Data protection declaration of the Schweizerische Südostbahn AG (SOB)

The SOB handles your data in confidence.

The protection of your identity and your privacy is an important concern for us, the public transport companies. We guarantee that we will process your personal data in accordance with the law and the applicable provisions of data protection law.

The public transport companies set an example for the confidential handling of your data with the following principles:

You decide how your personal data is processed.

You can refuse data processing or revoke your consent to it or have your data deleted at any time within the legal framework. You always have the option of travelling anonymously, i.e. without your personal data being recorded.

We offer you added value when processing your data.

Public transport companies use your personal data to offer you added value along the mobility chain (e.g. tailored offers and information, support or compensation in the event of disruption). Your data is therefore only used for the development, provision, optimisation and evaluation of our services or for maintaining customer relations.

Your data will not be sold.

Your data will only be disclosed to selected third parties listed in this data protection declaration and only for the explicitly stated purposes. If we commission third parties to process data, they are contractually obliged to comply with our data protection standards.

We guarantee you security and protection for your data.

The public transport companies guarantee the careful handling of customer data as well as the security and protection of your data. We ensure the necessary organisational and technical precautions are in place for this.

Below you will find detailed information on how we handle your data.

The Schweizerische Südostbahn AG (SOB) is responsible for the processing of your data on the webshop.

If you have any questions or suggestions regarding data protection, you can contact us at any time. Either by post to:

Schweizerische Südostbahn AG Data Protection Officer Bahnhofplatz 1a CH-9001 St. Gallen

or by email to: datenschutz@sob.ch

Customers residing in an EU member state may also contact our EU representative, either by post to: Swiss Infosec (Deutschland) GmbH Unter den Linden 24 10117 Berlin Germany

or by email to: SOB.dataprivacy@swissinfosec.de

We are aware of how important the careful handling of your personal data is to you. All data processing is carried out only for specific purposes. These may arise, for example, from technical necessity, contractual requirements, legal regulations, overriding interest, i.e. for legitimate reasons, or from your express consent. We collect, store and process personal data to the extent necessary, for example for managing customer relations, distributing our products and providing our services, processing orders and contracts, sales and invoicing, answering questions and concerns, providing information about our products and services and marketing them, providing support in technical matters and evaluating and further developing services and products. For more detailed information on which data is processed for which purposes, please read the following sections.

The following data processing operations take place on the SOB webshop: 3.1 When purchasing services 3.2 When checking services 3.3 In the event of misuse 3.4 When using the SOB webshop 3.5 When registering on the SOB webshop 3.6 When contacting our rail travel centres 3.7 When contacting us using the online contact form 3.8 When using the SOB webshop newsletter 3.9 When creating a SwissPass login/customer account at www.swisspass.ch 3.10 When contacting the SOB through digital advertising 3.11 Participation in competitions, prize draws and similar events 3.12 In connection with SOB marketing 3.13 In connection with market research purposes

3.1 When purchasing services

For contractual reasons, we require personal data for online orders or the purchase of certain services and products in order to provide our services and to fulfil the contractual relationship. This applies, for example, when purchasing a season ticket or a single ticket.

When purchasing personalised services, we collect the following data, depending on the product or service. Mandatory fields in the corresponding form are marked with an asterisk (*):

• sex, name, email address of the person making the purchase or travelling

• Further information such as postal address, date of birth

• telephone number

• means/method of payment

• agreement to the General Terms and Conditions of Sale and Delivery (GTC)

In order to fulfil the contractual relationship, we also collect data about the services you have purchased (‘service data’). Depending on the product or service, this includes the following information:

• type of product or service purchased

• price

• Place, date and time of purchase

• Purchase channel (internet, machine, counter, etc.)

• Date of travel or period of validity and departure time

• departure and destination

Data generated when purchasing services is stored in a central database (see the section on ‘joint responsibility in public transport’) and also processed for other purposes, including marketing and market research (for more details, see the relevant sections of this data protection declaration).

In addition, the data is used in the context of ticket inspections to identify the holder of a personalised ticket and to prevent misuse (for more information, see the section ‘When inspecting services’ and the section on ‘joint responsibility in public transport’).

The data is also used to provide our after-sales service, to identify you in the event of concerns or difficulties and to be able to support you, as well as to process any compensation claims.

