Privacy Policy

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.

1 Name and address of the person responsible

Your contact person as the controller within the meaning of the European General Data Protection Regulation ("EU GDPR") and other national data protection laws of the member states as well as other data protection regulations is

Stadtwerke Bad Aibling
Lindenstraße 30
83043 Bad Aibling

Telephone: +43 8061-90660
Telefax: +43 8061-90668
E-Mail:   info@stadtwerke-bad-aibling.de
Website: www.stadtwerke-bad-aibling.de

(hereinafter referred to as "we", "us" or "our")

 

2 Data protection officer

Our data protection officer can be reached using the following contact details:

 

Stadtwerke Bad Aibling

Lindenstraße 30
83043 Bad Aibling

Telephone: +43 8061-90660
Telefax: +43 8061-906680
E-Mail:   datenschutz@stadtwerke-bad-aibling.de

 

3 Purpose of the collection of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Article 6(1)(a) EU GDPR serves as the legal basis.

When processing personal data that is necessary for the fulfilment of a contract to which the data subject is a party, Article 6(1)(b) EU GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Article 6(1)(c) EU GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) EU GDPR serves as the legal basis.

If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Article 6(1)(f) EU GDPR serves as the legal basis for the processing. The legitimate interest of our company lies in the performance of our business activities.

 

4 Use of the website

4.1 Collection of personal data when accessing the website

a. Legal basis for data processing

The legal basis for the processing of your personal data in the context of the provision of the website is Art. 6 para. 1 lit. f EU GDPR.

b. Purpose of the data processing

When you visit our website, your browser transmits certain data to our web server for technical reasons in order to provide you with the information you have requested. To enable you to visit the website, the following data is collected, temporarily stored and used:

  • IP address
  • Date and time of the enquiry
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Operating system and its access status / HTTP status code
  • Amount of data transferred
  • Website from which the request originates
  • Browser, language and version of the browser software

c. Duration of storage

Your personal data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of the collection of your personal data for the provision of the website, this is the case as soon as the respective session has ended.

d. Possibility of objection and removal

The collection of your personal data for the provision of the website is absolutely necessary for the operation of the website. Consequently, there is no possibility for you to object.

 

4.2 Use of cookies

4.2.1 Cookies

 

Purpose: Performance (e.g. browser of the user)

Legal basis: The legal basis for the processing of your personal data in the context of the use of technically necessary cookies is Art. 6 para. 1 lit. f EU GDPR.

Description: When using our websites, cookies are used (e.g. to recognise the browser) in order to improve performance (e.g. faster loading of content).

Categories of personal data:

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Operating system and its access status / HTTP status code
  • Amount of data transferred
  • Website from which the request originates
  • Browser, language and version of the browser software

Storage duration: Session cookies (deleted when the browser is closed).

 

Possibility of objection and removal

Cookies are stored on your computer and transmitted from it to our website. You therefore have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. You can delete cookies that have already been saved at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

When you visit our website for the first time, a banner appears on our website in which we draw your attention to the use of cookies and our privacy policy. If you would like to view more detailed information on this, click on the Privacy Policy button. There you will find information on the use, storage, processing and deletion/avoidance of cookies. Afterwards, or if you actively delete this cookie beforehand, the banner will be displayed again the next time you visit our website in order to obtain your consent again.

4.3 External services and content on our website

We integrate external services or content such as YouTube videos or Google Maps on our website. If you use such a service or if third-party content is displayed to you, communication data will be exchanged between you and the respective provider for technical reasons.

In addition, the provider of the respective services or content may process your data for other purposes of their own. We have configured services or content from providers that are known to process data for their own purposes to the best of our knowledge and belief in such a way that either communication for purposes other than displaying the content or services on our website does not take place, or communication only takes place when you actively decide to use the service.

For further information on the purpose and scope of the collection and processing of your data, please refer to the data protection notices of the providers of the services or content integrated by us who are responsible for data protection.

5 Use of social plug-ins

5.1 YouTube

We have embedded videos from YouTube (YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA) in our website. This has been done using the so-called "double-click" method. This means that you are initially only shown a preview image on our website without a connection to YouTube being established. Only when you click on the respective preview image will a connection to YouTube be established and your IP address forwarded to the YouTube servers. YouTube is thus informed that our website has been visited with your IP address. We have no knowledge of the data collected in this way or how it is used.

