I INTRODUCTION AND DEFINITIONS
2.1 Personal data: "Personal data" means all information relating to an identified or identifiable person (Art. 4 para. 1 GDPR). Information relating to an identified person may, for example, be the name or the e-mail address. However, personal data also includes data for which the identity is not immediately apparent but which can be determined by combining one's own or third-party information and thus finding out who the person is. A person becomes identifiable, for example, by providing his or her address or bank details, date of birth or user name, IP address and/or location data. Relevant here is all information that in any way allows an inference to a person.
2.2 Processing: Art. 4 para. 2 GDPR defines "processing" as any operation involving personal data. This applies in particular to the collection, capture, administration, classification, recording, amendment, printing, making available, use, disclosure, sharing, dissemination, provision, comparison, linking, restriction, erasure or destruction of personal data.
II DATA CONTROLLER AND DATA PROTECTION OFFICER
Responsible for the data processing is:
Company: Reeperbahn Festival GmbH ("we" or individually "RBF")
Legal representative: Alexander Schulz (Managing Director)
Address: Neuer Pferdemarkt 1, 20359 Hamburg
Phone: + 49 (0) 40 43 17 959-17
Fax: +49 (0) 40 43 17 959- 26
4. DATA PROTECTION OFFICER
We have appointed an external data protection officer for our company. You can reach him at:
Name: Reinher Karl
Address: HABEWI GmbH & Co KG, Palmaille 96, 22767 Hamburg
Phone: + 49 (0) 40 18189800
Fax: + 49 (0) 40 181898099
III. SCOPE OF PROCESSING
5. SCOPE OF PROCESSING: WEBSITE
Regarding the website with the URL international.reeperbahnfestival.com we process the personal data of you listed in detail under points 6-11 below. We only process personal data that you actively provide on our website (e.g. by filling out forms) or that you automatically provide when using our services.
Your data will be processed exclusively by us and will not be sold, lent or passed on to third parties.
If we use the help of external service providers to process your personal data, this is done within the framework of so-called processing by a processor, in which we as the client are authorized to give instructions to our contractor. For the operation of our website we use external processors for hosting, as well as for maintenance, care and further development. Should further external service providers as a processor be used for individual processing operations listed in sections 6-11, they will be named there.
A data transfer to third countries does not take place and is not planned. We will provide information about exceptions to this principle in the processing operations described below.
IV. THE PROCESSING OPERATIONS IN DETAIL
6. PROVISION OF THE WEBSITE AND SERVER LOG FILES
6.1 DESCRIPTION OF PROCESSING
Whenever you access the website, we automatically collect information that your browser sends to our server. These are the following data:
Your IP address
the browser software you use, its version and language
the operating system you use
the website from which you have accessed our website (so-called referrer)
the sub-pages you have accessed on our website
the date and time of your visit to our website
Amount of data transmitted
This information is also stored in the so-called log files of our system. The temporary storage of your IP address by the system is necessary in order to deliver our website to the end device of a user. For this purpose, the user's IP address must remain stored for the duration of the session. However, your IP address is not recorded in our log files.
Processing is carried out to enable the website to be accessed and to ensure its stability and security. Furthermore, the processing serves the statistical evaluation and improvement of our online offer.
6.3 LEGAL BASIS
The processing is necessary in order to safeguard the controller's overriding legitimate interests (Art. 6 para. 1 letter f GDPR) and is based on a consent pursuant to Art. 6 para. 1 a GDPR, if the logfile was not essential and then obtained by us via a cookie banner or cookie content tool. Such consent is voluntary.. Our legitimate interest lies in the purpose stated in item 6.2.
6.4 STORAGE DURATION
The data will be erased as soon as they are no longer necessary for the purpose for which they were collected. In the case of the collection of data for the purpose of providing the website, this is the case when the relevant session has ended. Log files are erased after 30 days.
7.1 DESCRIPTION OF PROCESSING
7.3 LEGAL BASIS
The processing is necessary with regard to technically required cookies, as well as the use of the cookie content tool "Cookiebot" to safeguard the predominant legitimate interests of the data controller (Art. 6 para. 1 lit. f DSGVO). Our legitimate interest lies in the purpose stated in clause 7.2. In the case of processing with regard to all other - i.e. not technically necessary - cookies, the legal basis is consent (Art. 6 para. 1 lit. a DSGVO). Such consent is voluntary.
