Data Privacy

Datenschutzerklärung

Protecting your privacy is very important to us. Below we inform you in detail about the handling of your data regarding your visit to our website (www.rock-am-ring.com) and your use of our app RAR & RIP.

We also inform you in each section whether the tool or tracking used is relevant to the website www.rock-am-ring.com (hereinafter "website") or the app RaR & RIP (hereinafter "APP") or both.

1. Name and contact details of the controller and the Data Protection Officer

This privacy policy applies to data processing by:

Controller:
eventimpresents GmbH & Co KG

c/o CTS EVENTIM AG & Co. KGaA

Contrescarpe 75a

28195 Bremen

Germany

Email: info@eventimpresents.com

 

You can reach our data protection officer here: datenschutz@eventimpresents.com

2. General notes and mandatory information

a) Data protection and information on storage

When you use our website or app, various personal data is collected. Personal data is data with which you can be personally identified. This privacy policy explains what information we collect and how we use it. It also explains how we collect the data and for what purpose.

We would like to point out that data transmission on the internet (e.g. communication by e-mail) may have security gaps. Complete protection of data against access by third parties is not possible.

Unless a more specific storage period is stated within this privacy policy, your personal data will remain with us until the purpose for the data processing no longer applies. If you assert a legitimate request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. retention periods under tax or commercial law); in the latter case, the data will be deleted after these reasons no longer apply.

b) SSL or TLS encryption

For security reasons and to protect the transmission of confidential content, such as orders or requests that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you send to us cannot be read by third parties.

c) External hosting of the website

This website is hosted by an external service provider (hoster). The personal data collected on this website is stored on the hoster's servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact data, names, website accesses and other data generated via a website.

The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para.1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para.1 lit. f GDPR). Our hoster will only process your data to the extent that this is necessary for the fulfilment of its service obligations and will follow our instructions with regard to the data.

We use the following hoster for our website:

Vercel Inc.

340 S Lemon Ave #4133

Walnut, CA 91789

USA

 

The data is also transferred to the US depending on the server location. We have signed a data processing agreement (DPA) with the above-mentioned provider. In addition, the data transfer to the US is based on the standard contractual clauses of the EU Commission. Details can be found here: https://vercel.com/legal/Vercel_Inc_-_Data_Processing_Addendum.pdf. We have concluded these together with the DPA.

 

Vercel's privacy policy can be found at https://vercel.com/legal/privacy-policy.

 

d) External hosting of the app

 

Our app is hosted on AWS through Appmiral, Scheldestraat 11, 2000 Antwerp, Belgium. The hosting provider is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg (hereinafter: AWS). When you use our app, your personal data is processed on the servers of AWS (EU-WEST 1 in Dublin). In the process, personal data may also be transferred to the parent company of AWS in the US. The data transfer to the US is based on the EU standard contractual clauses. Details can be found here: https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/.

For more information, please see the privacy policy of AWS (https://aws.amazon.com/de/privacy/?nc1=f_pr) and Appmiral's privacy policy (https://appmiral.com/privacy-policy/).

 

The use of AWS is based on Art. 6 para.1 lit. f GDPR. We have a legitimate interest in the most reliable presentation of our website.

 

We have concluded a data processing agreement (DPA) with Appmiral.

 

3. Data collection on our website and app

a) Server log files

 

When you visit our website or app, the browser used on your end device automatically sends information to our website or app server. This information is temporarily stored in a so-called log file. The following information is collected without your intervention and stored until automatic deletion:

  • IP address of the requesting computer,
  • Date and time of access,
  • Name and URL of the retrieved file,
  • Website from which the access is made (referrer URL),
  • the browser used and, if applicable, the operating system of your computer as well as the name of your access provider.

The aforementioned data will be processed by us for the following purposes:

  • Ensuring a smooth connection of the website and app,
  • Ensuring a comfortable use of our website and app,
  • Evaluation of system security and stability, and
  • for other administrative purposes.

