The Swiss Museum Pass Foundation is the operator of the website www.museumspass.ch and therefore responsible for collecting, processing and using your personal data and for ensuring that data processing complies with applicable privacy laws.
Your trust is important to us, which is why we take the subject of data protection seriously and take pains to ensure an adequate level of security. It goes without saying that we abide by the statutory provisions of the Federal Act on Data Protection (FADP), the Ordinance of the Federal Act on Data Protection (VDSG), the Telecommunications Act (FMG) and any other applicable privacy provisions under Swiss or EU laws, in particular the General Data Protection Regulation (GDPR).
Please take note of the following information so that you are aware of what type of personal data we collect from you and the purposes for which we use such data.
The address of our data privacy representative in the EU is as follows:
VGS Datenschutzpartner UG, Am Kaiserkai 69, 20457 Hamburg, Germany,
info@datenschutzpartner.eu, https://datenschutzpartner.eu/
A. Data processed when our website is visited
1. Accessing our website
When you visit our website our servers temporarily store each access in a log file. In so doing, the following technical data is generally collected without your intervention each time a connection is established with a web server and stored with us until it is automatically deleted within three months:
- the IP address of the requesting computer;
- the name of the owner of the IP address range (usually your internet access provider);
- the date and time of the access;
- the website from which the access took place (referrer URL) together with the search term if applicable;
- the name and the URL of the file retrieved;
- the status code (e.g. error message);
- your computer’s operating system;
- the browser used by you (type, version and language);
- the transmission protocol used (e.g. HTTP/1.1).
This data is collected and processed to enable our website to be used (establishment of connection), to ensure system security and stability in the long run, to optimise our internet service and for internal statistical purposes. This is where our legitimate interest in processing data pursuant to art. 6, para. 1, letter f GDPR lies.
During attacks on our network infrastructure or other unauthorised use or misuse of the website the IP address together with other data is also analysed for clarification and to defend against such attacks and in some cases it is used for identification during criminal proceedings and to enable civil and criminal actions to be taken against the users in question. This is where our legitimate interest in processing data pursuant to art. 6, para. 1, letter f GDPR lies.
2. Contact via email
On our website you can contact us via email. All you have to do is to provide your email address.
We use your email address and other data freely provided by you to reply to your query as best we can and to personalise our reply. Therefore, the processing of such data is required pursuant to art. 6, para. 1, letter b GDPR to enable any steps prior to entering into a contract to be taken and/or lies in our legitimate interest pursuant to art. 6, para. 1, letter f GDPR.
3. Registration for our newsletter
On our website you have the option of signing up for our newsletter. Registration is required for this purpose. During registration you must provide your email address. The email address is required by us to send you our newsletter. Upon registration you provide your consent for the email address to be processed, for the newsletter to be regularly sent to the address provided by you, for statistical analysis of usage patterns and for optimising the newsletter.
This consent pursuant to art. 6, para. 1, letter a GDPR provides the legal basis for us to process your email address. We are entitled to engage third parties to handle technical aspects of online advertising and to pass on your data for this purpose (see para. 13 ff for details on the exchange of data with third parties). We use the email marketing service CleverReach provided by CleverReach GmbH & Co. KG from Germany to send you our newsletter.
You will find a link at the end of each newsletter enabling you to unsubscribe from the newsletter at any time. Once you have unsubscribed from the newsletter your personal data will be erased. Any further processing will only take place in an anonymised form for the optimisation of our newsletter.
4. Ordering a museum pass
On our website you have the option of ordering a museum pass. On the occasion of the order you have to create a customer account and must provide the following data:
- first name and surname;
- postal address;
- email address.
This data is only processed to enable the order to be handled and checked smoothly. Therefore, the processing of this data is required pursuant to art. 6, para. 1, letter b GDPR to enable any steps prior to entering into a contract to be taken and/or lies in our legitimate interest pursuant to art. 6, para. 1, letter f GDPR.
Payment transactions are processed via the bank-certified payment platform Saferpay. Saferpay guarantees simple and secure payment transactions via credit cards, both for the cardholder and for the provider.
5. Registration as an institution
On our website you have the option of registering as an institution. When registration takes place you must provide the following data:
- the institution’s name;
- the first name and surname of the contact person;
- postal address;
- telephone number;
- email address;
- internet page;
- type of institution.
