Lucerne-Lake Lucerne Region Experience Ltd. – Data Protection Notice

Lucerne-Lake Lucerne Region Experience Ltd. operates the https://shop.luzern.com website and is responsible for collecting, processing and using the personal data of visitors to the https://shop.luzern.com website, as well as for ensuring that such data is handled correctly.

1. Responsible for data protection

Luzern-Vierwaldstättersee Experience GmbH (entered in the Canton Lucerne Commercial Register under number CHE-402.260.324)

c/o Luzern Tourismus AG Bahnhofstrasse 3 6002 Lucerne Email: dsb@luzern.com

We take data protection seriously and process the data in accordance with the Federal Act on Data Protection, the Ordinance to the Federal Act on Data Protection and, where applicable, the General Data Protection Regulation (GDPR) of the European Union and other provisions that may be applicable.

We process personal data according to the following principles:

2. Opening an account, booking and paying for services

2.1. Opening an account, booking services

If you would like to book services via the https://shop.luzern.com website, you can decide whether to open a user account or book the services as a guest. In either case, the following information is collected:

• Title

• First name

• Last name

• Email address

• Street and number

• Postcode

• Town/city

• Country

• Date of birth (optional)

• Password (if a user account is opened)

• ‘My orders’ (services booked including data relating to the service provision and its prices and information necessary for the service provision)

• In the case of bookings for multiple participants, the following information is collected from participants: first name, last name, address, booked services (including data relating to the provision of services, their prices and information required to provide the services). If you take out cancellation insurance, the data remains with Lucerne-Lake Lucerne Region Experience Ltd. In the event of a claim, the data required for settling the claim is transmitted to the insurer AXA Versicherungen AG, General-Guisan-Strasse 40, Postfach 357, 8401 Winterthur. Data protection provisions of AXA Versicherungen AG: www.AXA.ch/datenschutz

This personal information is collected and processed by our external processor and used, stored and archived for the initiation, conclusion, invoicing and fulfilment of contractual obligations. The use of data is governed and restricted by a data processing agreement between Lucerne-Lake Lucerne Region Experience Ltd. and Alturos Destinations AG, Churerstrasse 54, 8808 Pfäffikon SZ, Switzerland and Alturos Destinations GmbH, Lakeside B03, 9020 Klagenfurt, Austria. This processing is based on the implementation of pre-contractual measures and/or on the fulfilment of contractual obligations including their billing according to Art. 6 (1) (b) GDPR.

Where necessary for the fulfilment of the contract, your data and that of other participants is forwarded to your selected service provider. This data processing is necessary for the fulfilment of contractual obligations and is based on Art. 6 (1) (b) GDPR.

2.2. Payment for booked services

The booked services must be paid for when the shopping basket is checked out. The payment process is handled by payment service provider Datatrans AG and the data is further processed by Payyo AG by Trekksoft AG.

Lucerne-Lake Lucerne Region Experience Ltd. has concluded corresponding agreements with both companies. Data processing is based on Art. 6 (1) (b) GDPR and serves the performance of the contract.

Note on the data protection provisions of Datatrans AG

In the case of credit card payments, card details are forwarded to your credit card issuer via payment service provider Datatrans AG, Kreuzbühlstrasse 26, 8008 Zurich and the credit card acquirer for the purpose of authorising the payment. If you decide to pay by credit card, you will be asked to enter all the necessary information each time. The legal basis for transferring the data is the performance of a contract in accordance with Art. 6 (1) (b) GDPR. Datatrans also meets common security standards, in particular the Payment Card Industry Data Security Standard (PCI DSS). With regard to the processing of your credit card information by the above-mentioned third parties, please consult the general terms and conditions and data protection notice of your credit card issuer. Further information can be found in the Datatrans AG data protection notice https://www.datatrans.ch/de/datenschutzbestimmungen/.

