Privacy Policy

Privacy Policy Rock am Ring / Rock im Park

  1. Data protection, Controller and Data Protection Officer

Below we inform you about the processing of personal information when using our mobile iPhone and Android app (hereinafter referred to as “app”). Personal information are all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior.

This privacy policy explains what data we process when you use the app and what we use it for. It also explains how and for what purpose this is done.

If we process your data, this is regularly done on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, for the purpose of contract fulfillment in accordance with Art. 6 para. 1 lit. b GDPR or on the basis of legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, which are always weighed against your interests.

We would like to point out that data transmission over the Internet may be subject to security vulnerabilities. Complete protection of data against access by third parties is simply not possible.

Unless a more specific storage period has been specified in this privacy policy, your personal information will remain with us until the purpose for the data processing no longer applies. If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal information (e.g. retention periods under tax or commercial law); in the latter case, the deletion will take place after these reasons no longer apply.

  1. Contact details of the Controller and the Data Protection Officer

This privacy policy applies to data processings by

Controller:

eventimpresents GmbH & Co. KG

c/o CTS EVENTIM AG & Co. KGaA

Contrescarpe 75a

28195 Bremen, Germany
mail: info@eventimpresents.com

You can contact our data protection officer here:

datenschutz@eventimpresents.com

  1. General notes and mandatory information

  2. Download and installation of the app

You can download our app from an app store of your choice (Apple App Store or Google Play Store) to your devices (e.g. smartphone). When you download the app to your mobile device, the necessary information is transferred to the respective app store, in particular your user name, email address and customer number of your account, the time of the download and the individual device identification number. However, we have no influence on this data procession and are not responsible for it. We process the data provided to the extent necessary to download the app to your mobile device. It will not be stored beyond this. The legal basis for this data processing is Art. 6 para. 1 lit. b and f GDPR, as it may be in our legitimate interest as well as the fulfillment of the contract to process the data required for the download and installation.

When using the stores, please note their privacy policies: Apple App Store: https://www.apple.com/de/privacy/

Google Play Store: https://policies.google.com/privacy

b) SSL- and TLS-encryption

This app uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content that you send to us as the app operator. This encryption prevents the data you transmit from being read by unauthorized third parties.

c) External app hosting

In addition to the local storage of data on your device (e.g. smartphone), it is necessary to store your device data on the servers of our IT service provider in order to ensure the functionality of the app.

Our provider uses Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg (hereinafter referred to as AWS) for hosting.

The servers have been carefully selected and are located exclusively within the EU/EEA, specifically in Frankfurt.

However, we cannot completely rule out the possibility that personal information may be transferred to the parent company of AWS in the USA in exceptional cases. The data transfer to the USA is based on the EU standard contractual clauses.

You can find details here:

https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/.

You can find further information in AWS’s privacy policy at

https://aws.amazon.com/privacy/?nc1=h_ls.

The use of AWS is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the most reliable presentation of our application.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). This is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link:

https://www.dataprivacyframework.gov/s/participant-search/participantdetail?%20%20contact=true&id=a2zt0000000TOWQAA4&status=Active.

  1. Access rights for the app

In order to provide our services via the app, we require the access rights listed below, which enable us to access certain functions of your device.

  • location data

Access to the device functions is necessary to ensure the functionalities of the app, such as the use of the map. The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR, your consent within the meaning of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG and - if a contract has been concluded - the fulfillment of our contractual obligations (Art. 6 para. 1 lit. b GDPR).

The photos are not stored on the server. It is important to us that you have control over your data. We therefore rely on local storage as far as possible.

5. Data procession within the app

a) Use of cookies or similar technologies

  1. General information

Our app uses cookie-like technologies / tokens. These may be digital certificates, for example, but they do not cause any damage to your end device. They are either stored temporarily for the duration of a session or permanently on your device to keep the logged-in session active.

These technologies have various functions and may be technically necessary, as certain app functions such as login would not work without them. Others may be used to evaluate user behavior in order to better understand the use of our own products or to analyze the stability of our services. Depending on the purpose, these are regularly stored on the basis of Art. 6 para. 1 lit. f GDPR, as we have a legitimate interest in the storage for the technically error-free and optimized provision of our services.

If consent to storage has been requested, e.g. because measurements of user behavior are carried out, the storage takes place exclusively on the basis of this consent (Art. 6 para. 1 lit. a GDPR); the consent can be revoked at any time.

  1. Consent with ConsentManager

Our app uses the consent technology of ConsentManager to obtain your consent to the storage of certain cookies on your end device or to the use of certain technologies and to document this in compliance with data protection regulations. The provider of this technology is Jaohawi AB, Håltegelvägen 1b, 72348 Västerås, Sweden, Website: https://www.consentmanager.de

When you use our app, a connection is established to the ConsentManager servers in order to obtain your consent and other declarations regarding the use of cookies. ConsentManager then stores a cookie in order to be able to assign the consents given or their revocation. The data processed in this way is stored until you ask us to delete it, delete the ConsentManager provider cookie yourself or the purpose for data storage no longer applies.

