INTRODUCTION AND TERMS
With the operation of our websites www.myticket.de and www.myticket.at (hereinafter referred to as "website"), we process personal data. We treat this data confidentially and process it in accordance with the applicable laws - in particular the General Data Protection Regulation (GDPR), Federal Data Protection Act (BDSG - Germany) and the Data Protection Act (DSG - Austria). With our data protection regulations, we want to inform you which personal data we collect from you, for which purposes and on which legal basis we use it and, if applicable, to whom we disclose it. Furthermore, we will explain to you which rights you are entitled to in order to protect and enforce your data protection.
2.1 Personal data
"Personal data" means any information relating to an identified or identifiable person (Art. 4 No. 1 GDPR). Information of an identified person can be, for example, the name or the e-mail address. However, personal data is also data for which the identity is not immediately apparent, but can be determined by combining one's own information or that of others and thus finding out who it is. A person can be identified, for example, by providing his or her address or bank details, date of birth or user name, IP addresses and/or location data. Relevant here is all information that in any way allows a conclusion to be drawn about a person.
Under Art. 4 Par. 2 of the GDPR, “processing” describes any process applied to personal data. This especially includes the collection, capture, administration, classification, recording, amendment, printing, making available, use, disclosure, sharing, dissemination, provision, comparison, linking, restriction, erasure or destruction of personal data.
DATA CONTROLLER AND DATA PROTECTION OFFICER
The party responsible for data processing is:
Company: mytic myticket AG ("we")
Legal representative: Moritz Schwenkow (Executive Board and CEO), Lukas Goy (Executive Board and COO)
Address: Johannisbollwerk 20, 20459 Hamburg
Phone: 040-2372 400 30
4. DATA PROTECTION OFFICER
We have appointed an external data protection officer for our company. You can reach him at:
Name: Reinher Karl
Address: HABEWI GmbH & Co. KG, Palmaille 96, 22767 Hamburg, Germany
Phone: +49 40 18189800
Within the framework of the website, we process your personal data listed in detail below under sections 6 - 13. We only process data from you that you actively provide on our website (e.g. by filling out forms) or that you automatically provide when using our offer.
Your data will exclusively be processed by us and these data will, as a matter of principle, not be sold, leased or provided to any third parties. Insofar as we use external service providers for the processing of your personal data, that will be done in the context of a cooperation with a so-called data processor, where we act as principal and are authorized to give instructions to our contractors.
For the operation of our website, we use external service providers for hosting, and for the maintenance, update and further development. Insofar as other external service providers will be used for individual processing activities that are listed in “Processing activities in detail”, they will be specified there.
We host our website with the external provider Providerdienste.de (Bradler & Krantz GmbH & Co. KG, Kurt-Schumacher-Platz 8, 44787 Bochum, Germany). Data transfer to third countries does not take place and is not planned. We will provide information about exceptions to this principle in the processing operations described below.
THE PROCESSING IN DETAIL
6. PROVISION OF THE WEBSITE AND SERVER LOG FILES
6.1 Description of the processing
Each time you access the website, we automatically record information that your browser transmits to our server. This information is also stored in the so-called log files of our system. This is the following data:
• your IP address
• the browser software you use, as well as its version and language
• the operating system you are using, if actively sent by the browser
• the website from which you have accessed our website (so-called referrer)
• the sub-pages you have accessed on our website
• the date and time of your visit to our website
• the transmitted data volume
The temporary storage of your IP address by the system is necessary in order to be able to deliver our website to a user's terminal device. For this purpose, the user's IP address must remain stored for the duration of the session. However, your IP address is not recorded in our log files.
The processing is carried out to enable the website to be called up and to ensure its stability and security. Furthermore, the processing serves the statistical evaluation and improvement of our online offer.
6.3 Legal basis
The processing is necessary to protect the overriding legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose named in section 6.2 and, insofar as we require your consent, in Art. 6 para. 1 lit. a GDPR, which we obtain via a cookie consent tool.