Note on the data protection of Payyo AG by TrekkSoft AG

Payyo AG by Trekksoft AG, Hauptstrasse 15, 3800 Matten b. Interlaken, Switzerland receives all the information necessary for settling payments with the service partners and forwards this information to the service partners. The legal basis for transferring the data is the performance of a contract in accordance with Art. 6 (1) (b) GDPR.

3. Telephone enquiries

In the case of telephone enquiries, only data in anonymised form is collected for statistical purposes. It is not possible to identify the caller from this data. If you would like a callback or if clarifications need to be made as a result of the enquiry, your first and last names as well as your telephone number are recorded. This data collection is based on Article 6 (1) (a) GDPR and thus on your consent.

4. Newsletter

You have the option of subscribing to our newsletter on our website and also when making a booking. Registration is required for this. The following data is required as part of the registration process:

• Title

• First and last names

• Email address

The above data is essential for data processing. We process this data exclusively to personalise the information and offers sent to you and to tailor them more closely to your interests.

By registering, you give us your consent to process the data provided for the purpose of regularly sending the newsletter to the address you specify, evaluating user behaviour by means of statistics, and optimising the newsletter. This consent constitutes our legal basis for processing your email address within the meaning of Art. 6 (1) (a) GDPR. We are entitled to commission third parties with the technical implementation of advertising and to share your data for this purpose (see below).

There is a link at the end of each newsletter that you can use to unsubscribe from it at any time. When unsubscribing, you have the option of informing us of your reason for doing so. After you have unsubscribed, your personal data is deleted. Data will only be processed further in anonymised form for the purpose of optimising our newsletter.

To send our newsletter, we use email marketing services provided by Microsoft Dynamics 365, Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Our newsletter may contain a web beacon (tracking pixel) or similar technical means. A web beacon is an invisible graphic (1x1 pixel in size) that is associated with the user ID of the respective newsletter subscriber.

The use of corresponding services makes it possible to know whether the emails containing our newsletter are opened. It also allows the clicking behaviour of the newsletter recipient to be recorded and analysed. We use this data for statistical purposes and to optimise the content and structure of the newsletter. This enables us to tailor the information and offers in our newsletter more closely to the individual interests of each recipient. In this regard, we base ourselves on our legitimate interests according to Art. 6 (1) (f) GDPR. The tracking pixel is deleted when you delete the newsletter.

To block tracking pixels in our newsletter, you should set your email app so that HTML is not displayed in emails. The following explains how to do this in the most common email applications.

• Outlook 2007-2016

• Microsoft Outlook Mail for Mac (“Load remote content in messages”)

• Mac Mail, Gmail, Outlook: Disable image loading

In this regard, we base ourselves on our legitimate interests according to Art. 6 (1) (f) GDPR.

5. Chat feature

On our website, you have the option of contacting us directly via a chat box. The following personal data is required to use the chat feature:

• Your message

• IP address

• Chat history and browser data

Offline mode: contact details (name, email address and telephone number for callback) are required only for offline enquiries outside usage hours.

We use this data only in order to answer your message via chat in an optimum manner and in a way that is tailored to you. The processing of your chat query constitutes our legitimate interest according to Art. 6 (1) (f) GDPR. You can object to this data processing at any time (see Section 12 Contact). You are personally responsible for the messages/content you send us via the chat feature. We recommend that you do not send any sensitive information via the chat feature. Only the personal data you send to us voluntarily during the chat will be collected. You are therefore in control of which information you send us. In order to answer your chat queries, we may request additional information from you, such as your email address and telephone number, etc. We will only collect personal data from you which we require to process and answer your query or to provide the services requested. Art. 6 (1) (f) GDPR.