YouTube LLC, a subsidiary of Google LLC based at 1600 Amphitheatre Parkway, Mountain View, California, USA, is certified in accordance with the EU-US Privacy Shield (available at www.privacyshield.gov/list under the search term "Google"). The "Privacy Shield" is an agreement between the European Union (EU) and the USA that is intended to ensure compliance with European data protection standards in the USA.

If you are logged into your YouTube or Google account, Google may add the processed information to your account depending on your account settings and treat it as personal data, see in particular https://www.google.de/policies/privacy/partners/.

We integrate YouTube so that you can watch videos directly on our website. By integrating external videos, we reduce the load on our servers and can use the corresponding resources elsewhere, which can increase the stability of our servers, among other things. This constitutes a legitimate interest within the meaning of the relevant legal basis of Art. 6 para. 1 lit. f GDPR. 

Further information on data processing by Google can be found at https://policies.google.com/privacy.

 

5.2 Google Maps

We use Google Maps on this website to visualise geographical information and to provide directions. Google Maps is a map service operated by Google Ireland Limited, Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland ("Google").

When you use Google Maps, Google collects data about your use of the Google Maps functions, including your IP address. It cannot be ruled out that the information collected will also be transmitted to a Google server in a third country, in particular to a server of Google's parent company, Google LLC, based at 1600 Amphitheatre Parkway, Mountain View, California, USA, and stored there. Google LLC is certified in accordance with the "EU-US Privacy Shield" (available at www.privacyshield.gov/list under the search term "Google"). The "Privacy Shield" is an agreement between the European Union (EU) and the USA that is intended to ensure compliance with European data protection standards in the USA.

If you are logged into your Google account, Google may add the processed information to your account depending on your account settings and treat it as personal data, see in particular https://www.google.de/policies/privacy/partners/.

You have the option of deactivating the Google Maps service and thus preventing the transfer of data to Google by deactivating JavaScript in your browser. However, we would like to point out that you will not be able to use the map display in this case.

Enabling the visual display constitutes a legitimate interest within the meaning of the relevant legal basis of Art. 6 para. 1 lit. f GDPR.

Further information on the terms of use of Google Maps and data processing by Google can be found on Google's websites, for example at

 – https://www.google.com/intl/de_de/help/terms_maps.html (Terms of use for Google Maps)

 – https://policies.google.com/privacy (Privacy policy of Google)

 

6 Contact form and contact by e-mail

 

Purpose: Contact us via the contact form or by e-mail

Legal basis: The legal basis for the processing of your personal data transmitted in the event of contact via the contact form or by e-mail is Art. 6 para. 1 lit. f EU GDPR.

Description: When using our website, various services are available to you via the contact form (registration and deregistration of electricity, gas and water, transmission of meter readings, changes to bank details or general questions).

Storage duration: We will retain the data you provide on the contact form until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Mandatory statutory provisions - in particular retention periods - remain unaffected.

Possibility of objection and removal
You have the option at any time to object, with effect for the future, to the processing of your personal data in the context of contacting us via the contact form or by e-mail. In such a case, the conversation between you and us cannot be continued. All personal data stored in the course of contacting us will be deleted in this case.

 

7 Webshop

7.1 Customer account in the webshop

a. Legal basis for data processing

The legal basis for this is Article 6(1)(a) GDPR, i.e. the processing of personal data is based on the customer's consent when creating an account.

b. Purpose of the data processing

In order to provide you with the greatest possible convenience when shopping, we offer you the permanent storage of your personal data in a password-protected customer account for our online shop. Once you have set up a customer account, you do not need to re-enter your personal data for the purchase process. When you create a customer account, the following data you provide will be saved on a revocable basis:

  • Salutation
  • First name
  • Surname
  • E-mail address
  • Delivery address
  • Billing address
  • Login information
  • IP address

In addition to the data requested when placing an order, you must enter a password of your choice to set up a customer account. This is used together with your e-mail address to access your customer account. Please treat your personal access data confidentially and in particular do not make it accessible to unauthorised third parties. We cannot accept any liability for misused passwords unless we are responsible for the misuse.

c. Duration of storage

If you transmit data to us for an order, your data will be stored for as long as is necessary for processing the purchase and in accordance with the statutory retention periods.

d. Possibility of objection and removal

Data subjects have the right to withdraw their consent to the processing of their personal data at any time. After a revocation, the account no longer exists and we can no longer offer the above-mentioned services.