This data is only used to enable the registration to be handled and checked smoothly. Therefore, the processing of this data is required pursuant to art. 6, para. 1, letter b GDPR to enable any steps prior to entering into a contract to be taken and/or lies in our legitimate interest pursuant to art. 6, para. 1, letter f GDPR.
6. Ordering Raiffeisenblock and/or advertising material
On our website you can order advertising material. When the order is placed you must provide your email address and contact details. The email address and any other data freely provided by you are only processed to enable the order to be handled and checked smoothly. Therefore, the processing of this data is required pursuant to art. 6, para. 1, letter b GDPR to enable any steps prior to entering into a contract to be taken and/or lies in our legitimate interest pursuant to art. 6, para. 1, letter f GDPR.
7. Cookies
Cookies help in many respects to render your visit to our website more convenient, pleasant and useful. Cookies are information files automatically stored by your web browser on your computer’s hard disk when you visit our website.
For example, we use cookies to temporarily store the services selected by you and the information typed into forms on the website, so that you do not have to type in the same information again when accessing another sub-page. Cookies may also be used to enable you to be recognised as a registered user following registration, so that you do not have to repeat the login process when accessing another sub-page.
Most internet browsers automatically accept cookies. You can configure your browser so that no cookies are stored on your computer or a message appears every time you receive a new cookie. You can find information on the following pages about how you can configure the way cookies are processed in the most commonly used browsers:
- Microsoft Windows Internet Explorer
- Microsoft Windows Internet Explorer Mobile
- Mozilla Firefox
- Google Chrome for Desktop
- Google Chrome for Mobile
- Apple Safari for Desktop
- Apple Safari for Mobile
Disabling cookies may mean that you are unable to use all the functions on our website.
8. Tracking and retargeting tools
a. Google Analytics and Google Tag Manager
We use the web analysis service Google Analytics to customise and continually optimise our website. In this respect, anonymised user profiles are created and cookies are used (see para. 7). The information created by the cookie on how you use this website is transmitted to the Google Analytics servers, stored there and processed on our behalf. Apart from the data mentioned in para. 1 we may also collect the following information under certain circumstances:
- navigation path followed by a visitor to the website;
- time spent on the website or a sub-page;
- the sub-page from which the visitor leaves the website;
- the country, region or city where access takes place;
- end device (type, version, colour depth, resolution, width and height of the browser window) and
- returning or new visitors.
This information is used to analyse how the website is used, to compile reports on website activities and to provide other services related to use of the website and internet usage for the purpose of market research and to customise this website.
Google Tag Manager is also used to manage usage-based advertising services. The tool Tag Manager is a cookie-free domain and does not collect any personal data. The tool is used rather to remove other tags which, in turn, collect data under certain circumstances. If you have disabled this tool at domain or cookie level, it continues to operate for all tracking tags created using Google Tag Manager.
These services are provided by Google Inc., a subsidiary of the holding Alphabet Inc, with registered office in the USA. Before data is sent to the provider the IP address is shortened on this website in member states of the European Union and in other countries party to the Agreement on the European Economic Area. The anonymised IP address sent to Google Analytics is not associated with other Google data. Only in exceptional cases is the entire IP address sent to a Google server in the USA and shortened there. However, Google is a company certified under the US Privacy Shield and as such possesses an appropriate level of data protection. Moreover, according to Google Inc., the IP address is not associated under any circumstances with other data relating to the user.
You can obtain further information about the services used on the Google website. You can find instructions about how to prevent your data from being processed by clicking here. You can obtain further information about Google and its privacy guidelines by clicking here.
We have a legitimate interest in processing data for this purpose pursuant to art. 6, para. 1, letter f GDPR.
b. Google AdWords Conversion Tracking
We use the online advertising platform Google AdWords on our website and, within the context of this platform, conversion tracking. Google AdWords Conversion Tracking is also a service provided by Google. When you click on an ad placed by Google, a conversion tracking cookie is stored on your computer. These cookies have a limited duration. If you visit certain pages on our website and the cookie has not yet expired, Google and our website are able to recognise that you have clicked on the ad and that you have been redirected to this page. Each Google AdWords client receives a different cookie. This means that there is no way of tracking cookies through the websites of AdWords clients.
The information collected with the aid of the conversion cookie is used to compile conversion statistics. Here we find out about the total number of users who clicked on one of our ads and were redirected to a page using conversion tracking tags. However, we do not collect any information enabling users to be personally identified.