6.4 Storage period
Your data will be erased as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. The log files are erased after 14 months unless legal retention obligations, in particular in connection with a contractual relationship, make longer retention periods necessary.
7. REGISTRATION AND PROFILE
7.1 Description of the processing
Individual functions and offers on our website are only available to you as a registered user. By registering, you enter into a free user agreement with us. By registering, you receive your own user account on our website. Registration takes place by filling in the registration form on www.myticket.de and sending it to us electronically. To register, you must enter your title/gender, first name, surname, address (street, house number, postcode, town, country), your e-mail address and a password of your choice. By clicking the button "Register" you submit the form to us. You will then receive an automatic welcome e-mail. This contains a link to confirm your e-mail address. Only after successful verification of your e-mail address by clicking on the confirmation link will your account on our website be activated. As a registered user, you can shop on our website more quickly and conveniently by entering your billing and delivery addresses in your user profile. This means that you do not have to re-enter your personal data for subsequent (further) purchases.
In addition to the information you provide during registration, we process the following personal data from you for the purpose of setting up and maintaining your user account, insofar as you provide this personal data: company, address suffix, telephone number, birthday, VAT ID, delivery address.
The processing is carried out in order to provide you with the functions of our website for registered users.
7.3 Legal basis
The processing is necessary for the conclusion and fulfilment of the user contract (Art. 6 para. 1 lit. b GDPR). Without providing your personal data as part of the registration process, we cannot provide our contractually owed services.
7.4 Storage period
The data will be automatically erased by us upon termination of your user contract. You can terminate the user contract independently by informing us by e-mail to email@example.com, by post to mytic myticket AG, Johannisbollwerk 20, 20459 Hamburg or by fax to 040-4133018-66 that you no longer wish to be a registered user of our website. We will then delete your user account immediately. Furthermore, as a logged-in user, you can edit and remove your own contributions, details and information at any time.
8.1 Description of the processing
You can purchase tickets, ticket vouchers, gift sleeves, VIP packages (e.g. meet & greets, merchandise, etc.), ticket insurance, hotel travel packages (ticket + hotel accommodation), travel packages (maxdome voucher, Deutsche Bahn voucher + myticket voucher), and occasionally merchandise (e.g. CDs) as a guest or as a registered user on our website. As part of your order process, we process personal data of you and possibly third parties with whom you attend the event. If you provide data of a third party when purchasing tickets, please ensure that the third party has been sufficiently informed by you about the processing of their data and that you are authorised to provide the data. The mandatory fields marked with an asterisk "*" in our online shop must be completed by you.
Otherwise, it is not possible for us to conclude a purchase contract with you, to inform you of changes at short notice and to send you the desired goods. For certain events, tickets are personalised. In this case, we use your name and the names of the other persons to personalise the tickets. All other information is optional. When making a purchase on our website, you can also select one of the payment methods offered (PayPal, purchase on account/immediate transfer via Klarna, credit card via BS Payone, Amazonpay and prepayment) to settle the purchase price. When you complete your order, the data required for payment will be passed on to the respective payment service provider. If you shop on our website as a registered user, you can store your billing and delivery addresses as well as your preferred payment method in your user profile for faster and more convenient ordering. In addition, your first name, surname and address will be transmitted to UPS as the shipping service provider in order to process the delivery.
If you have given your consent by ticking the appropriate box during the ordering process, we will also pass on your e-mail address to UPS so that you are informed directly by the shipping service provider by e-mail about the current status of your order shipment.
The processing is necessary to fulfil our contractual obligations. The provision of your telephone number is necessary so that we can inform you at short notice, in particular in the event of significant changes, postponements or cancellations in connection with the event. Personalisation is necessary so that you and the other persons can attend the event and the personalised data can be passed on to the organiser for infection chain tracking. Otherwise, the contract is not feasible.