7.4 STORAGE PERIOD, WITHDRAWAL OF CONSENT
7.5 RECIPIENT AND TRANSFER TO THIRD COUNTRIES
When using third-party cookies, data may be transferred to the corresponding providers of these third-party services. This may also involve a transfer to third countries outside the European Union or the European Economic Area. We will inform you about the recipients of data as well as a transfer to third countries in the settings of the cookie banner/cookie content tool or in the corresponding passage on the third party service or processing in these data protection provisions. Where applicable, personal data may also be transferred to the service provider of the cookie-consent-tool "Cookiebot", Cybot A/S.
8. APPLICATION FORM AND CONTACT BY E-MAIL
8.1 DESCRIPTION OF PROCESSING
By providing an application form on our website we want to offer you a convenient way to apply for a Reeperbahnfestival International event. The data transmitted with and in the application form or your e-mail will be used exclusively for the purpose of processing and answering your request.
8.3 LEGAL BASIS
The processing is necessary to safeguard the overriding legitimate interests of the data controller (Art. 6 para. 1 letter f DSGVO). Our legitimate interest lies in the purpose stated in item 8.2. If an application or e-mail contact is aimed at the conclusion or fulfillment of a contract, data processing is carried out for the purpose of contract fulfillment (Art. 6 para. 1 lit. b DSGVO).
8.4 STORAGE DURATION
The data will be deleted as soon as they are no longer necessary for the purpose of their collection. This is usually the case when the respective communication with you has ended. The communication is ended when it is clear from the circumstances that your request has been finally clarified. This is the case with applications, for example, when a selection of participants has been made for the Reeperbahnfestival International Event in question. If legal retention periods conflict with the erasure, the erasure will take place immediately after the legal retention period has expired.
9. YOUTUBE VIDEOS
9.1 DESCRIPTION OF PROCESSING
Our website uses services from "YouTube" a video platform operated by YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA (hereinafter referred to as "YouTube"). YouTube is represented by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We use YouTube by embedding individual videos from the platform on our website as so-called iFrames so that they can be played directly on our website. The videos are implemented in the "extended data protection mode" offered by YouTube, that means according to Youtube no personal data will be transferred from you to Google as long as you do not play the videos. Only when a video is played will data be transferred to Google, over which we have no influence. If you play an embedded video on a subpage of our website, Google is informed which subpage you have visited and which video you have viewed. If necessary, your IP address is also transmitted to Google. If you are logged in as YouTube or Google user, Google will assign this information to your user account. Google stores your data as user profiles and uses them for advertising purposes, for market research and/or for the design of Google websites according to your needs. You have a right of objection to the creation of these user profiles, and to exercise this right you must contact Google directly. Further information on data protection at Google can be found at http://www.google.com/intl/de-DE/policies/privacy/.
The processing is done in order to be able to show you videos on our website.
9.3 LEGAL BASIS
The processing is necessary in order to safeguard the controller's overriding legitimate interests (Art. 6 para. 1 letter f GDPR). Our legitimate interest lies in the purpose stated in item 9.2.
9.4 RECIPIENT AND TRANSFER TO THIRD COUNTRIES
By integrating YouTube, personal data may be transmitted to YouTube LLC or Google. Google also processes your personal data in the USA.
10. GOOGLE ANALYTICS
10.1 DESCRIPTION OF PROCESSING
The processing is done in order to be able to evaluate the use of our website. The information thus obtained is used to improve our online presence and to design it in line with requirements.
10.3 LEGAL BASIS
The processing is necessary in order to safeguard the controller's overriding legitimate interests (Art. 6 para. 1 letter f GDPR). Our legitimate interest lies in the purpose specified in Section 10.2. If you are asked by us within the framework of a cookie banner or cookie content-tool for consent, which also covers the use of Google Analytics, then the legal basis is Art. 6 para. 1 lit. a GDPR. Such consent is voluntary.