The legal basis for the data processing is Art. 6 para.1 lit. f GDPR. Our legitimate interest is based on the purposes for data collection listed above. In no case we will use the collected data for the purpose of drawing conclusions about your person. In addition, we use cookies and analysis services when you visit our website. You can find more detailed explanations of this under points 5 and 6 of this data protection declaration.

b) Use of cookies

  1. ) General notes

Our internet pages use so-called "cookies". Cookies are small text files and do not cause any damage to your device. They are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your device until you delete them yourself or until they are automatically deleted by your web browser.

In some cases, cookies from third-party companies may also be stored on your device when you enter our site (third-party cookies). These enable us or you to use certain services of the third-party company (e.g. cookies for processing payment services).

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping cart function or the display of videos). Other cookies are used to evaluate user behaviour or to display advertising. Cookies that are necessary to carry out the electronic communication process (necessary cookies) or to provide certain functions desired by you (functional cookies, e.g. for the shopping cart function) or to optimize the website (e.g. cookies to measure the web audience) are stored on the basis of Art. 6 para.1 lit. f GDPR, unless another legal basis is specified. We have a legitimate interest in storing cookies for a technically error-free and optimized provision of our services. Insofar as consent to the storage of cookies has been requested, the storage of the cookies in question is based exclusively on this consent (Art. 6 para.1 lit. a GDPR); consent can be revoked at any time.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of this website may be limited.

If cookies are used by third parties or for analysis purposes, we will inform you separately within the framework of this data protection declaration and, if necessary, request your consent.

  1. Usercentrics

Our website uses the consent technology of Usercentrics to obtain your consent to the storage of certain cookies on your device or to the use of certain technologies and to document this in accordance with data protection law. The provider of this technology is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, website: https://usercentrics.com/de/ (hereinafter "Usercentrics").

When you visit our website, the following personal data is transferred to Usercentrics:

  • Your consent(s) or revocation of your consent(s)
  • Your IP address
  • Information about your browser
  • Information about your device
  • Time of your visit to our website

Furthermore, Usercentrics stores a cookie in your browser in order to be able to assign the consent granted to you or its revocation. The data collected in this way will be stored until you request us to delete it, you delete the Usercentrics cookie yourself or the purpose for storing the data no longer applies. Mandatory legal storage obligations remain unaffected. Usercentrics is used to obtain the legally required consent for the use of certain technologies. The legal basis for this is Art. 6 para.1 lit. c GDPR.

We have concluded an data progressing agreement with Usercentrics.

  1. Use of cookies in our ticket shop

The ticket shop is provided and managed by our ticketing partner CTS Eventim KGaA & Co KG. The responsible party in terms of data protection is therefore CTS Eventim KGaA & Co. KG. Therefore, please note the applicable data protection declaration at https://www.eventim.de/help/data-protection/.

c) Contact requests via e-mail or telephone

If you contact us by e-mail or phone, your request including all resulting personal data (name, request) will be stored and processed for the purpose of processing your request. We do not pass on this data without your consent. The processing of this data is based on Art. 6 para.1 lit. b GDPR, if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the requests sent to us (Art. 6 para.1 lit. f GDPR) or on your consent (Art. 6 para.1 lit. a GDPR) if this was requested.

The data you send us via contact requests will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after your request has been processed). Mandatory legal provisions - in particular legal retention periods - remain unaffected.

d) Press section of our website

(1) General information

In order to be able to use the press area of our website, you will require media access from us, which you can request from us by e-mail. For this purpose, we collect your name, e-mail address and telephone number and, if necessary, proof of your journalistic or press activities. The legal basis for this is Art. 6 para. 1 lit. f GDPR. Our legitimate interest in processing your data is based on the fact that, for legal reasons, the press area of our website with the download options available there can only be made available to journalists and press representatives.

