Deutsches Theater München Betriebs-GmbH
Data Protection Statement
(Rev. May 2018)
The following data protection statement governs the use of the deutsches-theater.de website (referred to hereinafter as “website”).
Data protection is very important to us. Below, we explain how we will process your personal data and what rights you have in this regard.
Your personal data is collected and processed in conformance with the applicable data protection regulations, particularly the General Data Protection Regulation (GDPR). We collect and process your personal data for the following purposes: acting as agent for event tickets, reservation, sale and delivery of tickets, information on events as well as the sale and delivery of vouchers. We wish to constantly improve our service and to make the website more appealing to you. Additionally, we wish to adapt the website to suit your demands and needs.
1. Responsible authority
The authority responsible for collecting, processing and utilizing your personal data within the meaning of GDPR Art. 4 (7) is:
Deutsches Theater München Betriebs-GmbH
Represented by the managing directors
Carmen Bayer and Werner Steer
If you wish to object to the collection, processing or use of your data as described in these data protection provisions as a whole or for individual actions, you may address your objection to the responsible authority named above.
You can save and print out this data protection statement at any time.
2. General use of the website
The hosting services we use provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services, and technical maintenance services, which we use for the purpose of operating the website.
In doing so we or our hosting provider process master data, contact data, content data, contract data, usage data, metadata and communication data of customers, interested persons and visitors to this online content on the basis of our justified interests in efficiently and securely providing this online content in accordance with GDPR Art. 6 (1) (f) in conjunction with GDPR Art. 28.
2.2. Access data
We collect information about you when you use this website. We automatically collect information about your usage behaviour and your interaction with us, and register data about your computer or mobile device. We collect, store and utilize data about each access to our online content (so-called server log files). The access data include:
- Name and URL of accessed file
- Access time and date
- Amount of data transferred
- Report of successful access (HTTP response code)
- Browser type and version
- Operating system
- Referrer URL (i.e. the previously visited page)
- Websites which the user’s system accesses via our website
- User’s Internet service provider
- IP address of querying provider
We use such log data without matching them to your identity or creating other profiles for statistical analysis for the purpose of operating, securing and optimizing our online content, but also for anonymously tracking the number of visitors to our website (traffic) and the scope and type of use of our website and services as well as for billing purposes in order to measure the number of clicks received from cooperation partners. Based on this information we can provide personalized and location-based content and can analyse data traffic, search for and correct errors and improve our services.
This is also our justified interest according to GDPR Art. 6 (1) (f).
We reserve the right to subsequently examine the log data if there is a reasonable suspicion of unlawful use based on concrete indicators. We store IP addresses for a limited period of time in the log files if this is necessary for security purposes or needed in order to provide or bill for a service, for instance when you use one of our services. After the ordering process is cancelled or after payment is received, we delete the IP address if it is no longer needed for security purposes. We also store IP addresses if we have a concrete suspicion of criminal activity in connection with the use of our website. Additionally, we store the date of your last visit as part of your account (e.g. on registration, login, clicking links, etc.).
We use so-called session cookies in order to optimize our online content. A session cookie is a small text file sent by the respective servers and temporarily stored on your hard drive when visiting a website. This file itself contains a so-called session ID which can be used to match various queries by your browser to the joint session. This allows your computer to be recognized when you return to our website. These cookies are deleted after you close your browser. For instance, they allow you to use the shopping cart function across multiple pages.
We also use persistent cookies to a small extent (likewise small text files that are stored on your device); these remain on your device, allowing us to recognize your browser on your next visit. These cookies are stored on your hard drive and are automatically deleted after a preset time. They can persist between one month and up to ten years. This allows us to present our content to you in a more user-friendly, efficient and secure manner and, for instance, to display information on the site specifically tailored to your interests.
Our justified interest in using the cookies according to GDPR Art. 6 (1) (f) lies in making our website more user-friendly, efficient and secure.