For the chat feature, we deploy Zendesk Chat from Zendesk Inc., 989 Market Street, San Francisco, CA 94103, USA. The chat data is stored by Zendesk on a server in a member state of the European Union. Zendesk has acknowledged the regulations of the EU-US and Switzerland-US Privacy Shield, https://www.zendesk.de/company/privacy-and-data-protection/#privacy-shield

6. Use of our website https://shop.luzern.com

6.1. Log file

When you visit our website, our servers temporarily store each access in a log file. The following data is collected without any action on your part and stored by us until it is automatically deleted after no more than twelve months:

• The IP address of the requesting computer

• The date and time of the access

• The name and URL of the retrieved file

• The website from which access was made

• Your computer’s operating system and the browser you use

• The country from which you accessed the website and the language settings in your browser

• The name of your internet access provider

This data is collected and processed for the purpose of enabling the use of our website (establishing a connection), ensuring continuous system security and stability, enabling the optimisation of our internet offering, and for internal statistical purposes. The data processing constitutes our legitimate interest according to Art. 6 (1) (f) GDPR. In particular, the IP address is used to capture the website visitor’s country of residence and to preset the language of the website accordingly. The IP address is also analysed for investigation and prevention purposes in the event of an attack on the network infrastructure or if other abuse or misuse of the website is suspected and, if applicable, during criminal proceedings to identify and proceed against the relevant users under civil and criminal law. This is done to protect our legitimate interests according to Art. 6 (1) (f) GDPR.

In addition, when you visit our website, we use tracking pixels and cookies for the use of web analysis services. For more information, see sections 6.2 and 6.3 of this data protection notice.

6.2. Cookies

6.2.1. General information about cookies

Cookies are information files that your web browser automatically stores on your computer’s hard drive when you visit our website. Cookies neither damage the hard drive of your computer nor do they transmit user personal data to us. Cookies help in many ways to make your visit to our website easier, more pleasant and more meaningful.

For example, we use cookies to tailor the information, offers and advertising you see more closely to your individual interests. Our use of cookies does not lead to us receiving new personal data about you as an online visitor. Most internet browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or a message always appears when you receive a new cookie. On the following pages, you will find an explanation of how to configure the processing of cookies in the most common browsers:

• Microsoft Edge

• Mozilla Firefox

• Google Chrome for desktop

• Google Chrome for mobile

• Apple Safari for desktop

• Apple Safari for mobile

Disabling cookies may result in you being unable to use all the features available on our website.

6.2.2. Cookie consent tool (OneTrust)

To enable you to control the use of cookies, a cookie consent tool has been implemented on our website (hereinafter: OneTrust). OneTrust is owned by OneTrust LLC, Dixon House, 1 Lloyd’s Avenue, London EC3N 3DQ, UK and displays a list of cookies broken down by function group, explains the purpose of the cookie function groups and the individual cookies, and displays how long they are stored.

In order to use OneTrust, it is technically necessary to store multiple cookies.

The first time you visit our website, OneTrust will be displayed as a pop-up window in which you can activate cookies (which are divided into function groups) by clicking on the corresponding box. Note that the technically necessary cookies are stored as soon as you visit the website, so the corresponding box is preset.

If functional cookies are deactivated, use of the website or individual features may be restricted or impossible.

To check or change your cookie settings, click on “Cookie settings” at the bottom of the website.

6.3. Tracking tools

6.3.1. Google Analytics

The website uses Google Analytics, a web analysis service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland or Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. Google Analytics uses methods which enable website usage to be analysed, such as cookies (see Section 6.2 Cookies). The information generated by the cookie about your use of this website, such as the navigation path that you follow on the website, length of time spent on the website or subpage, subpage from which the website is left, country, region or city from which access is made, terminal device (type, version, colour depth, resolution, width and height of the browser window), whether you are a repeat or new visitor, the browser type/ version, operating system used, referrer URL (the previously visited site), host name of the accessing computer (IP address), and time of the server request are transmitted to servers belonging to Google, a company of the holding company Alphabet Inc. in the USA and stored there (see Section 10 Note on data transfers to the USA). As IP anonymisation (“anonymizeIP”) is enabled on this website, the IP address is abridged within the member states of the European Union or in other contracting states to the agreement on the European Economic Area and Switzerland before being transferred. Google does not combine the anonymised IP address transferred by your browser for Google Analytics with other data. Only in exceptional cases will the full IP address be transferred to a Google server in the US and abridged there. In these cases, we ensure by means of contractual guarantees that Google maintains sufficient data protection levels.