(2) Heroku

For press accreditations and as a cloud-based CRM, we use Heroku. The provider is Salesforce, Inc. Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA. We have entered into an order processing agreement with Salesforce Inc. to ensure that your data is only processed based on our instructions. In addition, as the data may be transferred to a third country, we have entered into standard contractual clauses with the provider to ensure a level of protection appropriate to the EU/EEA. In addition, Salesforce Inc. is certified under the Data Privacy Framework.

The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the United States designed to ensure compliance with European data protection standards for data processing in the United States. Any company certified under the DPF agrees to comply with these data protection standards. For more information, please contact the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant- detail?contact=true&id=a2zt0000001L5AAI&status=Active.

The legal basis for the use of Heroku is Art. 6 para. 1 lit. f GDPR, as you can see described unter point (1) Gerneral information.

You can find more information about Heroku at https://www.salesforce.com/company/privacy/  or via privacy@salesforce.com or datasubjectrequest@salesforce.com resp. by mail to: Salesforce Data Protection Officer, 415 Mission St., 3rd Floor, San Francisco, CA 94105, USA.

 

4. Analyzing tools

a) Tracking tools

The tracking measures listed below and used by us are carried out on the basis of Art. 6 para.1 lit. a GDPR. With the tracking measures used, we want to ensure a needs-based design and the ongoing optimization of our website and app. On the other hand, we use the tracking measures to statistically record the use of our website and to evaluate it for the purpose of optimising our offer for you. These interests are to be regarded as legitimate in the sense of the aforementioned regulation.

The respective data processing purposes and data categories can be found in the corresponding tracking tools.

b) Google Analytics

For the web analysis described above, we use the web analysis service Google Analytics, which is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

Google Analytics uses cookies, which are stored on your computer and which allow an analysis of your use of the website. The information generated by the cookie about your use of the website (browser type/version, operating system used, referrer URL, host name of the accessing computer (IP address), date and time of the server request) is usually transmitted to a Google server in the USA and stored there. The IP addresses are only recorded anonymously in the version of Google Analytics we use (see Google overview, available at https://support.google.com/analytics/answer/2763052?hl=de).

On our behalf, Google, as a processor within the meaning of Art. 28 GDPR, uses this information to evaluate your use of the websites, to compile reports on website activity and to provide other services related to website use and internet use to the website operator.

The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/.

The company is certified in accordance with the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Any company certified under the DPF agrees to comply with these data protection standards. For more information, please contact the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant- detail?contact=true&id=a2zt0000001L5AAI&status=Active.

Browser Plugin

You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

For more information on how Google Analytics handles user data, please see Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

Google Signals

We use Google signals. When you visit our website, Google Analytics collects, among other things, your location, search history, and YouTube history, as well as demographic data (visitor data). This data can be used for personalized advertising with the help of Google signals. If you have a Google account, the visitor data from Google Signal will be linked to your Google account and used for personalized advertising messages. The data is also used to compile anonymized statistics on the user behavior of our users.

Google Analytics E-commerce measurement

This website uses the "e-commerce measurement" feature of Google Analytics. E-commerce measurement allows us to analyze the buying behavior of our website visitors to improve our online marketing campaigns. This involves recording information such as orders placed, average order values, shipping costs and the time from viewing to purchasing a product. This data can be summarized by Google under a transaction ID that is assigned to the respective user or their device.

c) Google Firebase

Our app uses the Google Firebase technology (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, "Google"), an analytics service provided by Google Inc. to analyze user behavior.

The information generated about the use (app version, type and version of the device used, version of the operating system, the page requested, date and time of use, as well as the IP address used during use) is transmitted to a Google server in the US and stored there.

For the relevant data transfers to the US, Google Firebase refers to the standard contractual clauses of the EU Commission. Details can be found here: https://firebase.google.com/support/privacy

In addition, we have concluded a Joint Controller Contract (JCC) with Google with so-called standard contractual clauses, in which Google undertakes to process user data only in accordance with our instructions and to comply with the EU level of data protection.