You can prevent cookies from being stored by using the technical configuration options of your browser software (see para. 7). Once the cookies have been erased you will no longer be included in the conversion tracking statistics.
Furthermore you can opt out of interest-based advertising in the Google settings. You can find instructions on how to do this here. You can also disable use of cookies by third-party providers by visiting the opt-out page of the Network Advertising Initiative here and following the detailed information on how to opt out. You can find further information and consult the Google privacy policy by clicking here.
We have a legitimate interest pursuant to art. 6, para. 1, letter f GDPR in processing data for this purpose.
c. Google Dynamic Remarketing
We use Google Dynamic Remarketing on our website, another service provided by Google. Google Dynamic Remarketing is used to analyse visitor behaviour and visitor interests.
Google also uses cookies here to perform the analysis of web usage for the creation of interest-based advertising. Visits to the website and anonymised data on how the website is used (see para. 7 above on cookies) are stored in cookies. No personal data is stored. If you then visit another page in the Google display network you are shown pop-up ads which in all likelihood are related to products and information you have previously consulted. In so doing, your data is also sent to the USA.
You can permanently disable the use of cookies by Google here. You can find more detailed information on Google Remarketing and the associated privacy policy here.
We have a legitimate interest pursuant to art. 6, para. 1, letter f GDPR in processing data for this purpose.
9. Google Maps
We use Google Maps API (Application Programming Interface, ‘Google Maps’) on our website to enable geographical information (location maps) to be displayed visually. Google Maps is also operated by Google. When Google Maps are used information on how our website is used including its IP address is sent to a server in the USA and stored there. You can disable Google Maps and prevent data from being sent to Google if you disable JavaScript in your browser. However, you should be aware that in this case you will no longer be able to display maps. You can find more information on the collection, processing and use of your data by Google and your rights in this respect here in the Google privacy policy and here in the additional terms of use for Google Maps and Google Earth.
We have a legitimate interest pursuant to art. 6, para. 1, letter f GDPR in processing data for this purpose.
10. Links to our social media sites
We have included links on our websites to our social media profile at the following social networks:
- Facebook, Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA;
- Instagram, Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA, and
- Youtube, a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
When you click on the corresponding symbols of the social networks you are automatically redirected to our profile at the social network in question. In order to use the network’s functions you must partially log into your user account at the network.
When you follow a link to one of our social media profiles a direct connection is established between your browser and the server of the corresponding social network. This enables the network to obtain the information that you have visited our website using your IP address and followed the link. When you follow a link to a network while you are logged into your account, the content of our pages may be linked to your profile at the network, which means that the network is able to directly associate your visit to our website with your user account. If you wish to prevent this, you must log out before clicking on the links in question. An association is established every time you log into the network in question after clicking on the link.
We have a legitimate interest pursuant to art. 6, para. 1, letter f GDPR in processing data for this purpose.
B. Data processing outside the website
11. When purchasing a museum pass (at an external physical point of sale)
You can buy a museum pass at one of our external physical points of sale (e.g. at Post offices, museums and tourist offices) or on site in our offices. To do this you must provide the following information:
- first name and surname
- postal address
- email address
This information is only processed and passed on to us by the physical points of sale to enable the order to be handled and checked smoothly.
If you buy the museum pass from us on site, you have the option of paying in cash or by card. The card payment is handled by SumUp. SumUp is a payment service provided by Sumup Payments Limited, 32-34 Great Marlborough St, W1F 7JB, London, UK. When paying with SumUp, SumUp receives data about the transaction (including time, location, transaction amount and cardholder information). More information about SumUp and its privacy policy can be found here.
Therefore, the processing of such data is required pursuant to art. 6, para. 1, letter b GDPR for the implementation of (pre-)contractual measures.
12. When entering a museum
If you visit one of our museums and/or institutions using your museum pass the following information is collected:
- visitor’s first name and surname
- museum pass number (where necessary only the last four digits)
This data is used by the museums and/or institutions to monitor visitor numbers and for statistical purposes and is passed on to us. Therefore, we have a legitimate interest pursuant to art. 6, para. 1, letter f GDPR in processing data for this purpose.