10.4 STORAGE PERIOD WITHDRAWAL OF CONSENT
We have explained the storage period and your control and setting options for cookies in section 10. You can object to data processing by Google Analytics at any time by downloading and installing the browser add-on offered by Google at https://tools.google.com/dlpage/gaoptout?hl=de. Alternatively, you have the option of clicking on the following link. This will set an opt-out cookie on your end device which will prevent the collection of your data during future visits to this website: Deactivate Google Analytics. The analysis data processed and stored with Google Analytics will be automatically erased by us after 14 months. If we obtain consent for the use of Google Analytics via a cookie banner or a cookie content tool, such consent can be revoked by you at any time within the settings of the cookie banner or cookie content tool with effect for the future.
10.5 RECIPIENTS AND TRANSMISSION TO THIRD COUNTRIES
Google Analytics is a service provider for us within the scope of an order processing. Google also processes your personal data in the USA and has subjected itself to the EU-US Privacy Shield.
11. GOOGLE TAG MANAGER
Our website uses the "Google Tag Manager", a service of the company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as "Google"). The Google Tag Manager does not collect any personal data or set any cookies. This service only enables us to integrate and manage tags on our website. Tags are small code elements on our website that are useful for measuring traffic and visitor behavior with other tools, for measuring the impact of online advertising and social channels, for using remarketing and targeting, for testing and optimizing the website. Further information about the Google Tag Manager can be found here: https://www.google.com/intl/de/tagmanager/use-policy.html
V. SECURITY MEASURES
12. SECURITY MEASURES
To protect your personal data from unauthorised access, we have provided our website with an SSL or TLS certificate. SSL stands for "Secure-Sockets-Layer" and TLS for "Transport Layer Security" and encrypts the communication of data between a website and the user's end device. You can recognise the active SSL or TLS encryption by a small lock logo, which is displayed on the far left in the address line of the browser.
VI. YOUR RIGHTS
13. DATA SUBJECT RIGHTS
With regard to the data processing by our company described above, you are entitled to the following data subject rights:
13.1 Right of access (Art. 15 GDPR): You have the right to ask us to confirm whether we are processing personal data concerning you. If this is the case, you have the right, under the conditions set out in Art. 15 GDPR, to access this personal data and the other information listed in Art. 15 GDPR.
13.2 Rectification (Art. 16 GDPR): You have the right to ask us to correct incorrect personal data concerning you and, if necessary, to complete incomplete personal data without delay.
13.3 Erasure (Art. 17 GDPR): You have the right to demand that we erase any personal data relating to you immediately if one of the reasons listed in Art. 17 GDPR applies, e.g. if your data is no longer required for the purposes we pursue.
13.4 Restriction of data processing (Art. 18 GDPR): You have the right to ask us to limit the processing if one of the conditions listed in Art. 18 GDPR is met, e.g. if you dispute the accuracy of your personal data, the data processing will be limited for the time necessary to allow us to verify the accuracy of your data.
13.5 Data portability (Art. 20 GDPR): You have the right, subject to the conditions set out in Art. 20 GDPR, to demand the surrender of the data concerning you in a structured, common and machine-readable format.
13.6 Withdrawal of consent (Art. 7 para. 3 GDPR): You have the right to withdraw your consent at any time in the event of processing based on consent. The withdrawal is valid from the time of its assertion. In other words, it is effective for the future. In other words, the withdrawal of consent does not make the processing unlawful with retroactive effect.
13.7. Complaints (Article 77 GDPR): If you believe that the processing of personal data concerning you is in breach of the GDPR, you have the right to complain to a supervisory authority. You can exercise this right before a supervisory authority in the EU Member State in which you are resident, in your place of work or in the place where the suspected breach occurs.
13.8 Restraint on automated decisions/profiling (Art. 22 GDPR): Decisions that have legal consequences for you or significantly affect you must not be based solely on automated processing of personal data, including profiling. We inform you that we do not use automated decision making, including profiling, with respect to your personal data.
13.9 Objection (Art. 21 GDPR): If we process your personal data on the basis of Art. 6 Para. 1 letter f GDPR (to safeguard overriding legitimate interests), you have the right to object to this under the conditions set out in Art. 21 GDPR. However, this only applies insofar as there are reasons arising from your particular situation. Following an objection, we will no longer process your personal data unless we can demonstrate compelling reasons for processing that are worthy of protection and outweigh your interests, rights and freedoms. Nor do we have to stop processing if it serves to assert, exercise or defend legal claims. In any case - also irrespective of any special situation - you have the right to object at any time to the processing of your personal data for direct marketing purposes.
Status: September 2020