7.2 Purchase of tickets/vouchers as a registered user

a. Legal basis for data processing

The legal basis for this is Article 6(1)(b) GDPR, i.e. you provide us with the data on the basis of the contractual relationship between you and us or in advance of this.

b. Purpose of the data processing

The data is used for the sale and dispatch of tickets/vouchers with subsequent invoicing and dispatch to the customer.

The following personal data is collected from you:

  • Salutation
  • First name
  • Surname
  • Company (optional)
  • E-mail address
  • Delivery address
  • Telephone (optional)
  • Fax (optional)
  • Login information
  • IP address

c. Duration of storage

If you transmit data to us for an order, your data will be stored for as long as is necessary for processing the purchase and in accordance with the statutory retention periods.

7.3 Purchase of event tickets as a guest user

a. Legal basis for data processing

The legal basis for this is Article 6(1)(b) GDPR, i.e. you provide us with the data on the basis of the contractual relationship between you and us or in advance of this.

b. Purpose of the data processing

You have the option of placing your orders as a guest. If you decide in favour of this type of order, you do not have to register before placing an order. Please note that you will have to enter your details again for each subsequent order. The data is used for the sale and dispatch of tickets/vouchers with subsequent invoicing and dispatch to the customer.

The following personal data is collected from you:

  • Salutation
  • First name
  • Company (optional)
  • E-mail address
  • Delivery address
  • Billing address
  • Telephone number
  • Fax (optional)
  • Personalisation data for the ticket
  • IP address

c. Duration of storage

If you transmit data to us for an order, your data will be stored for as long as is necessary for processing the purchase and in accordance with the statutory retention periods.

7.4 Reservation of events by the end customer

a. Legal basis for data processing

The legal basis for this is Article 6(1)(b) GDPR, i.e. you provide us with the data on the basis of the contractual relationship between you and us or in advance of this.

b. Purpose of the data processing

The data is processed for the personalised reservation of events via the web shop.

The following personal data is collected from you:

  • First name
  • Last name
  • E-mail address
  • IP address

c. Duration of storage

If you transmit data to us for an order, your data will be stored for as long as is necessary for processing the purchase and in accordance with the statutory retention periods.

7.5 Payment services

7.5.1 PayPal

a. Legal basis for data processing

When paying via PayPal, credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" or "payment by instalments" via PayPal, we pass on your payment data to PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal"), as part of the payment processing. The transfer takes place in accordance with Art. 6 para. 1 lit. b GDPR and only insofar as this is necessary for payment processing.

b. Purpose of the data processing

The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.

The purpose of transmitting the data is payment processing and fraud prevention. The controller will transfer personal data to PayPal in particular if there is a legitimate interest in the transfer. The personal data exchanged between PayPal and the controller may be transmitted by PayPal to credit reference agencies. The purpose of this transmission is to check identity and creditworthiness.

The personal data transmitted to PayPal is usually:

  • First name
  • Surname
  • Your address
  • E-mail address
  • IP address
  • Telephone number
  • Mobile phone number or other data required for payment processing. Personal data that is necessary for processing the purchase contract is also data that is related to the respective order

The purpose of transmitting the data is to process payments and prevent fraud. The controller will transmit personal data to PayPal in particular if there is a legitimate interest in the transmission. The personal data exchanged between PayPal and the controller may be transmitted by PayPal to credit reference agencies. The purpose of this transfer is to check identity and creditworthiness.

Further data protection information, including information on the credit agencies used, can be found in PayPal's privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

c. Duration of storage

Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons. 

d. Right to object and right to erasure

The data subject has the option to withdraw consent to the handling of personal data from PayPal at any time. A revocation does not affect personal data that must be processed, used or transmitted for (contractual) payment processing.

7.5.2 Instant bank transfer

a. Legal basis for data processing

The legal basis for data processing is Art. 6 (1) b) GDPR, as the processing of the data is necessary for payment by instant bank transfer and thus for the fulfilment of the contract. 

b. Purpose of the data processing

The operating company of Sofortüberweisung is SOFORT GmbH, Fußbergstraße 1, 82131 Gauting, Germany.