The data is used to fairly distribute the revenue generated by the purchase of tickets among the companies and associations of the National Direct Transport.

Finally, we analyse your data anonymously in order to develop the entire public transport system in line with demand.

Insofar as the EU GDPR is applicable, our legitimate interest and the necessity for the performance of a contract form the legal basis for this processing of personal data.

Customer and subscription data is required and processed to secure revenue (checking the validity of tickets or discounts, collection, combating fraud). The transport companies and associations are therefore entitled to process all passenger data (ticket and control data, as well as any sensitive data relating to all types of travel without a valid ticket, such as passengers with partially valid tickets, passengers with invalid tickets or passengers with forgotten tickets and discount cards and possible misuse) of passengers and contractual partners, and to store and exchange this data with other transport companies and associations (including across borders in the case of international tickets or discount cards) during the periods defined by data protection law.

The following provisions apply to individual services or carrier media:

SwissPass card: When the physical SwissPass card is used as a carrier medium, no control data is stored (for an exception, see SwissPass Mobile).

SwissPass Mobile: When the SwissPass Mobile application is used, the provisions that are noted during the activation of SwissPass Mobile apply (see separate data protection declaration). In this regard, the following data is processed: registration, activation and control data that is collected when SwissPass Mobile is used. As soon as the SwissPass Mobile is used, this data is also collected for the SwissPass card. The retention period for registration data is up to eighteen months after deactivation of the SwissPass Mobile or after expiry of the SwissPass card. The activation and control data of the SwissPass Mobile and the SwissPass card are stored on control devices for one day and in the control database for thirty days. If there is evidence of misuse, the maximum storage period for activation and control data is ninety days. Travellers who misuse the SwissPass Mobile will be excluded from the SwissPass Mobile for twelve months. After that, the SwissPass Mobile can be used again. After a further twelve months, the traveller's exclusion file will be deleted.

Electronic tickets When you use electronic tickets (e-tickets), control data is stored on the central control data server at SBB. This data is stored for 360 days to combat and prevent misuse and improper reimbursements.

Insofar as the EU-DSGVO is applicable, our legitimate interest and the necessity for contract processing form the legal basis for this processing of personal data.

In the event of travel without a valid ticket, the data is stored in a separate database and in a jointly operated register. Travellers and contractual partners respectively acknowledge that if any abuses or forgeries are discovered, the transport companies are authorised to provide the relevant personal data to all internal departments affected by the abuse and to other transport companies, so that the abuse can be ruled out or confirmed and further abuse prevented. Various deadlines apply to the processing of the aforementioned data in accordance with the Federal Act on the Carriage of Passengers (PBG). The data will be deleted as soon as it is established that the person concerned has not caused a loss of revenue, and after two years if the person concerned has paid the surcharges and has not demonstrably travelled without a valid ticket during this time. The data may be stored for a maximum of ten years if it is required for the enforcement of claims against that person. Insofar as the EU GDPR is applicable, Art. 20a PBG and Art. 58a VPB form the legal basis for this processing of personal data.

When you visit our website, our hosting provider's servers temporarily store each access in a log file on our behalf. The following technical data (list is not exhaustive) is collected:

• IP address of the requesting computer

• Date and time of access

• Website from which access occurred, with the search term used if applicable Name and URL of the file accessed

• Search queries carried out (timetable, general website search function, products, etc.)

• The operating system of your computer (provided by the user agent)

• The browser you use (provided by the user agent)

• device type in the case of access from mobile phones

• transmission protocol used

The collection and processing of this data is used for system security and stability and for error and performance analysis, as well as for internal statistical purposes and to enable us to optimise our website. It also allows us to design our website for specific target groups, i.e. to provide it with targeted content or information that may be of interest to you.

The IP address is also used to set the language of the website. In addition, it is evaluated together with other data in the event of attacks on the network infrastructure or other unauthorised or improper use of the website for the purposes of investigation and defence and, if necessary, in the context of criminal proceedings for identification and for civil and criminal proceedings against the users concerned.

Finally, when you visit our website, we use cookies as well as applications and tools that are based on the use of cookies or are comparable to them. You can find more information on this in the sections on cookies, tracking tools, advertisements and social plugins in this data protection declaration.