C. Storage and exchange of data with third parties
13. Centralised storage and linkage of data
We may store data in a central electronic data processing system. The data concerning you is systematically collected and linked to process your order and handle the contractual services. We use software provided by Micro Systems for this purpose. The processing of such data is based on our legitimate interest pursuant to art. 6, para. 1, letter f GDPR in the customer-friendly and efficient management of customer data.
14. Retention period
We only store personal data for as long as required to use the aforementioned tracking services and for further processing based on our legitimate interest. Contractual data is stored by us for longer periods since such data is governed by statutory retention requirements. Statutory retention requirements under which we are obliged to store data are based on accounting regulations and tax laws. Under these regulations business communications, contracts and order records must be retained for up to ten years. If this data is no longer required for the provision of services to you, the data is blocked. This means that the data can only be used thereafter for accounting purposes and for tax purposes.
15. Transfer of data to third parties
We only pass on personal data if you have given your explicit consent, if there is a statutory requirement or in order to exercise our rights, in particular, to assert claims under the contractual relationship. We also pass on data to third parties if this is necessary to enable the website to be used and for contract management.
Various third-party service providers (e.g. in para. 3 newsletter, para. 8 Tracking and retargeting tools, para. 11 When purchasing a museum pass (at an external physical point of sale)) have been explicitly mentioned in this privacy notice. Another service provider to which personal data is passed on and/or which has or may obtain access thereto is our web hoster Cyon GmbH. The website is hosted on servers located in Switzerland. This transfer of data takes place to enable the functions of our website to be provided and maintained. This is where our legitimate interest pursuant to art. 6, para. 1, letter f GDPR lies.
16. Transfer of personal data abroad
We are also entitled to transfer your personal data for the data processing purposes set out in this privacy policy to third companies (service providers commissioned by us) located abroad. They are bound by privacy provisions to the same extent as we are. If the level of data protection in any given country is not in line with the level of protection afforded in Switzerland or European countries, we will provide contractual undertakings that the level of protection of your personal data corresponds to the levels existing in Switzerland or in the EU.
D. Further information
17. Right to information, rectification, erasure and restriction of processing; right to data portability
You have the right to request information about the personal data stored by us concerning you. You also have the right to rectify any inaccurate data and the right to erase your personal data, provided this is not precluded by any statutory retention requirements or permission allowing us to process such data.
You also have the right to recover the data you have provided to us (right to data portability). If requested, we can also transmit the data to a third-party controller of your choice. You have the right to receive the data in a commonly used data format.
You can contact us via the email address info@museumspass.ch for the aforementioned purposes. In order to handle your request we may ask you to furnish an ID document as we see fit.
18. Data security
We employ appropriate technical and organisational security measures to protect your personal data stored with us against manipulation, partial or complete loss and against unauthorised access by third parties. Our security measures are continually improved to incorporate the latest technological advancements.
You should always handle your login data confidentially and close the browser window when you have ended your communication with us, especially if you share your computer with other people.
We also take in-house data security very seriously. Our staff and the service providers we engage have been bound by us to maintain confidentiality and to comply with privacy provisions.
19. Note on data transfers to the USA
For the sake of completeness we draw the attention of users with a place of residence in Switzerland to the fact that surveillance measures have been put in place by the US authorities generally enabling the storage of all the personal data of any persons whose data has been sent from Switzerland to the USA. This takes place without any differentiation, limitation or exception with regard to the objective pursued and without any objective criterion enabling access by US authorities to such data and its subsequent use to be limited to specific, strictly defined purposes that might justify any intervention associated with access to and use of such data. We should also point out that no legal remedies are available in the USA to persons from Switzerland allowing them to obtain access to such data and to order its rectification or erasure and/or that there is no effective legal protection against general rights of access exercised by US authorities. We expressly draw the attention of those affected to this legal situation and state of affairs, to enable them to take an informed decision on whether to grant consent for the use of their data.
For users with a place of residence in a member state of the EU we should point out that the USA, from the point of view of the European Union and in the light of, among other things, the points outlined in this paragraph, does not have an adequate level of data security. Where we have explained in this privacy policy that recipients of data (e.g. Google) are based in the USA, we will ensure that the data held at our partners enjoys an adequate level of security, either by means of contractual provisions in this respect with such companies or by ensuring the certification of such companies under the EU or Swiss-US Privacy Shield.
20. Right to lodge a complaint before a data protection authority
You have the right to lodge a complaint before a data protection authority at any time.
Last amended: 2022-09-01