The information is used to analyse website usage, compile reports about activities on the website and to provide other services associated with use of the website and internet for market research purposes and needs-based website design. This information may also be transferred to third parties if this is required by law or if third parties are commissioned to process this data. According to Google, the IP address will not be linked to other data concerning users under any circumstances. Data processing within the scope of these remarks is based on Art. 6. (1) (f) GDPR and is in our interest.

Users may prevent the collection by Google of data generated by the cookie and relating to their website usage (including their IP address) and the processing by Google of this data by downloading and installing the browser plugin available here: http://tools.google.com/dlpage/gaoptout?hl=de

For more information, please see Google’s data protection notice and terms of use at https://policies.google.com/privacy?hl=de

6.4. Links to our social media pages

Our website includes links to our social media profiles on various social networks. The following information is provided for general information purposes. We have no knowledge of the data collected, transmitted and subsequently used by the respective provider of the social media accessed. The respective social media platforms contain the applicable data protection provisions.

Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, and Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

X Inc.,1355 Market Street, Suite 900, San Francisco, CA 94103, USA, and X International Company, 1 Cumberland Place, Fenian Street, Dublin 2, Ireland

YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, and Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland

Instagram LLC, 1601 Willow Road, Menlo Park, CA 94025, USA, and Instagram c/o Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

LinkedIn, 1000 W Maude, Sunnyvale, CA 94085, USA and LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

WhatsApp LLC, 1601 Willow Road, Menlo Park, California 94025, USA, and WhatsApp Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Tripadvisor Inc., 400 1st Avenue, Needham, MA 02494, USA.

If you click on the relevant symbols for the social networks, you will automatically be redirected to our profile on the corresponding network. To use the relevant network’s functions, you will sometimes have to log into your user account for that network.

If you click on a link to one of our social media profiles, a direct connection is established between your browser and the server of the relevant social network. The network will therefore receive the information that you are visiting our website with your IP address and have opened the link. If you open a link to a network while you are logged in to your account for the relevant network, the content of our page may be linked to your profile on the network, meaning that the network can directly assign your visit to our website to your user account. If you wish to prevent this, you should log out before clicking on this kind of link. This assignment will happen anyway if you log in to the relevant network after clicking the link.

6.4.1. Social Plugins from Facebook

Social plugins from Facebook are used on our website to make our online presence more per­sonal. We use the “LIKE” or “SHARE” buttons for this purpose. This is an offering from US com­pany Facebook Inc. (1601 S. California Ave, Palo Alto, CA 94304, USA).

By integrating the plugin, Facebook receives the information that your browser has called up the corresponding website, even if you do not own a Facebook account or are not logged in to Fa­cebook. This information (including your IP address) is transferred by your browser to one of Facebook’s servers in the United States and stored there. If you are logged in to Facebook, Facebook may assign the visit to our website to your Facebook account directly. If you interact with the plugins, for example the “LIKE” or “SHARE” button, the corresponding information is likewise transferred to one of Facebook’s servers directly and stored there. The information is published on Facebook and shown to your Facebook friends.

Facebook may use this information for the purposes of advertising, market research and needs-based design for Facebook pages. For this reason, usage, interests and relationship profiles are created by Facebook, e.g. in order to analyse your use of our website with respect to the adver­tisements placed on Facebook, to inform other Facebook users about your activity on our web­site and to provide other services associated with your use of Facebook.

If you do not want Facebook to assign the data collected about your online presence to your Facebook account, you must log out of Facebook before visiting our website. The purpose and scope of data collection and further processing and use of the said data by Facebook as well as your rights in this respect and settings options in order to protect your privacy can be found in Facebook’s privacy policy.

