Privacy Policy of the Bourbaki Panorama Luzern Foundation

Table of contents


1          What is this privacy policy about?

2          Who is responsible for processing your data?

3          How do we handle your personal data?

4          What technical data do we collect?

5          What registration data do we collect?

6          What communication data do we collect?

7          What contract data do we collect?

8          Which master data do we collect?

9          What data do we collect on our pages in the social networks?

10        What other data do we collect?

11        What rights do you have?

12        On what basis do we process your data?

13        To whom do we disclose your data?

14        Do your personal data also end up abroad?

15        Can this privacy policy be changed?


  1. What is this privacy statement about?

The Bourbaki Panorama Luzern Foundation (hereinafter also “we”, “us”), as the operator of the Bourbaki Panorama Luzern museum and property, respects your right to privacy. We collect and process personal data concerning you or other persons (so-called “third parties”). We use the term “data” here synonymously with “personal data” or “persobal information”. In addition, we address other important topics regarding privacy and data protection. In the following, the Bourbaki Panorama Luzern Foundation will be abbreviated to Bourbaki.

In this privacy statement, we describe what we do with your data when you visit or use our educational app “My Bourbaki Panorama”, obtain our services or products, otherwise interact with us under a contract, communicate with us or otherwise deal with us. Where appropriate, we will notify you by timely written notice of additional processing activities not mentioned in this Privacy Policy. In addition, we may inform you separately about the processing of your data, e.g. in consent forms, contract terms, additional privacy statements, forms and notices.

If you transmit or disclose data about other persons such as family members, work colleagues, etc., we assume that you are authorised to do so and that this data is correct. By submitting data about third parties, you confirm this. Please also ensure that these third parties have been informed of this data protection declaration.

This privacy statement is designed to meet the requirements of the Swiss Data Protection Act (“DPA”) and the revised Swiss Data Protection Act (“revDSG”). However, whether and to what extent these laws are applicable depends on the individual case.

2. Who is responsible for processing your data?

The responsible party within the meaning of the Swiss Data Protection Act (DSG) and other data protection provisions is, unless otherwise communicated in individual cases, e.g. in further data protection declarations or in contracts, the:

Stiftung Bourbaki Panorama Luzern
Löwenplatz 11
CH-6000 Luzern 6
Tel: + 41 41 412 30 30

Your contact person of the responsible persons is:

Irène Cramm, Museumsleiterin
Stiftung Bourbaki Panorama Luzern
Löwenplatz 11
CH-6000 Luzern 6
Tel: +41 41 412 30 30

3. How do we handle your personal data?

3.1. Scope of the processing of personal data

As a matter of principle, we only process the personal data of our users to the extent that this is necessary for the provision of a functioning website and for the provision of our services and for communication purposes. The processing of personal data of our users only takes place with the consent or information of the users. An exception applies in those cases in which it is not possible to obtain prior consent for actual reasons and the processing of the data is permitted by legal regulations.

3.2. Legal basis for the processing of personal data

The processing of personal data in Switzerland is based on Art. 4 et seq. of the FADP. If the processing is necessary to protect a legitimate interest of our organisation or a third party and the interests and fundamental rights of the users do not outweigh the first-mentioned interest, Art. 13 FADP serves as the legal basis.

3.3. Protection of personal data

We take reasonable security measures to maintain the confidentiality, integrity and availability of your personal data, to protect it against unauthorised or unlawful processing and to protect against the risks of loss, accidental alteration, unauthorised disclosure or access.

3.4. Data deletion and storage period

The personal data of the data subject will be deleted as soon as the purpose of the storage no longer applies. Storage may also take place if this has been provided for by the legislator in ordinances, laws or other regulations to which Bourbaki is subject. The data will also be deleted if a storage period prescribed by the aforementioned standards expires, unless there is a necessity for the continued storage of the data for the conclusion or fulfilment of a contract.

4. What technical data do we collect?

When you use our website or other electronic offers (e.g. free guest WLAN), we collect the IP address of your end device and other technical data to ensure the functionality and security of these offers. This data also includes logs in which the use of our systems is recorded. The technical data in itself does not allow any conclusions to be drawn about your identity. As a rule, we cannot deduce who you are from technical data, unless you contact us via the contact form on our website. In this case, we can link technical data with master data - and thus with your person.

5. What registration data do we collect?

Certain offers and services (e.g. newsletter dispatch) can only be used with registration, which can take place directly with us or via our external login service providers. In doing so, you must provide us with certain data and we collect data on the use of the offer or service. The following information is collected:

  • First name and surname
  • E-mail address
  • IP address of the terminal device

We collect registration data for the purpose of maintaining relationships as well as for marketing purposes, e.g. to send our customers information about services and products. This can take place, for example, in the form of newsletters and other regular contacts, via other channels for which we have contact information from them, but also as part of individual marketing campaigns (e.g. events).

