In the following privacy statement, you will find everything you need to know about how your data is processed by our website:
The controller as defined by Article 4 (7) of the General Data Protection Regulation (hereinafter: GDPR) and other national data protection laws of the Member States and other data protection regulations is: see imprint. Please note that we transfer the personal data regularly to our partner www.ticket.io. Please see https://ticket.io/privacy/ for data privacy details.
General Information about Data Processing
1. Scope of processing of personal data
We only collect and process personal data of our users to the extent necessary to ensure the functioning of our website and as required for our contents and services. The personal data of our users is only collected and used routinely after consent has been given by the user. An exception applies in cases in which it is not possible to obtain prior consent for practical reasons and when the processing of the data is permitted by law.
The types of data processed are:
• Personal details (e.g. names, addresses).
• Contact data (e.g. E-mail addresses, telephone numbers).
• Content data (e.g. text input, photos).
• Usage data (e.g. accessed websites, interest in contents, access times)
• Meta/communication details (e.g. device information, IP addresses).
The website is intended only for persons who are at least 16 years of age and should only be used by such persons. We do not intentionally or knowingly process or store personal data about individuals who are under the age of 16. As soon as we gain knowledge that we have stored personal data of individuals who are under the age of 16, we will delete it immediately. Users who become aware that we have stored or processed personal data of individuals who are under the age of 16 are asked to contact us.
2. Legal basis for the processing of personal data
Where we obtain the consent of the data subject for the processing of personal data, point (a) of Article 6 (1) of the GDPR serves as the legal basis for this. Where the processing of personal data is necessary for the performance of a contract to which the data subject is a party, point (b) of Article 6 (1) of the GDPR serves as the legal basis. This also applies to processing that is necessary for taking steps prior to entering a contract. Where processing of personal data is necessary to fulfill a legal obligation to which our company is subject, point (c) of Article 6 (1) of the GDPR serves as the legal basis. Where data processing is necessary for the purposes of a legitimate interest pursued by us or a third party and the aforementioned interest is not overridden by the interests or fundamental rights and freedoms of the data subject, point (f) of Article 6 (1) of the GDPR serves as the legal basis.
3. Data erasure and storage duration
The personal data of the data subject are erased or blocked as soon as the purpose of storage ceases to apply. We use and keep personal data for a maximum period of two (2) years after an individual’s last interaction with the company. The data may be stored for longer periods of time if this is necessary for compliance with the requirements of the European or national legislators as set out in regulations, laws or other rules under European Union law which the controller is subject to. The data are also erased or blocked when a storage period stipulated on the basis of the aforementioned standards expires, unless the continued storage of the data is necessary to enter into or fulfill a contract.
4. Provision of contractual services and contact form
We process personal details (e.g. names and addresses and the contact details of users) and contract details (e.g. services used, names of contact persons) for the purpose of the fulfillment of our contractual obligations and services in accordance with point (b) of Article 6 (1) of the GDPR. The entries marked as mandatory in the online contact forms concern information which is necessary for communication purposes. The data is not passed on to any third parties without the individual’s consent. If any data is transferred to parties whose registered place of business or place at which data processing is carried out is not within a Member Member State of the European Union or within any other state which is party to the Agreement on the European Economic Area, before the data are transferred we ensure that the recipient either has an adequate level of data protection (e.g. on the basis of the agreement of so-called standard EU contractual clauses of the European Union with the recipient) and/or that we have obtained the individual’s appropriate consent. Individuals can obtain from us an overview of the recipients in third countries for the purpose of securing an appropriate level of data protection.
When an individual uses our online services, we store the IP address and the time at which you use them each time. We store this information on the basis of our legitimate interests and in order to protect the user from misuse and unauthorized use. These data are not transferred to third parties unless it is necessary for the pursuit of our legitimate interests or to comply with a legal obligation pursuant to point (c) of Article 6 (1) of the GDPR.
We process usage data (e.g. the accessed websites of our online content, interest in our products) and content data (e.g. entries in the contact form) to be able to provide users with answers to enquiries about our content. This data are never disclosed to third parties. The data are erased after the expiry of the statutory warranty or comparable obligations. Where statutory archiving obligations apply, the data are erased after the expiry of the applicable periods. Information in a customer account remains there until it is erased.
5. Description and scope of data processing
Every time an individual visits our website, our system automates data and information from the user’s computer system.
The following data are collected on a temporary basis:
- Information about the browser type and version used
- The user’s operating system
- The user’s internet service provider
- The user’s IP address
- The date and time of access
- Websites from which the user’s system accesses our website.
The data are stored in the log files of our system. These data are used to analyze any faults which occur and are erased within seven days at the latest. The legal basis for the temporary storage of the data and the log files is provided by point (f) of Article 6 (1) of the GDPR. The temporary storage of the IP address is necessary to enable the website to be delivered to the user’s computer. This means that the user’s IP address needs to be stored for the duration of the session. Storage in log files is carried out to ensure that the website works properly. In addition, the data also help us to optimize the website and ensure that our information technology systems are secure. The data are not analyzed for marketing purposes in this connection or to draw any inferences pertaining to the individual user. These purposes are also based on the legitimate interests in the processing of the data pursuant to point (f) of Article 6 (1) of the GDPR. The collection of data for the provision of the website and the storage of the data in log files is essential for the operation of the website. As a consequence, the user has no possibility of objecting.
6. Facebook Connect and Facebook Custom Audience
We maintain an online presence within social media networks and platforms (e.g. Facebook) in order to communicate with customers, interested parties, and users who actively use these sites and to inform them about our services and provide links to our website.