6.4.2. Social Plugins from X

Plugins from the short messaging network X Inc., 795 Folsom St., Suite 600, San Fran­cisco, CA 94107, USA are integrated into our website. The X plugin (tweet button) is rec­ognisable by the X logo on our website.

If you activiate the social plugins, a direct connection is established between your browser and the X server. Through this connection, X receives the information that you have vis­ited our website with your IP address. If you click on the X "tweet button" while you are logged in to your X account, you may link the content of our websites to your X pro­file. X can attribute the visit to our websites to your user account as a result. We would like to point out that, as the provider of these websites, we are not made aware of the content of the transferred data or its use by X. Further information about this can be found in X privacy policy.

If you do not want X to be able to identify your visit to our websites, please log out of your X account.

6.5. Links to other websites

Links to other websites not operated by Lucerne-Lake Lucerne Region Experience Ltd. are intended to offer the user additional benefits. We have not checked the linked websites in detail and users follow the links on their own responsibility. The operator of the selected website is responsible for data protection. Lucerne-Lake Lucerne Region Experience Ltd. has no knowledge of the data collected and subsequently used by the respective operator of the website.

6.6. Google Maps

Our website uses Google Maps, a service of Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. Google Maps is enabled/disabled via the OneTrust cookie manager. Google Maps provides geographic information about the Lucerne – Lake Lucerne Region. When using Google Maps, information about the use of our website (including the IP address) is transmitted to and stored in a Google server in the USA.

The legal basis for processing the data under this point is our legitimate interest according to Art. 6 (1) (f) GDPR.

Google provides information on the collection, processing and use of your personal data and your rights in its data protection provisions (https://policies.google.com/privacy) and in the conditions of use of Google Maps and Google Earth (www.google.com/help/terms_maps).

7. Disclosure to third parties

We will disclose your personal data only under the following circumstances:

• You have expressly consented to this disclosure.

• There exists a statutory obligation or official order.

• The disclosure is necessary to enforce our rights, in particular to enforce our rights under contracts.

We disclose personal data to third parties insofar as this is necessary for the use of the website, processing enquiries (email, chat, telephone), sending newsletters and other marketing communications, and analysing user behaviour. The third parties may use the data for the stated purpose only.

In addition to the aforementioned service providers, the companies Alturos Destinations AG, Churerstrasse 54, 8808 Pfäffikon SZ, Switzerland and Alturos Destinations GmbH, Lakeside B03, 9020 Klagenfurt, Austria have access to data collected via the website and personal data collected and processed by employees of Lucerne-Lake Lucerne Region Experience Ltd. and Luzern Tourismus AG. These companies implement our website; the data is shared with them to provide and maintain the functionality of our website. Corresponding contracts have been concluded with these companies. In this regard, we base ourselves on our legitimate interests according to Art. 6 (1) (f) GDPR.

Please note that Lucerne-Lake Lucerne Region Experience Ltd. and/or its service providers may be obliged by law or official order to share your personal data with public authorities or third parties commissioned by public authorities. For companies in the EU or EEA, this disclosure of personal data may be based on Art. 6 (1) (e) GDPR, and companies in Switzerland, etc. on Art. 6 (1) (f) GDPR.

8. Note on data transfers to the USA

For the sake of completeness, we would like to point out to users residing or domiciled in Switzerland or the European Union that US authorities have surveillance measures in place in the USA which generally allow the storage of the personal data of persons whose data has been transferred to the USA from Switzerland or the European Union. This is done without any differentiation, limitation or exception being made in light of the objectives pursued, and without providing an objective criterion for determining limits to the access by the US authorities to the data and its subsequent use to very specific, strictly limited purposes that are capable of justifying the interference associated both with the access to this data and with its use. Furthermore, we would like to point out that there are no legal remedies available in the USA for persons from Switzerland and the European Union that would allow them to gain access to the data concerning them and to have it rectified or erased, and that there is no effective judicial protection against the general access rights of US authorities. We are making such persons explicitly aware of this legal and factual situation so that they can make an appropriately informed decision regarding their consent to the use of their data.