Insofar as the EU GDPR is applicable, our legitimate interest forms the legal basis for this processing of personal data. We do not guarantee compliance with these data protection provisions for third-party websites that are linked to our website. The data protection provisions of the respective provider apply to these pages.

As part of the ordering process, you have the option to register for a customer account. By registering with our online shop, you will be able to move through the ordering process much more quickly, create multiple addresses, track your orders and much more. We collect the following personal data, with the mandatory information for opening a customer account marked with an asterisk (*):

• First name and last name (*)

• Email address (*)

We collect this information to enable you to keep track of your orders and the contracts concluded with you in this context. In this respect, it is data processing for which you have given us your consent. This is the legal basis for data processing, insofar as the EU GDPR is applicable. You can revoke your consent at any time with effect for the future.

Personal data may be collected when you contact our rail travel centres. We collect this information in order to process your request in the best possible way. Insofar as the EU GDPR is applicable, we base this data processing on our legitimate interest or, if the purpose of the contact is to conclude a contract, on the implementation of the pre-contractual measures requested by you and the necessity for the execution of the contract.

You have the option of using an online contact form to get in touch with us. The following personal data must be entered for this:

• First name and last name

• Telephone number

• Email address

We use this and voluntarily provided data to process your request in the best possible way. Any optional information about how you became aware of our offer is also used for internal statistical purposes.

Insofar as the EU GDPR is applicable, we base this data processing on our legitimate interest or, if your contact is aimed at concluding a contract, on the implementation of the pre-contractual measures requested by you and the necessity for contract processing the legal basis for this processing of personal data.

If you wish to receive the newsletter offered on the SOB webshop, we require your email address, first name and surname. After registering for the webshop newsletter, you will receive an email. By confirming your email address, you agree to receive the newsletter. In addition, further information in your user account, such as address, age and interests, may be taken into account for the delivery of the newsletter. Data processing and the sending of the webshop newsletter are carried out by SwissBooking AG with Alturos Destinations. You can revoke your consent to the storage of the data, the e-mail address and its use for sending the newsletter at any time via the ‘Unsubscribe’ link in the respective newsletter or in your user account under ‘Notifications’. Insofar as the EU GDPR is applicable, your consent forms the legal basis for this processing of personal data. We may also collect information about whether you read a newsletter or click on a link. You can find more information about this under ‘How are tracking tools used?’

You have the option of setting up a customer account at swisspass.ch. To do this, we require the following data from you:

• First name and surname

• Date of birth

• Address (street, postcode, town and country)

• Customer number (if you already hold a public transport season ticket)

• E-mail address and password (login data)

By registering, we enable you to access the numerous online services (web shops and apps) of public transport companies and networks using the login data (known as SwissPass login) and to purchase services from them without having to go through a separate, additional, time-consuming registration process each time. Services that you purchase using the SwissPass login (in particular public transport tickets/subscriptions) are recorded in your customer account and in a central database (‘IT database’). These data processing operations are necessary for the performance of the contract for the use of the SwissPass and are therefore based on this legal basis. Further information can be found in the sections on joint responsibility in public transport and on disclosure to third parties in this data protection declaration, as well as in the data protection declaration on swisspass.ch.

The following information may be used for the creation, personalisation, delivery and evaluation of digital advertisements for the SOB web shop:

• Profile data (age, place of residence and gender)

• Website visited, including any search queries carried out

• Approximate GPS coordinates

• User ID (Unique User ID), advertising ID (Ad ID), IP address

• Browser and operating system information

• Device manufacturer and device model

The above information is collected through your personal user account (Google, Facebook) and the Google Tag Manager and Facebook Pixel. When you use the Google Tag Manager, Facebook Pixel or Business Tools on a website, app, etc., interactions between you and that company or organisation are shared with Facebook and Google. This could be, for example, when you access their apps or websites or when the companies or organisations use their business tools, such as Facebook Login.

This information from Google or Facebook is available to us when we create and personalise an advert and is used to create adverts for target groups that are as suitable as possible.

We do not forward your personal data to advertisers. We do not carry out any profiling in connection with adverts. The following information is collected via tags on the SOB webshop:

• Google Tag Manager: tracking website views, leads, events, purchases

• Facebook Pixel: tracking of website visits, leads, events, purchases

Further information on cookies can be found in the section ‘How are tracking tools used?’

