EU law, in particular the General Data Protection Regulation (GDPR).

So that you know what personal data we collect from you and for what purposes we use it, please take note of the following information.

The address of our data protection representative in the EU is:
VGS Datenschutzpartner UG, Am Kaiserkai 69, 20457 Hamburg, Germany, info@datenschutzpartner.eu, https://datenschutzpartner.eu/

A. Data processing when visiting our website

1. calling up our website

When you visit our website, our servers temporarily store every access in a log file. As with every connection to a web server, the following technical data is recorded without any action on your part and stored by us until it is automatically deleted after three months at the latest:

• the IP address of the requesting computer,
• the name of the owner of the IP address range (usually your Internet access provider),
• the date and time of access,
• the website from which the access was made (referrer URL) with the search term used, if applicable,
• the name and URL of the retrieved file,
• the status code (e.g. error message),
• the operating system of your computer,
• the browser you are using (type, version and language),
• the transmission protocol used (e.g. HTTP/1.1) and

This data is collected and processed for the purpose of enabling the use of our website (connection establishment), ensuring system security and stability in the long term and enabling the optimization of our website as well as for internal statistical purposes. This is our legitimate interest in data processing within the meaning of Art. 6 para. 1 lit. f GDPR.

The IP address is also evaluated together with the other data in the event of attacks on the network infrastructure or other unauthorized or abusive website use for clarification and defense and, if necessary, used in the context of criminal proceedings for identification and for civil and criminal proceedings against the users concerned. This is our legitimate interest in data processing within the meaning of Art. 6 para. 1 lit. f GDPR.

2. contact by e-mail

You have the option of contacting us by e-mail on our website. All you have to do is enter your e-mail address.

We only use your e-mail address and other data you provide voluntarily to answer your contact request in the best possible and personalized way. The processing of this data is therefore necessary within the meaning of Art. 6 para. 1 lit. b GDPR for the implementation of (pre-)contractual measures or is in our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

3. registration for our newsletter

You have the option of subscribing to our newsletter on our website. Registration is required for this. As part of the registration process, you must enter your e-mail address. The e-mail address is required for sending the newsletter. By registering, you give us your consent to process the e-mail address for the regular dispatch of the newsletter to the address you have provided and for the statistical evaluation of user behavior and the optimization of the newsletter.

This consent constitutes our legal basis for the processing of your e-mail address within the meaning of Art. 6 para. 1 lit. a GDPR. We are entitled to commission third parties with the technical processing of advertising measures and are entitled to pass on your data for this purpose (see section 13 ff. for information on the exchange of data with third parties). To send our newsletter, we use the CleverReach email marketing service from CleverReach GmbH & Co. KG from Germany.

At the end of each newsletter you will find a link that you can use to unsubscribe at any time. After you unsubscribe, your personal data will be deleted. Any further processing will only take place in anonymized form to optimize our newsletter.

4. ordering a museum pass

You have the option of ordering a museum pass on our website. When ordering, you must create a customer account and provide the following data:

• First and last name
• Postal address
• E-mail address

The data is processed for the smooth processing and verification of the order. The processing of this data is therefore necessary within the meaning of Art. 6 para. 1 lit. b GDPR for the implementation of (pre-)contractual measures or is in our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

Payment transactions are processed via the bank-certified payment platform Saferpay. Saferpay guarantees simple and secure payment transactions using credit cards, both for the cardholder and for the provider.

5. registration as an institution

You have the option of registering with us as an institution on our website. When registering, you must provide the following data:

• Name of the institution
• First and last name of the contact person
• Postal address
• Phone number
• E-mail address
• Website
• Type of institution

The data will only be processed for the smooth processing and verification of the registration. The processing of this data is therefore necessary within the meaning of Art. 6 para. 1 lit. b GDPR for the implementation of (pre-)contractual measures or is in our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

6. order Raiffeisen block and/or advertising material

You have the option of ordering advertising material on our website. When ordering, you must provide your e-mail address and contact details. The e-mail address and other data you provide voluntarily will only be processed for the smooth processing and verification of the order. The processing of this data is therefore necessary within the meaning of Art. 6 para. 1 lit. b GDPR for the implementation of (pre-)contractual measures or is in our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

7. cookies

Cookies help in many ways to make your visit to our website easier, more pleasant and more meaningful. Cookies are information files that your web browser automatically saves on your computer's hard disk when you visit our website.