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the use of the free WLAN, this is the case when the respective session has ended. We generally retain registration data for 12 months after the end of the use of the service or the termination of the user account.

You can refuse such contacts at any time or refuse or revoke consent to be contacted for advertising purposes.

6. What communication data do we collect?

When you are in contact with us in person at the Museum Reception via the contact form, email, telephone, letter or other means of communication, we collect the data exchanged between you and us, including your contact details and the marginal data of the communication. The data are:

  • First name and surname
  • Address
  • Company/group/school
  • E-mail address
  • Telephone number

If we record telephone conversations or video conferences, e.g. for training and quality assurance purposes, we will specifically draw your attention to this. Such recordings may only be made and used in accordance with our internal data protection guidelines. You will be informed if and when such recordings take place, e.g. by an advertisement during the video conference in question. If you do not wish to be recorded, please inform us or end your participation. If you simply do not want your image to be recorded, please turn off your camera. If we want or need to establish your identity, e.g. in the case of a request for information submitted by you, a request for media access, etc., we collect data to identify you (e.g. a copy of an ID card).

If you send us an e-mail, this will be passed on to Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, USA). The data transmitted to us in this way is stored exclusively at data storage locations within Switzerland and the European Union. There is a contract based on EU standard contractual clauses with Microsoft for the data protection-compliant processing of the transmitted data.

The processing of personal data from contacting us is solely for the purpose of processing the same, in particular to answer enquiries and assert your rights and to contact you in the event of queries. The contact also constitutes the necessary legitimate interest in processing the data.

The duration of storage is based on the legal requirements. We generally keep physical documents (e.g. booking sheet) for 24 months. This period may be longer insofar as this is necessary for reasons of evidence or to comply with legal or contractual requirements or for technical reasons. E-mails in personal mailboxes and written correspondence are generally stored for a maximum of 10 years.

Users have the option to revoke their consent to the processing of personal data or to object to the storage at any time. In such a case, the conversation cannot be continued. The objection to storage or the claiming of the right to deletion must be clearly formulated by the user in the text of the e-mail or written correspondence. All personal data stored in the course of contacting us will be deleted in this case.

7. What contract data do we collect?

This is data that arises in connection with the conclusion or processing of a contract, e.g. information about contracts and the services to be provided or provided, as well as data from the run-up to the conclusion of a contract, the information required or used for processing and information about reactions (e.g. complaints or information about satisfaction, etc.). We generally collect this data from you, from contractual partners and from third parties involved in the processing of the contract and from publicly accessible sources.

Contractual data includes information about the conclusion of the contract, about your contracts, e.g. type and date of conclusion of the contract, information from the application process (such as an application for our products or services) and information about the contract in question (e.g. its duration) and the processing and administration of the contracts (e.g. information in connection with invoicing, customer service, assistance with technical matters and the enforcement of contractual claims). Contract data also includes information about defects, complaints and adjustments to a contract, as well as information about customer satisfaction that we may collect, for example, through surveys. Contract data also includes financial data such as details of reminders and debt collection. We receive this data partly from you (e.g. when you make payments), but also from credit agencies and from publicly accessible sources (e.g. a commercial register).

We process your data for the purpose of establishing, managing and processing contractual relationships.

As a rule, we keep this data for 10 years from the last contractual activity, but at least from the end of the contract. This period may be longer if this is necessary for reasons of evidence or to comply with legal or contractual requirements or for technical reasons.

8. What master data do we collect?

We refer to master data as the basic data that we require in addition to the contractual data (see above) for the processing of our contractual and other business relationships or for marketing and advertising purposes, such as name, contact details and information e.g. about the ticket type (e.g. child or adult), your role and function, your bank account(s), your date of birth, customer history, powers of attorney, signature authorisations and declarations of consent. We obtain master data from yourself, from bodies you work for or from third parties such as our contractual partners, associations and address dealers and from publicly accessible sources such as public registers or the internet (websites, social media etc.).

We process your master data if you are a customer or other business contact or are working for such a contact (e.g. as a contact person of the business partner), or because we want to address you for our own purposes or the purposes of a contractual partner (e.g. as part of marketing and advertising, with invitations to events, with newsletters, etc.). We collect information on the ticket type exclusively for the purpose of internal statistics.

The duration of the storage is based on the legal requirements.