Further information and instructions on how to handle advertisers can be found here:

• Manage my activities outside of Facebook

• Use of data from websites and apps from Google

The following data may be collected in a competition run by the SOB web shop:

• First name, surname

• Email address

• Postal address

• Image material

• Date of participation

• Answers to questions

By agreeing to the individual terms and conditions of the respective competition and the privacy policy, you consent to this collection of data.

The data may be collected via the following platforms:

• SOB social media channels via comments, links or private messages

• Online contact form at www.sob.ch

The data is used to evaluate the winner and to send the competition prize. Optionally, the data can be stored for marketing purposes if the participant gives their consent.

The personal data will not be passed on to third parties. Depending on the prize, the data will be sent to the prize sponsor on a one-off basis if the prize needs to be handed over on site.

Provided you do not object, we use your customer data (name, gender, date of birth, address, customer number, e-mail address), your service data (data about services purchased such as travelcards or single tickets) and your click behaviour on our websites or in e-mails that you have received from us for marketing purposes. Please also note the section on ‘Tracking tools’ with regard to the evaluation of click behaviour.

We analyse this data in order to develop our offers in line with your needs and to send or display information and offers that are as relevant as possible to you (e.g. by e-mail, letter, in person at the counter). For this purpose, we only use the data that we can clearly assign to you, for example because you have logged in or identified yourself on our website with your SwissPass and purchased a ticket. We also use methods that predict your possible future purchasing behaviour based on your current purchasing behaviour. The legal basis for this processing is our legitimate interest. In certain cases, the Swiss Federal Railways (SBB) or another company involved in direct traffic may also contact you under strict conditions. Please refer to the information in the section on ‘joint responsibility in public transport’.

You can opt out of us, SBB (e.g. in connection with your GA or Half Fare Travelcard) or other public transport companies contacting you at any time. The following options are available for this:

• Every email you receive from us or other public transport companies contains an unsubscribe link that allows you to opt out of further messages with a single click.

• If you have a SwissPass login, you can log in at www.swisspass.ch and manage your message settings in your user account at any time.

• You can also register or unsubscribe in person at any ticket office or by calling the SBB Contact Center (0848 44 66 88).

Please also note the information on the right to object to the evaluation of click behaviour in the section on ‘Tracking Tools’.

We regularly conduct market research to continuously improve the quality of our services and offers. If you agree, we can use your contact details for customer surveys (e.g. online surveys). If you do not wish to be invited to such surveys, the following options are available to you:

• Every e-mail you receive from us or from other public transport companies contains an unsubscribe link that you can use to unsubscribe from further messages.

• If you have a SwissPass login, you can log in at www.swisspass.ch and manage your message preferences in your user account at any time.

• You can also register or unsubscribe in person at any ticket office or by calling the SBB Contact Center (0848 44 66 88).

We only store personal data for as long as is necessary

• to provide services that you have requested or for which you have given your consent to the extent specified in this data protection declaration,

• to use the tracking services specified in this data protection declaration in the context of our legitimate interest,

• to fulfil the legal storage obligations (e.g. data on the conclusion of a contract).

We store contract data for longer as this is prescribed by statutory retention obligations. Retention obligations that require us to store data arise from accounting regulations and tax law. If we no longer need this data to provide services to you, the data will be blocked. This means that the data may then only be used to fulfil our retention obligations.

List of storage periods for databases in public transport

Your data is generally stored in databases within Switzerland. However, in some cases listed in this data protection declaration, the data is also passed on to third parties that are based outside Switzerland. If the country in question does not have an adequate level of data protection, we ensure that your data is adequately protected by these companies either through contractual arrangements with them.

In relazione ai tuoi dati personali, hai i seguenti diritti nell'ambito e nei limiti della legge applicabile:

• Puoi richiedere informazioni sui tuoi dati personali memorizzati.

• Puoi richiedere la rettifica, l'integrazione, il blocco o la cancellazione dei tuoi dati personali. Il blocco sostituisce la cancellazione se vi sono ostacoli legali alla cancellazione (ad esempio obblighi di conservazione previsti dalla legge).

• Se hai creato un account cliente, puoi cancellarlo o farlo cancellare.