The following data and information may be stored in the cookies we use:
- Login information
- Language settings
- Search terms entered
- Information about the number of accesses to our website and use of individual functions on our Internet presence
When the cookie is activated, an identifying number is assigned to it and no match is made between your personal data and this identifying number. Your name, IP address and similar data that would allow the cookie to be matched to you are not stored in the cookie. Based on the cookie technology, we receive only pseudonymized information, for instance about which pages of our shop were visited, which products were viewed etc.
You can set your browser to notify you in advance about cookies being set and to allow you to decide in the specific case whether to block the acceptance of cookies for certain cases or in general, or to completely prevent cookies. This may limit the functionality of the website.
2.4. E-mail contact
When you contact us (e.g. using a contact form or via e-mail), we store your information to process the inquiry and in case there are follow-up questions.
This is also where our justified interest lies according to GDPR Art. 6 (1) (f).
We store and use additional personal data only if you give consent or if this is legally permitted without special consent.
2.5. Matomo web analytics
We process data on our website using the Matomo web analytics software (www.matomo.org), a service provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand (“Matomo”), on the basis of our justified interest in statistical analysis of user behavior for optimization and marketing purposes according to GDPR Art. 6 (1) (f).
The data collected using the Matomo technology (including your pseudonymized IP address) are processed exclusively on our servers and are not shared with third parties. The data can be used to create and analyze pseudonymized user profiles for the aforementioned purpose. Cookies may be used for this purpose. The information in the pseudonymous user profile generated by the cookie is not used to personally identify the visitor to this website and is not merged with personal data via the pseudonym carrier.
If you do not consent to the storage and analysis of these data from your visit, you can object to the storage and use at any time by clicking below.
In this case a so-called opt-out cookie is stored in your browser, with the result that Matomo collects no session data whatsoever. Please note that deleting all your cookies will also result in deletion of the opt-out cookie and you may have to reactivate it if needed.
2.6. Length of storage
Unless specifically indicated, we store your personal data only as long as necessary to fulfill the intended purposes.
3. Processing inventory data
Furthermore, we process the inventory data described below.
3.1. Execution of orders
We process your master data, communication data, and payment data for the execution of your order so that we can confirm receipt of your order, communicate with you and execute the order. We take execution of the order to mean performing reservations, bookings and payments and in case of postal mail sending the tickets to the named delivery address, if necessary performing order cancellations and transacting refunds, and providing information about an event’s cancellation/rescheduling or program changes via e-mail, telephone or text message.
The legal basis for this data processing is GDPR Art. 6 (1) (b).
3.2. Customer account
In order to be able to offer you a convenient shopping experience in our online shop, you can register on our website by entering your personal data. Then you will not have to reenter your data for every order in the future.
For new registrations we collect master data (e.g. name, address), communication data (e.g. e-mail address), payment data (bank account) and access data (username and password).
In order to ensure your proper registration and prevent unauthorized registrations by third parties, you will receive an activation link via e-mail after registering in order to activate your account. Only after successful registration do we permanently store the data you provide in our system.
Once you have created a customer account you can have us delete it at any time without incurring other costs than the transmission costs according to the basic rates. A message in text form to the contact information named in item 1 (e.g. e-mail, fax, letter) is sufficient. We will then delete your stored personal data unless we still have to store these data in order to execute orders or on the basis of legal storage requirements.
The legal basis for this data processing is GDPR Art. 6 (1) (a), (b), and (f). Our interests in the data processing particularly include initiating, concluding and fulfilling contracts and simplifying your ordering process.
We use the so-called double opt-in method in order to be able to send you our newsletter. Only if you have previously expressly confirmed that you wish to receive the newsletter will we send you an activation e-mail and request that you confirm that you wish to receive our newsletter by clicking on one of the links contained in the e-mail message.