9. What data do we collect on our social network pages?

We may operate pages and other online presences on social networks (“fan pages”, “channels”, “profiles” etc.) and collect the data about you described in section 4 and below there. We receive this data from you and the platforms when you come into contact with us via our online presence (e.g. when you communicate with us or comment on our content). At the same time, the platforms evaluate your use of our online presences and link this data with other data about you known to the platforms (e.g. about your behaviour and preferences). They also process this data for their own purposes under their own responsibility, in particular for marketing and market research purposes (e.g. to personalise advertising) and to control their platforms (e.g. what content they show you).

We process this data for the purposes described in section 3, in particular for communication, marketing purposes (including advertising on these platforms) and market research. Content published by you (e.g. comments on an announcement) may be disseminated by us (e.g. in our advertising on the platform or elsewhere). We or the platform operators may also delete or restrict content from or about you in accordance with the usage guidelines (e.g. inappropriate comments).

For further details on the edits made by the operators of the platforms, please refer to the platforms' data protection notices. There you will also find out in which countries they process your data, what rights of access, deletion and other data subjects you have and how you can exercise these or obtain further information. We currently use the following platforms:

  • Facebook: Here we operate the page: The responsible body for operating the platform for users from Europe is Facebook Ireland Ltd, Dublin, Ireland. Their privacy policy can be found at As part of Page Insights, statistics are compiled about what visitors do on our site (comment on posts, forward content, etc.). This is described at We only receive anonymous, aggregated data. We have regulated our responsibilities regarding data protection according to the information on
  • Instagram: Here we operate the profile: The responsible body for the operation of the platform is: Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA. Their privacy policy is available at: Instagram can assign your visit to our pages to your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Instagram.
  • Youtube: Here we operate the channel: The responsible body for the operation of the platform for users from Europe is Google Ireland Limited, a company registered and operated under Irish law, with its registered office in Gordon House, Barrow Street, Dublin 4 Ireland. Their privacy notice is available at: Your legal agreement with YouTube consists of the terms and conditions available at the following link: These terms constitute a legally binding agreement between you and YouTube regarding your use of the Services. Google's privacy policy ( explains how Google treats and protects your personal data when you use the YouTube Services. We cannot be held responsible for your use of the YouTube Services.

10. What other data do we collect?

We also collect data from you in other situations. In connection with official or judicial proceedings, for example, data is collected (such as files, evidence, etc.) which may also relate to you. We may also collect data for health protection reasons (e.g. in the context of protection concepts). We may obtain or make photographs, videos and sound recordings in which you may be identifiable (e.g. at events, through security cameras etc.). We may also collect data on who enters certain buildings when or has corresponding access rights (incl. in the case of access controls, based on registration data or visitor lists etc.), who participates in events or campaigns when or who uses our infrastructure and systems when.

The retention period of this data depends on the purpose and is limited to what is necessary. We inform you in advance about the collection of the data described above.

11. What rights do you have?

When personal data is collected, you have the following rights, depending on the applicability of the legal data protection requirements according to your location:

11.1 Right to information

In accordance with Art. 8 of the Data Protection Act (DSG), you can request confirmation from Bourbaki as to whether personal data concerning you is being processed by us. This right is not transferable and is not subject to a time limit. Your right to information includes the following:

  • Information about all personal data concerning you that is held in a data file, including where it came from;
  • Information on the purpose of the processing and, if applicable, the legal basis for the processing;
  • information on the categories of data processed;
  • information on the parties involved in a data file
  • Information on persons and bodies to whom data are transmitted (data recipients). This includes information on whether the personal data concerning you will be transferred to a third country or to an international organisation.
  • Information on the planned duration of the storage of the personal data concerning you or, if concrete information on this is not possible, criteria for the determination of the storage duration
  • The existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by Bourbaki or a right to object to such processing.
  • The existence of a right of appeal to a supervisory authority
  • Any available information on the origin of the data if the personal data is not collected from you

Should you wish to receive such information, please contact the Bourbaki contact person in writing, enclosing a copy of your ID. The copy of your ID is for identification purposes only. Please write as precisely as possible what you are requesting information about. Your request for information will be processed within 30 days of receipt, i.e. you will either receive written notification of the request for information or a reasoned decision to refuse the information.

11.2 Right to rectification

Pursuant to Art. 15 of the Data Protection Act, you have a right of rectification vis-à-vis Bourbaki if the processed personal data concerning you are incorrect or incomplete. Bourbaki will carry out the correction without delay. It is your responsibility to inform us that existing personal data concerning you are incorrect or outdated.