We would like to point out to users residing in an EU member state that, from the perspective of the European Union, the USA does not have an adequate level of data protection, partly due to the issues outlined in this section. Insofar as we have explained in this data protection notice that data recipients (such as Google, Facebook and X) are based in the USA, we will ensure that your data is protected to an appropriate level by our partners, either through contractual arrangements with these companies or by ensuring that these companies are certified under the EU-US Privacy Shield.

9. Retention of data

We store personal data only for as long as is necessary to use the tracking, advertising and analysis services mentioned above within the scope of our legitimate interest; to perform services to the extent specified above that you have requested or for which you have given your consent (e.g. for the newsletter in section 4); and to comply with our statutory obligations.

We store contract data for a longer period, as this is prescribed by statutory retention obligations. Retention obligations, which oblige us to store data, result from accounting and tax regulations. According to these regulations, business communications, concluded contracts and accounting records must be kept for up to ten years.

10. Right to information, rectification, erasure and restriction of processing; right to data portability

10.1. Your rights

You have the right, upon request, to receive information free of charge about the personal data we have stored about you. In addition, you have the right to have inaccurate data corrected and the right to have your personal data deleted, provided that this is not prevented by a statutory obligation to retain the data or by a legal basis that allows us to process the data. Pursuant to Articles 18 and 21 of the GDPR, you also have the right to request a restriction of data processing and to object to data processing.

You also have the right to demand the return of the data that you have provided to us (right to data portability). On request, we will also pass on the data to a third party of your choice. You have the right to receive the data in a common file format.

You can reach us using the email address dsb@luzern.com for the aforementioned purposes (Section 12 Contact). In order to process your requests, we may, at our own discretion, require proof of identity.

You may also tell us what to do with your data after your death by providing us with appropriate instructions.

10.2. Restriction of processing

If you have requested that the processing of your personal data be restricted in accordance with Art. 18 (1) GDPR, we may only process this data with your consent or for the establishment, exercise or defence of legal claims or for the protection of another natural or legal person or for important public interests.

10.3. Exercising your rights

In order to exercise your rights, you must inform us in person, by telephone or in writing. We can only provide you with information if you can identify yourself. If you have any questions about data protection on our website, would like more information or wish to have your data deleted, please contact us by emailing dsb@luzern.com.

You can also send a letter to the following address:

Luzern-Vierwaldstättersee Experience GmbH c/o Luzern Tourismus AG Bahnhofstrasse 3 CH-6002 Lucerne

10.4. Complaint to the data protection supervisory authority

If you believe that the storage and processing of your personal data violates applicable data protection law or your data protection aspects are being violated, you have the right to lodge a complaint with the supervisory authority.

11. Data security

We take appropriate technical and organisational security measures to protect your personal data stored by us against manipulation, partial or total loss and unauthorised access by third parties. We improve our security measures continuously in line with technological developments.

You should always treat your payment information confidentially and close the browser window when you have finished communicating with us, especially if the computer is used by others.

We also take internal data protection very seriously. We oblige our employees and the service providers commissioned by us to maintain confidentiality and to comply with the provisions of data protection law. In addition, they are granted access to personal data only insofar as this is deemed necessary.

12. Data protection agency for the EU and EEA

We have appointed the following data protection agency for the European Union and the European Economic Area: Advovox Rechtsanwalts GmbH, Grossbeerenstrasse 2-10/Haus 6, 12107 Berlin, Germany, inbox@advovox.de. The data protection agency is an additional point of contact for enquiries from supervisory authorities and data subjects in connection with the General Data Protection Regulation (GDPR) in addition to the address mentioned in Section 13.

13. Contact

If you have any questions about data protection, if you would like more information or wish to have data corrected or deleted, please contact:

Luzern-Vierwaldstättersee Experience GmbH c/o Luzern Tourismus AG Bahnhofstrasse 3 CH-6002 Lucerne Email dsb@luzern.com