Attachment 1
Notice of the agreement on the joint processing of personal data according to Art. 26 GDPR

For the processing of personal data relating to the purchase of a Gravity Card, the following enterprises are jointly responsible according to Article 26 GDPR:

•    Bikepark Leogang – Leoganger Bergbahnen GmbH, Hütten 39,5771 Leogang
•    BBSH Bergbahnen Saalbach-Hinterglemm GmbH, Eberharterweg 308, 5753 Saalbach
•    Hinterglemmer Bergbahnen GmbH, Zwölferkogelweg 208, 5754 Hinterglemm
•    Mountain Bike Park Wagrain – Bergbahnen AG Wagrain, Markt 59, 5602 Wagrain
•    Bikepark Semmering – Semmering-Hirschenkogel Bergbahnen Gesellschaft m.b.H., Carolusstraße 3, 2680 Semmering
•    Bikepark Planai – Planai-Hochwurzen-Bahnen GmbH, Coburgstraße 52, 8970 Schladming
•    Bikepark Winterberg – Mountainbike-Park Winterberg GmbH & Co KG, Schanzenstraße 17, 59955 Winterberg
•    Bikepark Geisskopf – Geißkopfbahn, Unterbreitenaus 3, 94253 Bischofsmais
•    Bikepark Spicak – Ski&Bike Spicak, Sport service s.r.o., Spicak 182, 34004 Zelezna Ruda
•    Bikepark Tirol – RBG Berglifte GmbH, Huebenweg 25, 6150 Steinach am Brenner
•    Bikepark Serfaus Fiss Ladis – Waldbahn GmbH & CO OG, Serfaus-Fiss-Ladis, Fisser Straße 50, 6533 Fiss
•    Bikepark Lenzerheide – Lenzerheide Bergbahnen AG, Voa Principala 80, 7078 Lenzerheide
•    Bikepark Brandnertal – Bergbahnen Brandnertal Ges.m.b.H., Mühldörfle 2, 6708 Brand
•    Bikepark Kranjska Gora – RTC Zicnice, Kranjska Gora, d.d., Borovska 103a, 4280 Kranjska Gora
•    Bike Republic Sölden – Bergbahnen Sölden | Ötztaler Gletscherbahn GmbH & Co KG, Dorfstraße 115, 6450 Sölden
•    Bikepark Wurbauerkogel – Hinterstoder-Wurzeralm Bergbahnen AG, Hintersoder 21, 4573 Hinterstoder
•    Bikepark Krvavec – RTC Krvavec d.d., Grad 76, 4207 Cerklje na Gorenjskem
•    Bikepark Innsbruck – Muttereralm Bergbahnen Errichtungs GmbH, Nockhofweg 40, 6162 Mutters
•    Nauders Bergbahnen AG, Gewerbegebiet 1, 6543 Nauders
•    Petzen Bergbahnen GmbH, Unterort 52, 9143 St. Michael ob Bleiburg
•    Bikepark Willingen – Ettelsberg Seilbahn GmbH & Co KG, Zur Hoppecke 5, 34508 Willingen (Upland)

The responsible persons have divided the data protection law tasks as follows:

1.    The parties will perform the data protection law tasks assigned to them below.

2.    Function of a point of contact for the affected persons (Art. 26 Para. 1 GDPR): The respective selling company is considered to be the point of contact for information. Hinterglemmer Bergbahnen GmbH, Zwölferkogelweg 208, 5754 Hinterglemm, provides information on the data collected from the common sales points (online shop, outlet centre).

3.    The essential points of the agreement (Art. 26 Para. 2 GDPR): Customers of each partner company shall be informed of the main points of this agreement by means of a notice. This applies, in particular, to rights according to Art. 16 ff GDPR, that customers must contact the company where the card was purchased. The other companies do not provide any information, whatever the nature or form.

4.    Obligation to provide information when collecting personal data (Art. 13 GDPR): The obligation to provide information must be implemented by each partner accordingly.

5.    Obligation to provide information if data is not collected from the person concerned (Art. 14 GDPR): If personal data has not been collected from the person concerned (e.g. for multiple orders), an information sheet must be brought to the attention of said persons in all cases. This information sheet must be included with the Gravity Card upon issue, which ensures that the obligation to provide information is met toward the person concerned.

6.    Processing requests for information (Art. 15 GDPR): Requests for information must, in principle, be processed by any selling company. Specific customer-side requests for information must only be made by the company which is responsible for selling.

7.    Processing of correction requests (Art. 16 GDPR): The person concerned has the right to immediately require the person responsible to correct any such incorrect personal data. Taking into account the purposes of processing, the person concerned has the right to completion of incomplete personal data, also by means of their own supplementary statement. The correction must be carried out by the selling company. Customer-side correction requirements must be carried out by the company which is responsible for selling.

8.    Processing of deletion requests or restriction of processing requests, and notification of the obligation to delete (Art. 17, 18 and 19 GDPR): The agreed forfeiture rules must be applied. Customer-side requests must be carried out by the company which is responsible for selling.

9.    Handling of demands for surrender of data (Art. 20 GDPR): Each responsible selling company must process any demands for surrender of data for its own tickets.

10.   Processing of objections (Art. 21 GDPR): The right of objection is to be processed by the responsible selling company.

11.   Keeping a directory of processing activities (Art. 30 GDPR): The keeping of a list of processing activities falls within the task of the responsible selling company, for the processing activities cited within this agreement.

12.   Handling of the predicted processes in the event of reportable data breaches (Art. 33, 34 GDPR): Each company is obliged to report any data breaches immediately to the Data Protection Authority and its own customers. If several responsible parties are affected by any data breaches, the Gravity Card steering committee must be informed immediately. Said steering committee will clarify the further course of action for the group.

13.   Appointment of a Data Protection Officer (Art. 27 GDPR): The appointment of a Data Protection Officer is not required.

14.   All those responsible must take adequate and relevant technical and organisational measures (Art. 24 Para. 1 relating to Art. 32 GDPR) so that the rights of the persons concerned can be safeguarded and fulfilled at all times. In any event, the technical and organisational measures described in Annex 1 must be ensured.

15.   Conclusion of contracts in accordance with Art. 28 GDPR (contract processor) if personal data is processed on behalf on another: Each partner is obliged to enter into corresponding contracts with the respective contract processors.

16.   Any additional data protection obligations of the respective persons responsible for further processing activities performed outside the co-operation remain unaffected from this division of tasks. Only the appropriate person is responsible for such processing.