• Puoi opporti all'utilizzo dei tuoi dati per scopi di marketing. Nella misura in cui è applicabile il GDPR dell'UE, puoi opporti in qualsiasi momento al trattamento dei dati personali che trattiamo sulla base di interessi legittimi e al trattamento dei dati personali per finalità di marketing diretto, in particolare per motivi derivanti dalla tua situazione particolare.

• Puoi revocare il tuo consenso in qualsiasi momento con effetto per il futuro.

• Puoi richiedere il trasferimento di alcuni dati.

Per esercitare i tuoi diritti, è sufficiente inviare una lettera per posta a:

Schweizerische Südostbahn AG Consulente per la protezione dei dati Bahnhofplatz 1a CH-9001 St. Gallen

o via e-mail a: datenschutz@sob.ch

I clienti che risiedono in uno stato membro dell'Unione Europea possono anche contattare il nostro rappresentante UE, inviando una lettera a

Swiss Infosec (Deutschland) GmbH Unter den Linden 24 10117 Berlino Germania

o via e-mail a: SOB.dataprivacy@swissinfosec.de

Hai inoltre il diritto di presentare un reclamo presso un'autorità di protezione dei dati in qualsiasi momento.

Se desideri informazioni o la cancellazione dei tuoi dati personali ai sensi della legge sulla protezione dei dati dei trasporti pubblici, puoi contattare SBB per iscritto. La richiesta di informazioni o di cancellazione deve essere inviata al seguente indirizzo:

SBB AG Legal & Compliance Data Protection Office Hilfikerstrasse 1 3000 Bern 65

We will not sell your data. Your personal data will only be passed on to selected service providers and only to the extent necessary to provide the service. These are

• IT service providers, e.g. for support, data analysis and other services,

• our hosting provider (see section

  ‘Use of the website’

  ),

• issuers of subscription cards,

• mailing service providers (such as the Swiss Post),

• service providers that are tasked with distributing transport revenues among the participating transport companies (in particular in the context of creating a distribution key as defined by the Swiss Passenger Transport Act),

• our service provider Swiss Booking AG, which is tasked with the ongoing operation of the software, handling the requirements under commercial law, collecting the transactions, brokering the range of service providers and providing administrative services for the SOB web shop,

• service providers that perform services with possible customer contact on behalf of SOB (e.g. catering, cleaning), only in the case of relevant events,

• as well as the providers mentioned in the sections on tracking tools, social plug-ins and advertisements.

With regard to service providers based abroad, please also note the information in the section ‘Where is your data stored?’.

In addition, your data may be passed on if we are legally obliged to do so or if this is necessary to protect our rights, in particular to enforce claims arising from our relationship with you (e.g. to authorities, official bodies, parties involved in proceedings, etc.).

If you book cross-border trips, your data will also be passed on to the respective foreign providers (potentially worldwide). However, this will only be to the extent necessary to check the validity of the tickets and to prevent misuse.

Insofar as the EU GDPR applies, our legitimate interest forms the legal basis for the data processing mentioned here and, in the event of disclosure in accordance with legal obligations under foreign law, the fulfilment of these legal obligations.

Your personal data will not be disclosed to any third parties outside the public transport system. The only exceptions are SwissPass partners (to the extent described below) and companies that have been authorised by public transport companies, on the basis of a contractual agreement, to broker public transport services. These brokers will only have access to your personal data if you wish to purchase a public transport service from them and have given them your consent to access it. Even in this case, they will only have access to your data to the extent necessary to determine whether you already have tickets or passes for the planned travel period that are relevant to your journey and the third-party service you require. The legal basis for this data processing is therefore your consent. You can revoke your consent at any time with effect for the future (see section ‘What data is processed for market research purposes?’).

If you use your SwissPass to take advantage of offers from a SwissPass partner, data about the services you have purchased from us (e.g. a GA Travelcard, Half Fare Travelcard or regional travel pass) may be transmitted to the SwissPass partner to check whether you are entitled to a specific offer from the SwissPass partner (e.g. a discount for GA Travelcard holders). In the event of loss, theft, misuse or forgery or card replacement after a service has been purchased, the relevant partner will be informed. These data processing operations are necessary for the performance of the contract for use of the SwissPass and are therefore based on this legal basis. Further information can be found in the data privacy policy at www.swisspass.ch and in the data privacy policy of the respective SwissPass partner.