8.3 Legal basis
The processing is necessary for the conclusion and fulfilment of the purchase contracts existing between you and us (Art. 6 para. 1 lit. b GDPR). This also concerns the transfer of the data required for the processing of payments to the respective payment service provider and the transfer of the data required for the delivery of goods shipments to the shipping service provider UPS. The transmission of your e-mail address for the sending of UPS shipment notification e-mails is based on consent (Art. 6 para. 1 lit. b GDPR).
8.4 Storage period
Due to commercial and tax law requirements, we are obliged to store your address, payment and order data for a period of ten years. However, we restrict processing after two years, i.e. your data will then only be stored separately to comply with the statutory retention periods and will be erased immediately after their expiry.
Consent to the transmission of your e-mail address for the purpose of sending UPS shipment notification e-mails is voluntary and can be revoked by you at any time by simple declaration (by e-mail to: firstname.lastname@example.org, by post to: HABEWI Datenschutz, Palmaille 96, 22767 Hamburg or by fax to 040/ 46008977) with effect for the future.
In order to process your payment, personal data will be passed on to one of the external payment service providers listed below and selected by you as part of your purchase:
• PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. PayPal reserves the right to transmit personal data to credit agencies under certain circumstances for the purpose of checking identity and creditworthiness. Further information on data protection at PayPal can be found at www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE.
• Klarna Invoice Purchase/Instalment Purchase/Direct Debit/Instant Bank Transfer: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden, www.klarna.com. You can find more information about data protection at Klarna at: www.klarna.com/de/datenschutz/
• Credit card: BS PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt am Main, Germany. For further information on data protection at BS PAYONE, please visit: https://www.payone.com
• Amazon Pay: Amazon Pay is a service provided by Amazon Payments Europe s.c.a., 38 avenue J.F. Kennedy, L-1855 Luxembourg ("Amazon Payments"). To pay with Amazon Pay, you must have an Amazon account. You can find more information on data protection with Amazon Pay at: pay.amazon.de/help/201212490
• Giropay: GiroSolution GmbH, Hauptstraße 27, 88699 Frickingen. Further information on data protection with Giropay can be found at: https://www.giropay.de/
• Prepayment: No data will be passed on to third parties.
In order to carry out and process the delivery of goods, we will pass on the data required for this to the shipping service provider UPS. In the event of corresponding consent, we will also transmit your e-mail address to UPS for the purpose of sending UPS shipment notification e-mails.
9. CONTACT FORM AND CONTACT BY E-MAIL
9.1 Description of the processing
To contact us, we have provided a contact form on our website. In this form, you are asked to enter your e-mail address, your name, the subject of your request and, if applicable, your order number and a message to us. When you click the "Send" button, the data is transmitted to us using SSL encryption (see section 13). The contact form can only be transmitted if you accept our data protection regulations by clicking on the corresponding checkbox. You can also contact us via the e-mail addresses provided on the website and write and publish reviews of artists. In this case, the user's personal data transmitted with the e-mail or the review will be processed by us.
By providing a contact form on our website, we want to offer you a convenient way to get in touch with us. The data transmitted with and in the contact form or your e-mail will be used exclusively for the purpose of processing and responding to your request.
9.3 Legal basis
The processing is necessary to protect the overriding legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose named in section 9.2. If the e-mail contact is aimed at the conclusion or fulfilment of a contract, the data processing is carried out for the fulfilment of the contract (Art. 6 para. 1 lit. b GDPR).
9.4 Storage period
We delete the data as soon as it is no longer required to achieve the purpose for which it was collected. This is usually the case when the respective communication with you has ended. The communication is ended when the circumstances indicate that your concern has been conclusively clarified. If legal retention periods prevent deletion, the data will be erased immediately after the legal retention period has expired.
10. COOKIES AND TRACKING TECHNOLOGIES
10.1 Description of the processing
We use the following third-party services if you have given us your prior consent:
Amazon Advertising, Belboon, eKomi, Freshdesk, Google Ads Conversion Tracking, YouTube Cookies (ytimg), Google Analytics, Google Tag Manager, Clarity, Twitter, DoubleClick Floodlight, Google Ads Retargeting, Facebook Pixel, TikTok Pixel and Microsoft Bing Ads.