11.3 Right to restriction of processing

You may request the restriction of the processing of personal data concerning you under the following conditions:

  • If you dispute the accuracy of the personal data concerning you for a period of time that allows Bourbaki to verify the accuracy of the personal data.
  • If the processing of the personal data concerning you is unlawful and you refuse to erase the data and instead request the restriction of the use of the personal data.
  • If Bourbaki no longer needs the personal data for the purposes of processing, but you need it for the assertion, exercise or defence of legal claims.

If the restriction of processing has been restricted in accordance with the above-mentioned conditions, you will be informed by Bourbaki before the restriction is lifted.

11.4 Right to deletion

Pursuant to Art. 12 para. 2b and Art. 15 para. 1 FADP, you have the right to erasure of all processed personal data concerning you, provided that the following reasons apply:

  • The personal data concerning you are no longer needed for the purposes for which they were collected or processed.
  • You withdraw your consent on which the processing was based in accordance with valid legal grounds and there is no other legal basis for the processing.
  • You object to the processing and there are no overriding legitimate grounds for the processing.
  • The personal data concerning you has been processed unlawfully.
  • The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Swiss law to which Bourbaki is subject.

Bourbaki will carry out this deletion within 30 days and also instruct any data recipients to do so as well as confirm the deletion to you or inform you in a reasoned decision why the deletion could not be carried out.

11.5 Right to information

If you have asserted the right to rectification, erasure or restriction of processing against Bourbaki, we are obliged to inform all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data. 

12. On what basis do we process your data?

Where we ask for your consent for certain processing, we will inform you separately about the relevant purposes of the processing. You may revoke consent at any time with future effect by notifying us in writing (by post) or, where not otherwise stated or agreed, by email; you will find our contact details in section 2. Where you have a user account, revocation or contact with us may also be carried out via the relevant website or other service, if applicable. Once we have received notice of the withdrawal of your consent, we will no longer process your data for the purposes to which you originally consented, unless we have another legal basis for doing so. The revocation of your consent will not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Where we do not ask you for your consent for processing, we base the processing of your personal data on the fact that the processing is necessary for the initiation or execution of a contract with you (or the entity you represent) or that we or third parties have a legitimate interest in doing so, so in particular in order to pursue the purposes and related objectives described above and to be able to implement appropriate measures. Our legitimate interests also include compliance with legal requirements, insofar as this is not already recognised as a legal basis by the applicable data protection law in each case.

If we receive sensitive data (e.g. biometric data for identification purposes), we may also process your data on the basis of other legal grounds, e.g. in the event of disputes due to the necessity of processing for a possible lawsuit or the enforcement or defence of legal claims. In individual cases, other legal grounds may come into play, which we will communicate to you separately where necessary.

13. Who do we disclose your data to?

In connection with our contracts, the website, our services and products, our legal obligations or otherwise in order to protect our legitimate interests and the other purposes listed, we also transfer your personal data to third parties, in particular to the following categories of recipients:

  • Service providers: We work with service providers in Switzerland and abroad who process data about you on our behalf or under joint responsibility with us or who receive data about you from us under their own responsibility (e.g. IT providers). The central service providers for us in the IT area are Microsoft, Goodvantage GmbH, and in the collection area the company Procliente Treuhand AG.
  • Authorities: We may pass on personal data to offices, courts and other authorities in Switzerland and abroad if we are legally obliged or entitled to do so or if this appears necessary to protect our interests. Authorities process data about you that they receive from us on their own responsibility.
  • Other persons: This refers to other cases where the involvement of third parties arises from the purposes set out in point 12, e.g. service recipients, media and associations in which we participate or if you are part of one of our publications.

All these categories of recipients may in turn involve third parties, so that your data may also become accessible to them. We may restrict the processing by certain third parties (e.g. IT providers, data processors).

14. Does your personal data also end up abroad?

As explained in section 13, we also disclose data to other bodies. These are not only located in Switzerland. Your data may therefore be processed in Europe; in exceptional cases, however, in any country in the world.

If a recipient is located in a country without adequate legal data protection, we contractually oblige the recipient to comply with the applicable data protection (for this purpose, we use the revised standard contractual clauses of the European Commission, which can be accessed here:, unless the recipient is already subject to a legally recognised set of rules to ensure data protection and we cannot rely on an exception. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the performance of a contract requires such disclosure, if you have given your consent or if the data in question has been made generally accessible by you and you have not objected to its processing.

Please also note that data exchanged via the Internet is often routed via third countries. Your data may therefore end up abroad even if the sender and recipient are in the same country.

15. Can this privacy policy be changed?

This Privacy Policy does not form part of any contract with you. We may amend this privacy policy at any time. The version published on this website is the current version.

Last updated: 01 October 2023