You can unsubscribe at any time without incurring any costs other than the transmission costs according to the basic rates. A message in text form to the contact information named in item 1 (e.g., e-mail, fax, letter) is sufficient. Naturally you will also find an unsubscribe link in each newsletter.
The legal basis for this data processing is GDPR Art. 6 (1) (a).
3.4. Customer service
If you sell tickets or gift certificates, we also process your personal data for customer service purposes in addition to settling the order. We take customer service to mean marketing activities that provide important information and therefore benefits to you, such as sending information about the event program we distribute, exclusive introductory offers, and new features on the website.
Otherwise we process your personal data for customer service purposes only if you have given your consent. Regardless of the newsletter, we regularly send you product recommendations by e-mail. In this way we provide you with information about products we offer that might be of interest to you on the basis of your recent purchases. We strictly follow the legal requirements when doing this. You can object to it at any time without incurring any costs other than the transmission costs according to the basic rates. A message in text form to the contact information named in item 1 (e.g., e-mail, fax, letter) is sufficient. Naturally you will also find an unsubscribe link in each e-mail message.
The legal basis for this data processing is GDPR Art. 6 (1) (f). Our interests in the data processing particularly include initiating, concluding, and fulfilling contracts, and direct advertising.
3.5. Length of storage
Unless specifically indicated, we store your personal data only as long as necessary to fulfill the intended purposes, or as long as required by law.
4. Your rights as a data subject
Under the applicable laws you have various rights regarding your personal data. If you wish to assert those rights, please direct your inquiry to the address named in part 1 by e-mail or postal mail, clearly identifying yourself.
You will find a summary of your rights below.
4.1. Right of confirmation and information
At any time, you have the right to receive confirmation from us as to whether personal data concerning you are processed. If so, you have the right to obtain information free of charge concerning the personal data stored about you, as well as a copy of that data. In addition, there is a right to the following information:
- Purpose of the processing;
- Categories of personal data that are processed;
- Recipients or categories of recipients to whom the personal data was or will be disclosed, particularly in case of recipients in third countries or for international organizations;
- If possible, the planned length of time the personal data are stored or, if this is not possible, the criteria for determining that period;
- The existence of a right to correct or delete the personal data concerning you or to limit processing by the controller or a right to object to such processing;
- The existence of a right to file a grievance with a supervisory agency;
- If the personal data are not collected from you, all available information concerning the origin of the data;
- The existence of any automated decision-making process, including profiling, according to GDPR Art. 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved and the consequences and desired effects of such processing for you.
If personal data are transmitted to a third country or international organization, you have the right to be notified about the appropriate guarantees according to GDPR Article 46 in connection with such transmission.
We collect and process the personal data of applicants in accordance with the European and German legislative provisions. This includes all applicants for training and internships. Therefore, as the responsible body, we subsequently inform you about how, for what purpose and on what legal basis we process personal data that we collect in the context of our application process.
4.2.1 Information about the responsible person
Deutsches Theater München Betriebs GmbH
represented by the CEOs
Carmen Bayer and Werner Steer
Contact person: Ingo Stelzel
Schwanthalerstraße 13, 80336 München
Phone 089 – 55 234 0
Fax 089 – 55 234 101
4.2.2 Purposes and legal basis for the processing of personal data
Data processing is carried out for the purpose of carrying out the application procedure and deciding on the employment relationship on the basis of Art. 6 Par. 1 Letter b and c, Art. 9 Par. 2 Letter b and h as well as Art. 88 of the GDPR in combination with § 26 and § 22 Par. 1 Letter b of the BDSG (BGBl. I S. 2097).
4.2.3 Recipients or categories of recipients to whom personal data are made available
- Personnel management
- Responsible departments
4.2.4 Transfer of personal data to a third country
Your personal data will not be transferred to a third country.
4.2.5 Further data protection information according to Art. 13 Par. 2 GDPR
Further information, such as the duration of storage and data subject rights can be obtained from our data protection officer.