The SOB is responsible for processing your data. As a public transport company, we are legally obliged to provide transport services together with other transport companies and associations (‘Direct Transport’, Art. 16 and 17 of the Passenger Transport Act). To make this possible, data from our contact with you or from the services you have purchased, for example, is shared at the national level within the National Direct Transport (NDV), an association of over 240 public transport companies and associations. The individual transport companies and associations are listed here.

The data is stored in the central NOVA (network-wide public transport connection) database, which is maintained by SBB under a mandate from NDV and for which we are jointly responsible with the other NDV companies and associations. NOVA is a technical platform for the distribution of public transport offers. It contains all the central elements for the sale of public transport services, such as the customer database. The scope of access to the shared databases by the individual transport companies and associations is governed by a joint agreement. The transfer of data and its processing by the transport companies and associations that occurs with the central storage of the data is limited to the following purposes:

Provision of transport services: To ensure that your journey runs seamlessly, your travel and purchase data is forwarded within the NDV.

Contract processing: We process this data for the purposes of establishing, managing and processing contractual relationships.

Customer relationship management and support: We process your data for purposes related to communicating with you, in particular to answer your questions and to enable you to assert your rights and to identify you across the entire public transport network in the event of concerns or difficulties, so that we can provide you with the best possible support, as well as to process any compensation claims.

Ticket inspection and revenue protection: Customer and subscription data are required and processed for revenue protection (checking the validity of tickets or discount cards, collection, combating fraud). Incidents of travelling without a valid ticket or with a partially valid ticket can be recorded via the national blacklist of fare dodgers.

Revenue distribution The Alliance SwissPass office, managed by ch-integral, fulfils the legal mandate defined in the Swiss Passenger Transport Act to collect travel data for the correct distribution of revenue. The office acts as the revenue distribution agent for national direct transport on behalf of the companies that belong to the NDV.

Identification for the authentication of the SwissPass login (SSO) For services that you purchase using the SwissPass login, the data is then stored in the central customer database (NOVA). In order to enable you to use the so-called Single Sign-On (SSO) (one login for all applications that offer the use of their services with the SwissPass login), the aforementioned login, card, customer and service data are also exchanged between the central SwissPass login infrastructure and us as part of the authentication process.

Joint marketing and market research activities In addition, the data collected when public transport services are purchased is also processed for marketing purposes in certain cases. If you have given your consent and the data is processed or you are contacted for this purpose, this will generally only be done by the transport company or network from which you purchased the public transport service in question. Processing or contact by the other transport companies and associations participating in the NDV will only take place in exceptional cases and under strict conditions, and only if the analysis of the data shows that a specific public transport offer could provide added value for you as a customer. An exception to this is the processing and contact by SBB. SBB handles the marketing mandate for NDV services (e.g. GA travelcards and Half Fare Travelcards) and may contact you regularly in this role. We also process your data for market research, to improve our services and for product development.

Further development of public transport systems with anonymous data We analyse your data anonymously in order to further develop the public transport system as a whole in line with demand.

Customer information For group travel, we will notify you by text message about your group reservation as well as any delays or cancellations. You can decide for yourself whether you wish to receive these notifications when you book a group trip.

We use Google's web analysis services to ensure that our website and e-mails are designed to meet requirements and to optimise them on an ongoing basis. In the case of the data processing described below, our legitimate interest forms the legal basis insofar as the EU GDPR applies.

Tracking on websites Pseudonymised user profiles are created and small text files (‘cookies’) are stored on your computer (see ‘What are cookies and when are they used?’) in connection with our website. The information generated by cookies about your use of these websites is transferred to the servers of the service providers, stored there and processed for us. In addition to the data listed above (see ‘What data is processed when you use our websites?’), we receive the following information:

• The navigation path that a visitor takes on the website

• Time spent on the website or subpage

• Subpage from which the website is exited

• Country, region or city from which access occurs

• Terminal device (type, version, colour depth, resolution, width and height of the browser window) Returning or new visitor

• Browser type/version

• Operating system used

• Referrer URL (the previously visited page)

• Host name of the accessing computer (IP address)

• Time of the server request

The information is used to evaluate the use of the website.