When you visit our website, you will see a cookie symbol at the bottom left. If you click on the symbol, the settings page of our cookie consent tool opens and you can access detailed information pursuant to Art. 12 (1) GDPR on the purpose, duration, location and legal basis of the processing of personal data and revoke your consent at any time.
10.3 Legal basis
The processing is necessary with regard to technically required cookies to protect the overriding legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose named in section 10.2. With regard to the processing of all other cookies - i.e. cookies that are not technically necessary - the legal basis is consent (Art. 6 para. 1 lit. a GDPR). Such consent is voluntary.
10.4 Storage period, revocation of consent
10.5 Recipients and transmission to third countries
When using third-party cookies, data may be transmitted to the corresponding providers of these third-party services. Under certain circumstances, data may also be transferred to third countries outside the European Union or the European Economic Area. We provide information about the recipients of data and the transmission to third countries in the settings of the cookie banner/cookie consent tool or in the corresponding passage on the third-party service or processing in these data protection provisions.
11.1 Description of the processing
We send out a newsletter at irregular intervals. With the newsletter we inform you about advance booking starts for concerts, shows and events of all kinds as well as current event recommendations, competitions and marketing campaigns. You will only receive our newsletter if you actively subscribe to our mailing list. You can subscribe to it by filling out and submitting a newsletter registration form on our website or as part of an order in our online shop. For the newsletter registration, only your e-mail address is required. All other details (such as your first name and surname) are voluntary and are used solely to personalise the e-mails. We use the so-called double opt-in procedure to carry out and verify newsletter registrations. Registration takes place in several steps. First, you register for the newsletter on our website. You will then receive an e-mail from us at the e-mail address you have provided. In this e-mail, we ask you to confirm that you have actually registered for the newsletter and wish to receive it. Confirmation takes place by clicking on a confirmation link in the e-mail. Only after successful confirmation will we add you to our newsletter distribution list and send you future e-mails. As part of the double opt-in process, we save the date, time and your IP addresses both during registration and confirmation.
If we receive your e-mail address in connection with the sale of a product or service and you have not objected to this, we reserve the right to subsequently send you offers on similar products to those already purchased from our range by e-mail within the framework of the so-called existing customer newsletter on the basis of § 7 para. 3 UWG (Germany) and § 174 para. 4 TKG (Austria) without your consent. This serves to protect our legitimate interests in addressing our customers in an advertising manner, which outweigh our interests in the context of a balancing of interests. You can object to this use of your e-mail address at any time by sending a message to the contact option described below or via a link provided for this purpose in the advertising e-mail, without incurring any costs other than the transmission costs according to the basic rates.
The processing takes place in order to offer the newsletter function and to be able to send newsletter emails to subscribers and existing customers. The collection and storage of the date, time and IP addresses when subscribing to the newsletter serves to document the consent given and to protect against the misuse of e-mail addresses.
11.3 Legal basis
The processing of our subscriber newsletter is based on consent in accordance with Art. 6 Para. 1 lit. a GDPR. You can request the declaration of consent from us at any time via e-mail. Your consent is voluntary. The collection and storage of date, time and IP addresses during newsletter registration is necessary to protect the overriding legitimate interests of the responsible party (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose named in section 11.2. In the case of our newsletter for existing customers, processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR to protect the overriding interests of the controller. Our legitimate interest lies in direct advertising to existing customers. This is permissible within the framework of § 7 para. 3 UWG and § 174 para. 4 TKG, which we observe.
11.4 Storage period and revocation of consent
If you do not confirm your subscription to our newsletter within 31 days of receiving the corresponding registration email, your data will be erased. We process your personal data for the duration of your newsletter subscription. You can cancel your subscription to our newsletter at any time by revoking your consent. A simple declaration is sufficient for this (by e-mail to email@example.com, by post to mytic myticket AG, Johannisbollwerk 20, 20459 Hamburg) or via the link provided for this purpose in the newsletter, without incurring any costs other than the transmission costs according to the basic rates. Upon revocation of your consent, you will no longer be sent newsletters and your personal data will be removed from our active distribution list. In order to enforce your revocation, we will add your e-mail address to our so-called black list in a restricted manner. In this way, we can ensure that you will not receive any newsletters from us in the future and that your email address will not be misused by third parties.