Furthermore, certain actions collect information about them through the Firebase SDK while using the App. Actions such as installing and launching the app, app updates, uninstalling, updating the operating system, deleting app data, app crashes and in-app purchases, as well as receiving, swiping away and opening push notifications and opening and updating the app via a dynamic link, trigger the event-driven data collection of the Firebase SDK. To identify devices, the Firebase SDK uses an instantiated app identifier e.g. via the advertising ID.

On our behalf, Google will use this information for the purpose of evaluating your use of the app, compiling reports on our activities and providing other services relating to your use of the app. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.

The legal basis for the use of the data and use of Firebase is your consent in regards to Art. 6 para.1 lit. a GDPR. Your consent can be revoked at any time.

You can restrict the use of the advertising ID in the device settings (iOS: Privacy/ Advertising/ No ad tracking; Android: Account/ Google/ Ads). Google Analytics for Firebase (Google Inc.). Furthermore, we use Firebase Remote Config, which allows us to run A/B tests and customize the behavior and appearance of the app without downloading a new version. Personal data is not stored.

Here you can see which subcontractors Google uses: https://firebase.google.com/terms/subprocessors.

More information about Google Firebase and privacy can be found here: https://firebase.google.com/terms/data-processing-terms; https://firebase.google.com/terms/; https://firebase.google.com/support/privacy/.

d) Google Tag Manager

We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

The Google Tag Manager is a tool that allows us to integrate tracking or statistical tools and other technologies on our website. The Google Tag Manager itself does not create any user profiles, does not store cookies, and does not carry out any independent analyses. It only manages and runs the tools integrated via it. However, the Google Tag Manager does collect your IP address, which may also be transferred to Google’s parent company in the United States.

The Google Tag Manager is used on the basis of Art. 6 para. 1 lit.f GDPR. The website operator has a legitimate interest in the quick and uncomplicated integration and administration of various tools on his website. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TTDSG, insofar the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent can be revoked at any time.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link:

https://www.dataprivacyframework.gov/s/participant-search/participant- detail?contact=true&id=a2zt000000001L5AAI&status=Active

e) Facebook Pixel

This website uses the visitor action pixel from Facebook for conversion measurement. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Facebook, the data collected is also transferred to the US and other third countries.

In this way, the behaviour of page visitors can be tracked after they have been redirected to the provider's website by clicking on a Facebook ad. This allows the effectiveness of the Facebook ads to be evaluated for statistical and market research purposes and future advertising measures to be optimized.

The collected data is anonymous for us as the operator of this website, we can not draw any conclusions about the identity of the users. However, the data is stored and processed by Facebook, so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes, according to the Facebook data use policy. This allows Facebook to serve ads on Facebook pages as well as outside of Facebook. This use of the data cannot be influenced by us as the site operator.

The use of Facebook Pixel is based on your consent according to Art. 6 para.1 lit. a GDPR. Your consent is given via Usercentrics (see point 5. b) Usercentrics) and can be revoked by you at any time.

The data transfer to the US is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook. The processing by Facebook that takes place after the onward transfer is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in a joint processing agreement. The text of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the privacy information when using the Facebook tool and for the privacy-secure implementation of the tool on our website. Facebook is responsible for the data security of the Facebook products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert your data subject rights with us, we are obliged to forward them to Facebook.

In the privacy policy of Facebook you will find further information about the protection of your privacy: https://de-de.facebook.com/about/privacy/.

You can also disable the Custom Audiences remarketing feature in the Ads Settings section at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. You must be logged into Facebook to do this. If you do not have a Facebook account, you can opt out of Facebook's usage-based advertising at the European Interactive Digital Advertising Alliance website: http://www.youronlinechoices.com/de/praferenzmanagement/.

f) Online/Social Media Marketing with EDGE

For marketing measures on our websites, third-party websites and social networks, we enlist the support of EDGE. The provider is EDGE Entertainment Digital GmbH, a subsidiary of CTS EVENTIM AG & Co. KGaA.