For example, we use cookies to temporarily store your selected services and entries when you fill out a form on the website so that you do not have to repeat the entry when you access another subpage. Cookies may also be used to identify you as a registered user after you have registered on the website without you having to log in again when you access another subpage.

Most Internet browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or so that a message always appears when you receive a new cookie. On the following pages you will find explanations of how you can configure the processing of cookies in the most common browsers:

• Microsoft's Windows Internet Explorer
• Microsoft's Windows Internet Explorer Mobile
• Mozilla Firefox
• Google Chrome for desktop
• Google Chrome for Mobile
• Apple Safari for Desktop
• Apple Safari for Mobile

If you deactivate cookies, you may not be able to use all the functions of our website.

8. tracking and retargeting tools

a. Google Analytics and Google Tag Manager

We use the web analysis service Google Analytics for the purpose of designing and continuously optimizing our website in line with requirements. In this context, pseudonymized user profiles are created and cookies are used (see section 7). The information generated by the cookie about your use of this website is transmitted to the Google Analytics servers, stored there and processed for us. In addition to the data listed under Section 1, we may receive the following information as a result:

• Navigation path that a visitor follows on the site,
• Time spent on the website or subpage,
• the subpage on which the website is left,
• the country, region or city from which access is made,
• end device (type, version, color depth, resolution, width and height of the browser window) and
• Returning or new visitor.

The information is used to evaluate the use of the website, to compile reports on website activity and to provide other services relating to website activity and internet usage for the purposes of market research and the needs-based design of this website.

We also use Google Tag Manager to manage the services for usage-based advertising. The Tag Manager tool is a cookie-free domain and does not collect any personal data. Instead, the tool ensures the resolution of other tags, which in turn may collect data under certain circumstances. If you have made a deactivation at domain or cookie level, this remains in place for all tracking tags that are implemented with the Google Tag Manager.

The provider of these services is Google Inc, a company of the holding company Alphabet Inc, based in the USA. Before the data is transmitted to the provider, the IP address is shortened by activating IP anonymization („anonymizeIP“) on this website within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area. The anonymized IP address transmitted by Google Analytics will not be merged with other Google data. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. However, Google is a company certified under the US Privacy Shield and as such has an appropriate level of data protection. According to Google Inc., under no circumstances will the IP address be associated with other data relating to the user.

Further information about the services used can be found on the Google website. Instructions on how you can prevent the processing of your data by the web analysis service can be found here. You can find more information about Google and their privacy policy here here.

The legal basis for processing the data for this purpose is our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.

b. Google AdWords Coversion Tracking

We use the online advertising program „Google AdWords“ on our website and conversion tracking in this context. Google AdWords conversion tracking is also a Google service. When you click on an advertisement placed by Google, a cookie for conversion tracking is stored on your computer. These cookies have a limited validity. If you visit certain pages of our website and the cookie has not yet expired, Google and we can recognize that you have clicked on the ad and have been redirected to this page. Each Google AdWords customer receives a different cookie. It is therefore not possible for cookies to be tracked via the websites of AdWords customers.

The information collected with the help of the conversion cookie is used to create conversion statistics. This tells us the total number of users who clicked on one of our ads and were redirected to a page with a conversion tracking tag. However, we do not receive any information with which users can be personally identified.

You can prevent the storage of cookies by selecting the appropriate technical settings in your browser software (see section 7). After deletion, you will not be included in the conversion tracking statistics.

You can also deactivate personalized advertising in the Google settings. You can find instructions on how to do this here. In addition, you can deactivate the use of cookies by third-party providers by visiting the deactivation page of the Network Advertising Initiative here and implement the further information on the opt-out mentioned there. Further information and Google's privacy policy can be found here.