11.5 Recipients and transmission to third countries
We use the services of the newsletter provider SecuTix Deutschland GmbH to manage our newsletter distribution list and to send the emails. This takes place within the framework of order processing. SecuTix Deutschland GmbH is a service provided by mytic myticket AG, Landsberger Str. 302, 80687 Munich. Further information on data protection at SecuTix Deutschland GmbH can be found at https://www.elca.ch/de/datenschutzerklaerung.
12. SOCIAL NETWORKS
12.1 Description of the processing
Our website does not use any so-called social media plugins. The Facebook, Instagram and Twitter logos displayed on our website are merely linked to the corresponding profiles of our company on the social networks. A data transfer to the social networks does not take place with the integration of the logos. If you click on one of the logos, you will only be redirected to the external website of the respective social network.
However, our profiles within the social networks constitute data processing. If you are logged in to the respective social network when you visit such a profile, this information will be assigned to your user account there. If you interact with our profile, e.g. comment, "share", "like" or "retweet" a post, this information will also be stored in your user account. As a rule, your interactions with our profile can also be viewed by us.
On the social networks Facebook and Instagram, we have the possibility to obtain statistical data about the use of our Facebook page or our Instagram profile via the so-called "Insights" function. These statistics are provided by Facebook and Instagram. The "Insights" function cannot be disabled. We cannot decide to turn this feature on or off. It is available to all Facebook fan page operators and all Instagram business account operators, regardless of whether you use the Insights function or not.
We are provided with the following data via Facebook Insights for a selectable period of time in anonymised form with regard to fans, subscribers, people reached and people interacting: Total page views, likes including origin, page activity, post interactions, reach, post reach (broken down into organic, viral and paid interactions), comments, shared content, replies and demographic analysis, i.e. country of origin, gender and age. In the Insights statistics, it is not possible for us to identify subscribers and fans of our site and to view their profiles.
Furthermore, we receive anonymised data about the development and reach of our Instagram profiles, as well as the posts, stories and videos we post there, via Instagram insights. We also receive statistical information on the place of origin, gender and age of the subscribers to our Instagram profile in the Instagram insights.
The social networks with which you communicate store your data using pseudonyms as usage profiles and use them for advertising purposes and market research. For example, you may be shown advertisements within the social network and on other third-party websites that match your presumed interests. Cookies are usually used for this purpose, which the social network stores on your end device. You have the right to object to the creation of these user profiles, for the exercise of which you must contact the social networks directly.
We maintain profiles on the aforementioned social networks for the purpose of timely and supportive public relations and corporate communication with customers and interested parties.
We use the "Facebook Insights" function to make our posts on our Facebook fan page more attractive to our visitors. For example, we can use visitors' favourite visiting times to optimise the timing of our posts.
12.3 Legal basis
The legal basis for data processing in the context of our profiles on social networks is the protection of our overriding legitimate interests (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the data processing described in section 12.2. If you are asked for consent by the respective operator of a social network, the legal basis is Art. 6 para. 1 lit. a GDPR. The data processing with regard to our presence on Facebook and Instagram is also based on joint responsibility in accordance with Art. 26 GDPR.
12.4 Recipients and transfer to third countries
The respective social networks are operated by the companies listed below. Further information on data protection with regard to our profile on the social networks can be found in the linked data protection provisions.
• Facebook: Meta Platforms, Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA or Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. Data protection provisions: www.facebook.com/policy.php; www.facebook.com/help/186325668085084, www.facebook.com/about/privacy/your-info-on-other#applications and www.facebook.com/about/privacy/your-info#everyoneinfo.
The social networks also process your personal data in the USA.