The legal basis for the use is Art. 6 para. 1 lit. 6 GDPR. Our legitimate interest is to effectively set up campaigns on high-reach platforms such as Facebook, Instagram, Google, YouTube and TikTok.

If you purchase our products on our websites or sign up for newsletters, we will transmit your personal data to Edge Entertainment Digital GmbH for the implementation of advertising measures if you give us your consent to do so within the meaning of Art. 6 para. 1 lit.a DSGVO.

We are jointly responsible with EDGE for the processing of your personal data.

5.         Plugins and tools

a)         YouTube with extended data protection

This website embeds videos from the website YouTube. The operator of the pages is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube in extended data protection mode. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they watch the video. However, the transfer of data to YouTube partners is not necessarily excluded by the extended data protection mode. Thus, YouTube - regardless of whether you watch a video - establishes a connection to the Google DoubleClick network.

As soon as you start a YouTube video on this website, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

Furthermore, after starting a video, YouTube may store various cookies on your end device or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to collect video statistics, improve the user experience, and prevent fraud attempts.

If necessary, further data processing operations may be triggered after the start of a YouTube video, over which we have no control.

YouTube is used in the interest of an appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.

You can find more information about data protection at YouTube in their privacy policy at: https://policies.google.com/privacy?hl=de.

  1. Vimeo without tracking (Do-Not-Track)

This website uses plugins of the video portal Vimeo. The provider is Vimeo Inc, 555 West 18th Street, New York, New York 10011, USA.

When you visit one of our pages equipped with Vimeo videos, a connection to the Vimeo servers is established. This tells the Vimeo server which of our pages you have visited. In addition, Vimeo obtains your IP address. However, we have set Vimeo in such a way that Vimeo will not track your user activities and will not set any cookies.

The use of Vimeo is in the interest of an appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR. Insofar as a corresponding consent was requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

Data transfer to the U.S. is based on the EU-U.S. Data Privacy Framework and/or the standard contractual clauses of the EU Commission, as well as, according to Vimeo, on "legitimate business interests".

For more information on the handling of user data, please see Vimeo's privacy policy at: https://vimeo.com/privacy.

c) Spotify

On our website and app, functions of the music service Spotify are integrated. The provider is Spotify AB, Birger Jarlsgatan 61, 113 56 Stockholm in Sweden. You can recognize the Spotify plugins by the green logo on this website. You can find an overview of the Spotify plugins at: https://developer.spotify.com.

This means that when you visit our website or use our app, a direct connection can be established between your browser and the Spotify server via the plugin. Spotify thereby receives the information that you have visited this website with your IP address. If you click the Spotify button while logged into your Spotify account, you can link the content of this website on your Spotify profile. This allows Spotify to associate your visit to this website with your user account.

We would like to point out that cookies from Google Analytics are used when using Spotify, so that your usage data can also be passed on to Google when using Spotify. Google Analytics is a tool of the Google Group for the analysis of user behaviour based in the USA. Spotify is solely responsible for this integration. We as the website operator have no influence on this processing.

The storage and data analysis through Spotify is based on Art. 6 para.1 lit. a GDPR. Your consent is given via Usercentrics (see point 5. b) Usercentrics) and can be revoked by you at any time.

For more information, please see Spotify's privacy policy: https://www.spotify.com/de/legal/privacy-policy/.

If you do not want Spotify to associate your visit to this website with your Spotify user account, please log out of your Spotify user account.

d) Cashless payment at festivals

Only cashless transactions for payments are possible at our festivals. To offer this service, we use „GET“, a cashless payment tool from Global Event Technologies GmbH & CO KG, Neualmerstraße 37, 5400 Hallein, Austria.

A link on our website or app will take you directly to GET. You can register on GET´s website with the number of your festival ticket and, if you enter your payment details, transfer money on your chip for payments. The chip itself will be given to you at the festival. The registration with GET and the processing of your personal data is voluntary and is based on your consent in accordance with Art. 6 para.1 lit. a GDPR. For this purpose we have concluded a data processing agreement with GET.