The legal basis for processing the data for this purpose is our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.

c. Google Dynamic Remarketing

We use Google Dynamic Remarketing, also a Google service, on our website. Google Dynamic Remarketing serves the purpose of analyzing visitor behavior and visitor interests.

Google also uses cookies to analyze website usage, which forms the basis for the creation of interest-based advertisements. Cookies are used to record visits to the website and anonymized data on the use of the website (see section 7 above on cookies). No personal data is stored. If you subsequently visit another website in the Google Display Network, you will be shown advertisements that are highly likely to take into account previously accessed product and information areas. Your data may also be transmitted to the USA.

You can permanently deactivate the use of cookies by Google for this purpose. here deactivate it. You can find more information about Google Remarketing and the associated privacy policy at here.

The legal basis for processing the data for this purpose is our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.

9. google maps

We use Google Maps API (Application Programming Interface, „Google Maps“) on our website to visually display geographical information (maps). Google Maps is also operated by Google. By using Google Maps, information about the use of our website, including your IP address, is transmitted to a Google server in the USA and stored there. It is possible to deactivate the Google Maps service and prevent the transfer of data to Google by deactivating JavaScript in your browser. However, we would like to point out that you will not be able to use the map display in this case. You can find more information about the collection, processing and use of your data by Google and your rights in this regard here in Google's privacy policy and here in the additional terms of use for Google Maps or Google Earth.

The legal basis for processing the data for this purpose is our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.

10. links to our social media presences

We have included links to our social media profiles on the following social networks on our websites:

• Facebook, Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA,
• Instagram, Instagram Inc, 1601 Willow Road, Menlo Park, CA 94025, USA, and
• YouTube, a service operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

If you click on the relevant social network icons or links, you will be automatically redirected to our profile on the relevant network. In order to use the functions of the network there, you must log into your user account with the network in some cases.

When you access a link to one of our social media profiles, a direct connection is established between your browser and the server of the relevant social network. This provides the network with the information that you have visited our website with your IP address and accessed the link. If you access a link to a network while you are logged into your account with the relevant network, the content of our pages may be linked to your profile on the network, which means that the network can directly associate your visit to our website with your user account. If you wish to prevent this, you should log out before clicking on the relevant links. An assignment will take place in any case if you log in to the relevant network after clicking on the link.

The legal basis for processing the data for this purpose is our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.

B. Data processing outside the website

11. for the (external) sale of the museum pass

You have the option of purchasing a museum pass at our external points of sale (e.g. at the post office, museums and tourist offices) as well as on site at our offices. To do so, you must provide the following information:

• First and last name
• Postal address
• E-mail address

The data will only be processed by us and the external sales outlets for the smooth processing and checking of the order and, in the case of the external sales outlets, forwarded to us.

If you buy the museum pass from us on site, you have the option of paying both in cash and by card. Card payments are processed via SumUp. SumUp is a payment service provided by SumUp Payments Limited, 32-34 Great Marlborough St, W1F 7JB, London, UK. With the SumUp payment, SumUp receives data about the transaction (including time, location, transaction amount and cardholder information). Further information about SumUp and their privacy policy can be found here.

The processing of this data is therefore necessary within the meaning of Art. 6 para. 1 lit. b GDPR for the implementation of (pre-)contractual measures.

12. at the entrance to the museum

When you visit one of our museums and/or institutions with your Museum Pass, the following data is collected:

• First and last name of the visitor
• Museum pass number (if necessary, only the last four numbers)

This data is only collected by the museums and/or institutions to track visitor numbers and for statistical purposes and forwarded to us. The processing of this data is therefore in our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.

C. Storage and exchange of data with third parties

13. central storage and linking of data

We may store personal data in a central electronic data processing system. The data relating to you will be systematically recorded and linked in order to process your order and handle the contractual services. For this purpose, we use software from Micro Systems, Landstrasse 66, 5073 Gipf-Oberfrick. We base the processing of this data as part of the software on our legitimate interest in customer-friendly and efficient customer data management within the meaning of Art. 6 para. 1 lit. f GDPR.