13. GOOGLE WEBFONTS
13.1 Description of the processing
Our website uses "Google Webfonts", a font substitution service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as "Google"). With Google Web Fonts, the standard fonts of your terminal device are replaced by fonts from Google's catalogue when our website is displayed. If your browser disables the integration of Google Web Fonts, the text of our website will be displayed in the standard fonts of your end device. The Google fonts are loaded directly from a Google server. For this to happen, your browser sends a request to a Google server. As a result, your IP address may also be transmitted to Google in connection with the address of our website. However, Google Webfonts does not store any cookies on your terminal device. According to Google, data processed as part of the Google Webfonts service is transferred to resource-specific domains such as fonts.googleapis.com or fonts.gstatic.com. They are not associated with data that may be related to the use of other Google services such as the search engine of the same name or Gmail. Further information on data protection at Google Webfonts is available at https://developers.google.com/fonts/faq?hl=de-DE&csw=1. General information on data protection at Google is available at http://www.google.com/intl/de-DE/policies/privacy/.
The processing is done in order to display the text of our website in a more readable and aesthetically pleasing way.
13.3 Legal basis
The processing is necessary to protect the overriding legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose named in section 13.2.
13.4 Recipients and transfer to third countries
By using Google Web Fonts, personal data may be transmitted to Google. Google also processes your personal data in the USA.
14. SAFETY MEASURES
To protect your personal data from unauthorised access, we have provided our website with an SSL or TLS certificate. SSL stands for "Secure Sockets Layer" and TLS for "Transport Layer Security"; both encrypt the communication of data between a website and the user's end device. You can recognise active SSL or TLS encryption by a small lock logo that is displayed on the far left of the browser's address bar.
15. DATA SUBJECT RIGHTS
With regard to the data processing by our company described above, you are entitled to the following data subject rights:
15.1 Right of access (Art. 15 GDPR)
You have the right to request confirmation from us as to whether we are processing personal data relating to you. If this is the case, you have a right to information about this personal data and to the further information listed in Article 15 of the GDPR under the conditions set out in Article 15 of the GDPR.
15.2 Rectification (Art. 16 GDPR)
You have the right to demand that we correct any inaccurate personal data relating to you without delay and, if necessary, to complete any incomplete personal data.
15.3 Erasure (Art. 17 GDPR)
You have the right to demand that we erase personal data relating to you without delay if one of the reasons listed in detail in Article 17 of the GDPR applies, e.g. if your data is no longer required for the purposes we are pursuing.
15.4 Restriction of processing (Art. 18 GDPR)
You have the right to request that we restrict processing if one of the conditions listed in Art. 18 of the GDPR applies, e.g. if you dispute the accuracy of your personal data, data processing will be restricted for the period of time that allows us to verify the accuracy of your data.
15.5 Data portability (Art. 20 GDPR)
You have the right, under the conditions set out in Art. 20 GDPR, to demand the return of the data concerning you in a structured, common and machine-readable format.
15.6 Withdrawal of consent (Art. 7 (3) GDPR)
You have the right to withdraw your consent at any time in the case of processing based on consent. The revocation applies from the time it is asserted. In other words, it is effective for the future. The processing therefore does not become unlawful retroactively as a result of the withdrawal of consent.
15.7 Complaints (Art. 77 GDPR)
15.8 Restraint on automated decision-making/profiling (Art. 22 GDPR)
Decisions which have legal effects concerning you or which significantly affect you must not be based solely on automated processing of personal data, including profiling. We inform you that we do not use automated decision-making, including profiling, with regard to your personal data.
15.9 Objection (Art. 21 GDPR)
If we process your personal data on the basis of Art. 6 para. 1 lit. f GDPR (to protect overriding legitimate interests), you have the right to object to this under the conditions listed in Art. 21 GDPR. However, this only applies insofar as there are reasons arising from your particular situation. After an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms. We also do not have to stop processing if it serves the assertion, exercise or defence of legal claims. In any case - also irrespective of a specific situation - you have the right to object to the processing of your personal data for direct marketing at any time.
Status: August 2023