When registering via GET, your personal data may be transferred to the US. Further information on data processing at GET can be found in their data protection information: https://www.get.systems/privacy-policy/.

It is also possible to transfer money on your chip without registering with GET. This can be done directly at the festival in form of a cash deposit at one of our information stands. This option allows you to use our cashless payment function without providing personal data. However, a refund of unused credit requires a registration via GET. This is based on our legitimate interest in accordance with Art. 6 para.1 lit. f GDPR to offer refunds as efficiently as possible.

 

6) Newsletter data

If you would like to receive the newsletter offered on the website, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data is not collected or only on a voluntary basis. For the handling of the newsletter, we use newsletter service providers, which are described below.

Brevo

This website uses Brevo for the sending of newsletters. The provider is the Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany.

Brevo services can, among other things, be used to organize and analyze the sending of newsletters. The data you enter for the purpose of subscribing to the newsletter are archived on servers of Sendinblue GmbH in Germany.

Data analysis by Brevo

Brevo enables us to analyze our newsletter campaigns. For instance, it allows us to see whether a newsletter message has been opened and, if so, which links may have been clicked. This enables us to determine, which links drew an extraordinary number of clicks.

Moreover, we are also able to see whether once the e-mail was opened or a link was clicked, any previously defined actions were taken (conversion rate). This allows us to determine whether you have made a purchase after clicking on the newsletter.

Brevo also enables us to divide the subscribers to our newsletter into various categories (i.e., to “cluster” recipients). For instance, newsletter recipients can be categorized based on age, gender, or place of residence. This enables us to tailor our newsletter more effectively to the needs of the respective target groups.

If you do not want to permit an analysis by Brevo, you must unsubscribe from the newsletter. We provide a link for you to do this in every newsletter message. Moreover, you can also unsubscribe from the newsletter right on the website.

For detailed information on the functions of Brevo please follow this link: https://www.brevo.com/de/newsletter-software/.

Legal basis

The data is processed based on your consent (Art. 6 para. 1 lit. f GDPR). You may revoke any consent you have given at any time by unsubscribing from the newsletter. This shall be without prejudice to the lawfulness of any data processing transactions that have taken place prior to your revocation.

Storage period

The data deposited with us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter or the newsletter service provider and deleted from the newsletter distribution list after you unsubscribe from the newsletter. Data stored for other purposes with us remain unaffected.

After you unsubscribe from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist, if such action is necessary to prevent future mailings. The data from the blacklist is used only for this purpose and not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). The storage in the blacklist is indefinite. You may object to the storage if your interests outweigh our legitimate interest.

For more details, please consult the Data Protection Regulations of Brevo at: https://www.brevo.com/de/datenschutz-uebersicht/ and https://www.brevo.com/de/legal/privacypolicy/.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

7. Social media

a) General information

Our social media presences are intended to ensure the broadest possible presence on the Internet. We want to communicate with our visitors and inform them about events and news. The specific media portals used are listed under the following points.

Social networks such as Facebook, Instagram, etc. can generally analyze your user behavior comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). Visiting our social media presences triggers numerous processing operations relevant to data protection. In detail:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected under certain circumstances if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies that are stored on your end device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are logged in or have been logged in.

Please also note that we don’t have knowledge of all processing on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. Details on this can be found in the terms of use and privacy policies of the respective social media portals.

 

Legal basis

Our social media presences are intended to ensure the most comprehensive presence possible on the Internet. This is a legitimate interest of ours within the meaning of Art. 6 para. 1 lit. f GDPR. The analysis processes initiated by the social networks may be based on deviating legal bases to be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 para. 1 lit. a GDPR).

Joint Controller and assertion of rights

If you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operators of the social media platform for the data processing operations triggered during this visit. In principle, you can assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (e.g. against Facebook).

Please note that despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.