Please note that this can mean that users’ data may be processed beyond the European Union area. As a result, risks may arise for users, since it may be more difficult for users to exercise their rights, for example. In addition, users’ data are also generally processed for market research and advertising purposes. For example, usage profiles can be created, e.g. from the usage behavior and the interests of the users that emerge from it. The usage profiles can in turn be used in order to e.g. place advertisements within and outside the platform, which are assumed to correspond to the interests of the users. For these purposes, cookies are as a rule stored on the computers of the users in which the usage behavior and the interests of the users are stored. Furthermore, in the usage profiles, data can also be stored independently of the devices used by the users (in particular when the users are members of the respective platforms and are logged onto these platforms).
The processing of the personal data of users is undertaken on the basis of our legitimate interests in obtaining effective information about users and communicating with users in accordance with point (f) of Article 6 (1) of the GDPR. If the users are requested by the respective providers to provide their agreement to the data processing (i.e. to declare their willingness by ticking a box or confirming a button), the legal basis of the processing is point (a) of Article 6 (1), Article 7 of the GDPR. For a detailed description of the respective processing procedures and the options for objection (opt-out), we refer to the information of the provider which is accessible via the following links.
With regard to requests for information and the exercise of user rights, these can most effectively be presented to the providers. Only the providers have access to the users’ data in each case and can take direct measures accordingly and provide information.
7. Rights of the data subject
If individuals’ personal data are processed, he/she the data subject within the meaning of the GDPR and he/she is entitled to the following rights with respect to the controller:
a) The right of access
Individuals have the right to obtain from the controller confirmation as to whether or not personal data concerning him/her are being stored and processed by us. If such processing does take place, the individual is entitled to request details about the following information from the controller:
- the purposes for which the personal data are processed;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed;
- the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- individuals have the right to be informed whether the personal data concerning him/her are transferred to a third country or to an international organization. In this connection, individuals have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
b) The right to rectification
Individuals have the right to obtain from the controller the rectification and/or completion of his/her personal data if the processed personal data are inaccurate or incomplete. The controller must undertake the rectification of inaccurate personal data without undue delay.
c) The right to restriction of processing
Individuals have the right to restrict the processing of the personal data where one of the following applies:
- the accuracy of the personal data is contested by the individual, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the individual opposes the erasure of the personal data and request the restriction of his/her use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the individual for the establishment, exercise or defense of legal claims, or
- the individual has objected to processing pursuant to Article 21 (1) of the GDPR pending the verification of whether the legitimate grounds of the controller override the individual’s grounds.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the individual’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If an individual has obtained restriction of processing pursuant to the above, the individual must be informed by the controller before the restriction of processing is lifted.
d) The right to erasure
aa) Obligation to erase
Individuals have the right to obtain from the controller the erasure of personal data without undue delay, and the controller shall have the obligation to erase such data without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- An individual withdraws consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2) of the GDPR, and where there is no other legal ground for the processing.
- An individual objects to the processing pursuant to Article 21 (1) of the GDPR, and there are no overriding legitimate grounds for the processing, or an individual objects to the processing pursuant to Article 21 (2) of the GDPR.
- The personal data concerned have been unlawfully processed.
- The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) of the GDPR.
bb) Information disclosed to third parties
Where the controller has made an individual’s personal data public and is obliged pursuant to Article 17 (1) of the GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers who are processing the personal data that an individual has h requested the erasure by such controllers of any links to, or copy or replication of, the personal data.
The right to erasure shall not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3) of the GDPR;
- for the establishment, exercise or defence of legal claims.
e) Right to notification
If an individual has exercised the right to obtain from the controller the rectification or erasure of personal data or restriction of processing, the controller is obliged to communicate this rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the individual about those recipients if requested.
f) The right to data portability
An individual shall have the right to receive the personal data concerning him/her, which has been provided to a controller, in a structured, commonly used and machine-readable format. The individual also has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent pursuant to point (a) of Article 6 (1) of the GDPR or point (a) of Article 9 (2) of the GDPR or on a contract pursuant to point (b) of Article 6 (1) of the GDPR; and
- the processing is carried out by automated means.
In exercising this right to data portability, an individual shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The right referred to above must not adversely affect the rights and freedoms of others. The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
g) The right to object
An individual has the right to object, on grounds relating to his/her particular situation at any time, to processing of personal data which is based on point (e) or (f) of Article 6 (1) of the GDPR, including profiling based on those provisions.
The controller shall no longer process an individual’s personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. In the event that personal data is processed for direct marketing purposes, individuals have the right to object at any time to processing of personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where an individual objects to processing for direct marketing purposes, the personal data concerning the individual shall no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, individuals may exercise your right to object by automated means using technical specifications. To do this, send an E-mail to our data protection officer.
h) The right to withdraw your declaration of consent under data protection law
Individuals have the right to withdraw their declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
i) Automated individual decision-making, including profiling
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This shall not apply if the decision:
- is necessary for entering into, or performance of, a contract between the user and a data controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard an individual’s rights and freedoms and legitimate interests; or
- is based on an individual’s explicit consent.
However, decisions referred to above shall not be based on special categories of personal data referred to in Article 9 (1) of the GDPR, unless point (a) or (g) of Article 9 (2) of the GDPR applies and suitable measures to safeguard an individual’s rights and freedoms and legitimate interests are in place. In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard an individual’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express the individual’s point of view and to contest the decision.
j) The right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, individuals have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his/her habitual residence, place of work or place of the alleged infringement if the individual consider that the processing of personal data relating to him/her infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.