4.3. Right of correction
You have the right to demand that we promptly correct incorrect personal data concerning you. Taking the purpose into account, you have the right to demand that incomplete personal data be made complete, including with a supplementary statement.
4.4. Right of deletion
You have the right to demand that we promptly delete personal data concerning you, and we are required to promptly delete personal data provided any of the following reasons apply:
- The personal information is no longer needed for the purpose for which it was collected or otherwise processed.
- You revoke your consent on which the processing was based according to GDPR Article 6 (1) (a) or GDPR Article 9 (2) (a) and there is no other legal basis for the processing.
- You file an objection to the processing pursuant to GDPR Article 21 (1) and there are no overriding justified grounds for the processing, or you file an objection to the processing pursuant to GDPR Article 21 (2).
- The personal data were not processed lawfully.
- Deletion of the personal data is necessary to fulfill a legal obligation under EU law or the law of member states we are subject to.
- The personal data were collected in regard to services offered by the information society according to GDPR Article 8 (1).
If we have made the personal data public and are accordingly required to delete it, then we, taking into account the available technology and the implementation costs, will take reasonable steps (including of a technical nature) to notify the controllers processing the personal data that you have demanded that they delete all links to such personal data and copies or duplications of such personal data.
4.5. Right to restrict processing
You have the right to demand that we restrict processing if any of the following conditions apply:
- You dispute the accuracy of the personal data; this applies for a period allowing us to verify the accuracy of the personal data;
- The processing is unlawful and you opted against deletion of the personal data, instead demanding that use of the personal data be restricted;
- We no longer require the personal data for the processing purpose but you require the data to assert, exercise, or defend legal rights or claims; or
- You have filed an objection to the processing pursuant to GDPR Article 21 (1), as long as it is not yet clear whether our company’s justified reasons outweigh yours.
4.6. Right of data portability
You have the right to obtain personal data concerning you (which you provided to us) in a structured, common, and machine readable format, and you have the right to send such data to another controller without interference from us, provided that:
- the processing is based on consent pursuant to GDPR Article 6 (1) (a) or GDPR Article 9 (2) (a) or on a contract pursuant to GDPR Article 6 (1) (b), and
- the processing is performed using automated methods.
When exercising your right to data portability according to paragraph 1, you have the right to have the personal data transmitted by us directly to another controller, to the extent this is technically feasible.
4.7. Right of objection
You have the right to file an objection at any time, due to reasons resulting from your special situation, to the processing of personal data concerning you that is performed on the basis of GDPR Article 6 (1) (e) or (f); this also applies to any profiling based on these provisions. We will no longer process the personal data unless we can show compelling protected reasons for the processing that outweigh your interests, rights, and freedoms, or the processing serves the purpose of asserting, exercising, or defending legal rights or claims.
If personal data are processed by us in order to conduct direct advertising, you have the right to file an objection at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is connected with such direct advertising.
You have the right to file an objection at any time, due to reasons resulting from your special situation, to the processing of personal data concerning you that is performed for scientific or historical research purposes or for statistical purposes on the basis of GDPR Article 89 (1), unless the processing is necessary in order to fulfill a task that is in the public interest.
4.8. Automated decision-making, including profiling
You have the right not to be subjected to a decision based exclusively on automated processing, including profiling, that produces a legal effect concerning you or that similarly has a considerable negative impact on you.
No automated decision-making process is performed on the basis of the collected personal data.
4.9. Right to revoke legal consent
You have the right to revoke at any time your consent for the processing of personal data.
4.10. Right to file grievance with a supervisory agency
You have the right to file a grievance with a supervisory agency, particularly in the member state of your place of residence, place of work, or the location of the presumed violation, if you are of the opinion that the processing of personal data concerning you is unlawful.
5. Data security
We make maximum efforts to ensure the security of your data within the scope of the applicable data protection laws and technical possibilities.