Storage period

The data collected directly by us via the social media presence will be deleted from our systems as soon as you request us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies. Stored cookies remain on your terminal device until you delete them. Mandatory legal provisions - in particular retention periods - remain unaffected.

We have no influence on the storage period of your data, which is stored by the operators of social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see below).

Your rights

You have the right at any time to receive information free of charge about the origin, recipient and purpose of your stored personal data. You also have the right to object, data portability and the right to complain to the competent supervisory authority. Furthermore, you can demand the correction, blocking, deletion and, under certain circumstances, the restriction of the processing of your personal data.

b) Facebook Fanpage

Our Facebook page uses the services of Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Meta"). If you are registered with this service, your visit to our Facebook page may be linked to your account. Even if you are not registered there or have not logged in, it is possible that Facebook receives and stores information such as your IP address (more detailed under a) General information). You can find more information on data processing at https://de-de.facebook.com/policy.

Meta provides the operators of Fanpages with so-called Facebook Insights. These are summarized data, through which page operators can obtain information about how users interact with their page (details can be found here:

https://www.facebook.com/legal/terms/information_about_page_insights_data ).

 

Facebook and we are jointly responsible for the processing of this data according to Art. 26 GDPR. Therefore, we have entered into a joint processing agreement (Joint Controller Addendum) with Meta.

The agreement is limited exclusively to the collection of the data and its forwarding to Facebook. Processing that takes place after the onward transfer by Facebook is not part of the joint responsibility. The obligations incumbent on us jointly have been set out therein and can be viewed at the following link:

https://www.facebook.com/legal/controller_addendum.

Your rights under Art. 13 et seqq. GDPR (e.g. request for information) regarding the data processed by Facebook can be asserted directly with Facebook. You can contact the data protection officer of the provider of the Facebook service at the following link:

https://www.facebook.com/help/contact/540977946302970.

You can object to the data processing here:

https://www.facebook.com/help/contact/1994830130782319.

If you assert your data protection rights with us, we will forward the request to Facebook.

Data transfer to the U.S. is based on the EU-U.S. Data Privacy Framework and/or the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

c) Instagram

We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited ("Meta"), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

When you visit the platform, your profile information as well as information about the visit is essentially processed by Meta. Data is also processed if you do not have an Instagram account or are not logged in.

You can find all further information on this in Instagram's privacy policy at: https://help.instagram.com/519522125107875.

We process the data of visitors to our profile, in particular information about user interactions (e.g. likes and comments), public profile information, demographic and statistical data, as well as the data transmitted to us in the context of messages and comments.

We use the statistics function to learn more about the visitors to our profile. Demographic and statistical data in the context of so-called "Insights" data help us to adapt our content to the respective target group. This is aggregated data for us, a personal reference is not possible for us.

Instagram and we are jointly responsible for the processing of this data in accordance with Art. 26 GDPR. Therefore, we have concluded a joint processing agreement (Joint Controller Addendum) with Meta.

The agreement is limited exclusively to the collection of the data and its forwarding to Facebook. Processing that takes place after the onward transfer by Facebook is not part of the joint responsibility. The obligations incumbent on us jointly have been set out therein and can be viewed at the following link: https://www.facebook.com/legal/controller_addendum

 

Data transfers to the U.S. are based on the EU-U.S. Data Privacy Framework and/or the EU Commission's standard contractual clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

d) TikTok

We have a profile on TikTok. The provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. Details on how they handle your personal data can be found in the TikTok privacy policy: https://www.tiktok.com/legal/privacy-policy?lang=en.

Data transmission to third countries is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here:
https://www.tiktok.com/legal/privacy-policy?lang=en.

e) X (formerly Twitter)

We use the short message service X (formerly Twitter). The provider is Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland.

You can customize your X privacy settings in your user account. Click on the following link and log in:

https://twitter.com/personalization.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://gdpr.twitter.com/en/controller-to-controller-transfers.html.