The purpose of transmitting the data is payment processing and fraud prevention. The controller will also transfer other personal data to Sofortüberweisung if there is a legitimate interest in the transfer. The personal data exchanged between Sofortüberweisung and the controller may be transmitted by Sofortüberweisung to credit reference agencies. The purpose of this transfer is to check identity and creditworthiness.

The personal data exchanged with Sofortüberweisung is as follows:

  • First name
  • Surname
  • Your address
  • E-mail address
  • Telephone number
  • Mobile phone number or other data required for payment processing.

 The applicable data protection provisions of Sofortüberweisung may be retrieved under https://www.sofort.com/ger-DE/datenschutzerklaerung-sofort-gmbh.

c. Duration of storage

Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means that the data is blocked and not processed for other purposes.

This applies, for example, to data that must be retained for commercial or tax law reasons.

d. Possibility of objection and removal

The data subject has the option of withdrawing consent to the handling of personal data from Sofortüberweisung at any time. A revocation does not affect personal data that must be processed, used or transmitted for (contractual) payment processing.

 

8 Forwarding of data for processing on our behalf

We sometimes use specialised service providers to process your data. Our service providers are carefully selected and regularly monitored by us. They process personal data only on our behalf and strictly in accordance with our instructions on the basis of corresponding order processing contracts.

 

9 Security

We use various security measures such as state-of-the-art encryption and authentication tools to protect and maintain the security, integrity and availability of your data.

 

10 The following rights are available to you under the applicable data protection laws:

If your personal data is processed, you are a data subject within the meaning of the EU GDPR and you have the following rights towards us:

10.1 Right to information

You can request information from us at any time about the data we hold about you. This information concerns, among other things, the categories of data processed by us, the purposes for which we process them, the origin of the data if we have not collected them directly from you and, if applicable, the recipients to whom we have transmitted your data. You can receive a copy of your data from us free of charge. If you are interested in further copies, we reserve the right to charge you for the additional copies.

10.2 Right to rectification

You have a right to rectification and/or completion vis-à-vis us if the processed personal data concerning you is incorrect or incomplete. We must make the correction without delay.

10.3 Right to erasure of your personal data

You can request that we erase your data if the legal requirements for this are met. According to Art. 17 GDPR, this may be the case if:

  • the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • you withdraw your consent, which is the basis for the data processing, and there is no other legal basis for the processing;
  • you object to the processing of your data and there are no overriding legitimate grounds for the processing, or you object to data processing for direct marketing purposes;
  • the data has been processed unlawfully;
  • the processing is not necessary to ensure compliance with a legal obligation that requires us to process your data; in particular with regard to statutory retention periods; to assert, exercise or defend legal claims.

10.4 Right to restriction of processing

You can demand that we restrict the processing of your data if:

  • you contest the accuracy of the data, for the period necessary for us to verify the accuracy of the data;
  • the processing is unlawful and you oppose the erasure of your data and request the restriction of its use instead;
  • we no longer need your data, but you need it to assert, exercise or defend legal claims;
  • you have objected to processing pending the verification whether our legitimate grounds override yours.

10.5 Right to object to processing

You can object to the processing of your data at any time for reasons arising from your particular situation, provided that the data processing is based on your consent or on our legitimate interests or those of a third party. In this case, we will no longer process your data. The latter does not apply if we can demonstrate compelling legitimate grounds for the processing which override your interests or if we need your data for the establishment, exercise or defence of legal claims.

10.6 Right to data portability

At your request, we will transfer your data - insofar as this is technically possible - to another controller. However, you are only entitled to this right if the data processing is based on your consent or is necessary to fulfil a contract. Instead of receiving a copy of your data, you can also ask us to transfer the data directly to another controller specified by you.

You can revoke your consent to the collection, processing and use of your personal data at any time with effect for the future. You can find more information on this in the respective sections above, where data processing based on your consent is described.

10.7 Automated decision

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, to express your point of view and to contest the decision.

10.8 Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

10.9 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the EU GDPR.

The competent supervisory authority for us is

Bayerische Landesbeauftragte für den Datenschutz
Wagmüllerstraße 18
80538 München

Telephone: +49 (0) 89 2126720
E-Mail: poststelle@datenschutz-bayern.de 

The supervisory authority with which you have lodged a complaint will inform you of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

Our data protection officer will be happy to answer any questions you may have at any time.