We transmit your personal data in encrypted form. We use the secure transmission method “SSL Secure Socket Layer with 256-bit encryption” to send customer and credit card data. You can identify this from the fact that an “s” is added to the http:// address component: https://. The SSL connection used by us was certified by COMODO CA Limited with regard to security and confidentiality.
This encryption method is the recognized standard that is also used by Internet banks for data transactions.
To secure your data we maintain technical and organizational security measures conforming to GDPR Art. 32, which we continuously keep up to the state of the art.
We do not guarantee, however, that our content is available at specific times; disruptions, interruptions, and outages cannot be precluded. The servers we use are backed up regularly and carefully.
6. Online presence in social media
We maintain an online presence within social networks and platforms so that we can communicate with customers, potential customers, and users who are active there and inform them of our services there.
We point out that user data may be processed outside the European Union. This may result in risks to users because, for example, the enforcement of user rights could be made more difficult. With respect to US providers certified under the Privacy Shield, we point out that they are committed to respecting EU privacy standards.
Furthermore, user data are usually processed for market research and advertising purposes. For example, user profiles are created from the user behavior and the resulting interests of the users. The usage profiles may in turn be used, for example, to place advertisements inside and outside the platforms that are allegedly in line with users’ interests. For these purposes, cookies are usually stored on the computers of the users, in which the user behavior and the interests of the users are stored. Furthermore, in the usage profiles, data can also be stored independently of the devices used by the users (in particular if the users are members of the respective platforms and logged in to them).
The processing of users’ personal data is based on our legitimate interests in effectively informing users and communicating with users according to Art. 6 Par. 1 Letter f GDPR. If the users are asked by the respective providers of the platforms for a consent to the above-mentioned data processing, the legal basis of the processing is Art. 6 Par. 1 Letter a., Art. 7 GDPR.
For a detailed description of the respective processing and the options for objecting (opt-out), we refer to the provider information linked below.
Also in the case of requests for information and the assertion of user rights, we point out that these can be claimed most effectively from the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. If you still need help, then you can contact us.
Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), Facebook pages based on an agreement on joint processing of personal data – Data protection declaration: https://www.facebook.com/about/privacy/, Opt-Out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
Google/YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – Data protection declaration: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – Data protection declaration / Opt-Out: http://instagram.com/about/legal/privacy/.
Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) – Data protection declaration: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.
7. Integration of videos from the provider Vimeo
We use the provider Vimeo for integration of videos, among others. Vimeo is operated by Vimeo, LLC, whose main office is at 555 West 18th Street, New York, New York 10011.
We use plug-ins from the vendor Vimeo on some of our webpages. When you access the webpages of our Internet presence containing such a plug-in, a connection is established to the Vimeo servers and the plug-in is displayed. This notifies the Vimeo server which of our webpages you visited. If you are logged in as a Vimeo member, Vimeo matches this information to your personal user account. When using the plug-in, for instance clicking the start button of a video, this information is also matched to your user account. You can prevent such matching by logging out of your Vimeo user account before using our website and deleting the corresponding Vimeo cookies.
More information on data processing and data protection notes from Vimeo are available at https://vimeo.com/privacy.
8. Sharing data with third parties, no data transmission to non-EU countries
We fundamentally use your personal data only within our company.
To provide our services we transmit your data to third parties only insofar as this serves the purpose of fulfilling contracts (such as logistics providers).
The legal basis for the data transmission is GDPR Art. 6 (1) (b).
In the event we outsource certain elements of data processing (“commissioned processing”), we contractually require commissioned processors to use personal data only in conformance with the requirements of data protection laws and to ensure that the rights of data subjects are protected.
No data transfer occurs or is planned to entities or individuals outside the EU, other than the cases named in item 7 of this statement.
9. Data protection officer
If you have other questions or concerns about data protection, please contact our data protection officer:
Deutsches Theater München Betriebs GmbH
Mr. Ingo Stelzel
Schwanthalerstraße 13, 80336 München