For details, see the X Privacy Policy: https://twitter.com/privacy.

f) YouTube

We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Details on how they handle your personal data can be found in the YouTube privacy policy: https://policies.google.com/privacy?hl=en.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link:
https://www.dataprivacyframework.gov/s/participant-search/participant- detail?contact=true&id=a2zt000000001L5AAI&status=Active

8. Transfer of personal data

a) Legal basis

We will only pass on your personal data to third parties if this is necessary to achieve our purposes and at least one of the following legal bases exists:

  • you have expressly given your consent to this in accordance with Art. 6 Para. 1 lit. a GDPR,
  • this is legally permissible and necessary for the processing of contractual relationships according to Art. 6 Para. 1 lit. b GDPR,
  • in the event that a legal obligation exists for the disclosure pursuant to Art. 6 para. 1 (c) GDPR, as well as
  • the transfer according to Art. 6 para. 1 (f) GDPR is necessary to protect our legitimate interests, unless your interests, fundamental rights and freedoms, which require the protection of your personal data, prevail.

 

b) Data transfer to the USA

We largely, but not exclusively, rely on service providers located within the EU/EEA or a third country for which the European Commission has adopted an adequacy decision within the meaning of Art. 45 of the GDPR. Even in the case of service providers based within the EU/EEA, however, we cannot guarantee in individual cases that they will store or process your data exclusively on servers in countries where a level of protection comparable to that in the EU/EEA prevails.

Among other things, we use tools from companies based in the USA. If these tools are active, your personal data may be transferred to these third countries and processed there. We note that the European Commission has adopted an adequacy decision for the EU-U.S. Data Privacy Framework (successor to the "Privacy Shield"). The decision states that the United States will ensure an adequate level of protection - comparable to that of the European Union - for personal data transferred from the EU to U.S. companies within the new framework. Based on this sectoral adequacy decision, personal data can be transferred securely from the EU to U.S. companies participating in the framework ("Data Privacy Framework") without having to implement additional data protection safeguards. To participate, companies must have certified themselves with the U.S. Department of Commerce. If they have not done so, the adequacy decision does not serve as a basis for secure data transmission. In these cases, we enter into Standard Contractual Clauses (SCC) with the service providers. By concluding standard contractual clauses within the meaning of Art. 46para. 1(c) GDPR, we provide guarantees for the protection of your data.

In addition, we encrypt or pseudonymize personal data before transferring it to a service provider in a third country, if this is technically possible and appropriate.

9. Data subject rights

You have the right to,

  • to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making, including profiling and, if applicable, meaningful information about its details;

 

  • in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or completion of your personal data stored by us;

 

  • pursuant to Art. 17 GDPR, to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;

 

  • in accordance with Art. 18 GDPR to request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defense of legal claims or you have objected to the processing in accordance with Art. 21 GDPR;

 

  • pursuant to Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller;

 

  • in accordance with Art. 7 para.3 GDPR, to revoke your consent given to us at any time. This has the consequence that we may no longer continue the data processing based on this consent in the future; and

 

  • complain to a supervisory authority in accordance with Art. 77 GDPR. Usually you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters for this purpose.

 

 

10. Right of objection

If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 para.1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that there are grounds for doing so that arise from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right of objection, which is implemented by us without specifying a particular reason.

If you wish to exercise your right to object, simply send an e-mail to datenschutz@eventimpresents.com.

11. Data security

Within the website visit, we use the widespread SSL procedure (Secure Socket Layer) in connection with the highest encryption level supported by your browser. As a rule, this is a 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is encrypted when you see the closed key or lock symbol in the lower status bar of your browser.

We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

12. Modification of this privacy policy

This privacy policy is currently valid and is dated November 2023.

Due to the further development of our website and offers on it or due to changed legal or regulatory requirements, it may become necessary to change this privacy policy. The current data protection declaration can be accessed and printed out by you at any time on the website at https://www.rock-am-ring.com/en/privacy or through our app.

 

 

 

Cookie Einstellungen