Tracking when sending e-mails: We use third-party e-mail marketing services to send e-mails.

Our e-mails may therefore contain a so-called web beacon (tracking pixel) or similar technical means. A web beacon is a 1x1 pixel-sized, invisible graphic that is associated with the user ID of the respective e-mail subscriber. For each newsletter sent, information is provided on the address file used, the subject and the number of newsletters sent. In addition, it is possible to see which addresses have not yet received the newsletter, to which addresses the newsletter has been sent and for which addresses the delivery has failed. We also receive information on the opening rate, including which addresses have opened the newsletter and which addresses have been removed from the newsletter distribution list.

The use of corresponding services enables the evaluation of the information listed above. In addition, it can also be used to record and evaluate click behaviour. We use this data for statistical purposes and to optimise the content of our messages. This enables us to better align the information and offers in our e-mails with the individual interests of the respective recipient.

If you wish to prevent the use of web beacons in our e-mails, please set your e-mail programme so that no HTML is displayed in messages, if this is not already the default setting. Instructions for doing this can be found on the Microsoft Office Support website, for example.

You can find out more about our tracking tools below.

Google Analytics Our website uses Google Analytics, a web analysis service provided by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA, or Google Ireland Limited, Gordon House Barrow St, Dublin 4, Ireland. Google Analytics uses methods that enable an analysis of the use of the website, such as cookies (see ‘What are cookies and when are they used?’). The information generated by cookies about your use of this website, as described above, is transmitted to and stored by Google, a company of the holding company Alphabet Inc., on servers in the United States. The IP address is shortened by activating IP anonymisation (‘anonymizeIP’) on this website before transmission within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area or Switzerland. The anonymised IP address transmitted by your browser as part of Google Analytics is not merged with other Google data. Only in exceptional cases will the full IP address be transmitted to a Google server in the US and shortened there. In these cases, we ensure by contractual guarantees that Google maintains an adequate level of data protection.

The information is used to evaluate the use of the website, to compile reports on the activities on the website and to provide further services associated with the use of the website and the internet for the purposes of market research and the design of the website to meet requirements. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of Google. According to Google, under no circumstances will the IP address be associated with other data relating to the user.

Users can prevent the data generated by cookies about their use of the website (incl. their IP address) from being passed to Google, and the processing of these data by Google, by downloading and installing the browser plugin available at this link.

What are cookies and similar technologies and when are they used? In certain cases, we use cookies. Cookies are small files that are stored on your computer or mobile device when you visit or use one of our websites. An opt-out cookie is stored on your device for this purpose. If you delete your cookies, you will have to click the link again.

Cookies store certain settings via your browser and data about the exchange with the website via your browser. When a cookie is activated, it can be assigned an identification number that is used to identify your browser and the information contained in the cookie can be used. You can set your browser so that a warning appears on the screen before a cookie is stored. You can also do without the advantages of personal cookies. Certain services cannot be used in this case.

Other technologies work in a similar way to cookies by distinguishing individual users from one another, but usually without identifying them.

We use cookies and similar technologies in particular to analyse general user behaviour. The aim is to optimise our digital presence. This should be easier to use and the content should be more intuitive to find. It should be possible to structure it in a more comprehensible way. It is important to us to make our digital presence as user-friendly as possible for you. This enables us to optimise the website by providing targeted content or information on the website that may be of interest to you.

Most web browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or so that a message always appears when you receive a new cookie. On the following pages, you will find explanations of how to configure the processing of cookies:

• Google Chrome for Desktop

• Google Chrome for Mobile

• Microsoft Windows Edge

• Apple Safari for Mobile

Disabling cookies may mean that you are unable to use all the features of our website. Our legitimate interest forms the legal basis for the data processing described.

• Change your cookie settings for our website by clicking on ‘Manage cookies’ in the footer.

• This link will take you to an overview of the cookies used on this website.

We use appropriate technical and organisational security measures to protect your personal data stored by us against manipulation, partial or complete loss and against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments. We also take internal data protection very seriously. Our employees and the external service providers we commission have committed themselves to confidentiality and compliance with data protection regulations. We take appropriate precautions to protect your data. However, the transmission of information via the internet and other electronic means always entails certain security risks, and we cannot guarantee the security of information transmitted in this way.