14. storage period

We only store personal data for as long as is necessary to use the above-mentioned tracking services and other processing within the scope of our legitimate interest. We store contractual data for longer, as this is required by statutory retention obligations. Retention obligations that require us to retain data arise from accounting regulations and tax law. According to these regulations, business communication, concluded contracts and order receipts must be stored for up to 10 years. If we no longer need this data to perform the services for you, the data will be blocked. This means that the data may then only be used for accounting and tax purposes.

15. disclosure of data to third parties

We only pass on your personal data if you have expressly consented to this, if there is a legal obligation to do so or if this is necessary to enforce our rights, in particular to enforce claims arising from the contractual relationship. In addition, we pass on your data to third parties if this is necessary in the context of using the website and processing the contract.

Various third-party service providers are explicitly mentioned in this privacy policy (e.g. in Section 3 Newsletter, Section 8 Tracking and retargeting tools, Section 11 for the (external) sale of the Museum Pass). Another service provider to whom personal data is passed on or who has or may have access to it is our web host Cyon GmbH. The website is hosted on servers in Switzerland. The data is passed on for the purpose of providing and maintaining the functionalities of our website. This is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

16. transfer of personal data abroad

We are also entitled to transfer your personal data to third-party companies (contracted service providers) abroad for the purposes of the data processing described in this privacy policy. These companies are obliged to protect data to the same extent as we are. If the level of data protection in a country does not correspond to that in Switzerland or the EU, we contractually ensure that the protection of your personal data corresponds to that in Switzerland or the EU at all times.

D. Further information

17. right of access, rectification, erasure and restriction of processing; right to data portability

You have the right to request information about the personal data that we store about you. In addition, you have the right to have incorrect data corrected and the right to have your personal data deleted, insofar as this does not conflict with any legal obligation to retain data or a permission that allows us to process the data.

You also have the right to request that we return the data that you have provided to us (right to data portability). On request, we will also forward the data to a third party of your choice. You have the right to receive the data in a commonly used file format.

You can contact us for the aforementioned purposes via the e-mail address info@museumspass.ch reach. We may, at our discretion, require proof of identity in order to process your application.

18. data security

We use suitable technical and organizational security measures to protect your personal data stored by us against manipulation, partial or complete loss and against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

You should always treat your access data confidentially and close the browser window when you have finished communicating with us, especially if you share the computer with others.

We also take data protection within the company very seriously. Our employees and the service companies commissioned by us have been obliged by us to maintain confidentiality and to comply with data protection regulations.

19. note on data transfers to the USA

For the sake of completeness, we would like to point out to users residing or domiciled in Switzerland that there are surveillance measures in place in the USA by US authorities that generally allow the storage of all personal data of all persons whose data has been transferred from Switzerland to the USA. This is done without differentiation, restriction or exception based on the objective pursued and without an objective criterion that makes it possible to restrict the US authorities' access to the data and its subsequent use to very specific, strictly limited purposes that justify the interference associated with both access to this data and its use. We would also like to point out that there are no legal remedies available in the USA for data subjects from Switzerland that would allow them to gain access to the data concerning them and to obtain its correction or deletion, or that there is no effective legal protection against general access rights of US authorities. We explicitly draw the attention of the data subject to this legal and factual situation so that they can make an appropriately informed decision to consent to the use of their data.

We would like to point out to users residing in a member state of the EU that the USA does not have an adequate level of data protection from the perspective of the European Union - partly due to the issues mentioned in this section. Insofar as we have explained in this privacy policy that recipients of data (such as Google) are based in the USA, we will ensure that your data is protected at an appropriate level by our partners either through contractual arrangements with these companies or by ensuring that these companies are certified under the EU or Swiss-US Privacy Shield.

20. right to lodge a complaint with a data protection supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority at any time.

Status: 01.09.2022