Mandatory statutory retention obligations remain unaffected.

The Consent Manager is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract prescribed by data protection law, which ensures that it only processes the personal information of our website visitors in accordance with our instructions and in compliance with the GDPR.

  1. Use of cookies in the ticket store

The ticket store is provided by our ticketing partner CTS Eventim KGaA & Co. KG as the controller in terms fo the GDPR. You can access it via a link within the app. Please note the privacy policy applicable there at https://www.eventim.de/help/data-protection/, as this is no longer under our control.

b) Analytical data

  1. Google Firebase Crashlytics

This app uses the technology of Google Firebase (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, “Google”), an analysis service of Google Inc. for crash reporting and to ensure the operation of the app.

The information generated about usage (app version, type and version of the device used, version of the operating system, date and time of use, app crashes, updates and the IP address used during use) is transferred to a Google server in the USA and stored there.

For the relevant data transfers to the USA, Google Firebase refers to the standard contractual clauses of the EU Commission. You can find details on this here: https://firebase.google.com/support/privacy.

The legal basis for the use and evaluation of the data is a legitimate interest in the high-performance operation of the app within the meaning of Art. 6 para. 1 lit. f GDPR.

You can find out which subcontractors Google uses at the following link: https://firebase.google.com/terms/subprocessors.

You can find more information about Google Firebase and data protection here:

https://firebase.google.com/terms/data-processing-terms,

https://firebase.google.com/terms/, https://firebase.google.com/support/privacy/.

  1. Google Firebase Cloud Messaging

If you have activated the push function to inform you about security-relevant events and to receive information about the festival, Firebase Cloud Messaging is used, which is necessary to send push messages to Android devices. This technology is also a Firebase service of the provider Google Inc (hereinafter Google), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

With your express consent, your IP address will be transmitted to Google servers.

For the relevant data transfers to the USA, Google Firebase refers to the standard contractual clauses of the EU Commission. You can find details on this here: https://firebase.google.com/support/privacy.

We have concluded an order processing agreement and standard contractual clauses with Google to ensure that a level of data protection comparable to that in the EU/EEA is maintained.

You can find more information about Google Firebase and data protection here: https://firebase.google.com/terms/data-processing-terms and https://firebase.google.com/terms/.

  1. Google Firebase Analytics

We also use functions of the web and app analysis service Google Analytics via Firebase. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables the app operator to analyze user behavior. In doing so, we receive reports on usage data, such as visits, length of stay, operating systems used and origin of the user. This data is summarized in a user ID and assigned to the respective end device of the user. We can also use Google Analytics to record your mouse and scroll movements and clicks, among other things. Google Analytics also uses various modeling approaches to supplement the processed data records and uses machine learning technologies for data analysis.

Google Analytics uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g. cookies, tokens or device fingerprinting).

The information collected by Google about the use of this app is usually transferred to a Google server in the USA and stored there. In Google Analytics 4, the anonymization of IP addresses is activated by default. Due to IP anonymization, your IP address is shortened by Google. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. According to the provider, the IP address transmitted by Google Analytics will not be merged with other Google data.

The aforementioned data for the analysis of user behavior using Google Analytics 4 for Firebase is automatically deleted after 14 months.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/.

Google is also certified in accordance with the EU-US Data Privacy Framework (DPF), an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every DPF-certified company undertakes to comply with these data protection standards. You can find more information on this under the following link: https://www.dataprivacyframework.gov/participant/5780.

  1. Online-/Social Media-Marketing with EDGE

For marketing measures on our website, app and social networks, we use EDGE for support. The provider is EDGE Entertainment Digital GmbH, a subsidiary of CTS EVENTIM AG & Co. KGaA.

The legal basis for the use is Art. 6 para. 1 lit. f. GDPR. Our legitimate interest is to effectively set up campaigns on high-reach platforms such as Facebook, Instagram, Google, YouTube and TikTok.

If you purchase products on our platforms, we transmit your personal information to Edge Entertainment Digital GmbH for the purpose of carrying out advertising measures if you give us your consent within the meaning of Art. 6 para. 1 lit. a GDPR.

We are jointly responsible with EDGE for the processing of your personal information.

c) Procession of location data

You can use the location function on your smartphone to determine your location for selected functions. For example, we can automatically provide you with up-to-date information on stages, food spots or awareness points in your vicinity. Location services can be deactivated at any time via your device’s system settings.

Mapbox

We have integrated Mapbox for this purpose. The provider is Mapbox, Inc. 740 15th Street NW, 5th Floor, Washington, District of Columbia 20005, USA (hereinafter “Mapbox”). With the help of this service, we can integrate map material on our website.

To use the functions of Mapbox, it is necessary to store your IP address, Session ID and Geo data. This information is transmitted anonymously and encrypted to a server of Amazon Web Services in the USA and stored there. The provider of this site has no influence on this data transfer.

This constitutes a legitimate interest on the part of the provider within the meaning of Art. 6 para. 1 lit. f GDPR.

Further details can be found in the provider’s privacy policy at https://www.mapbox.com/legal/privacy.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF), which is intended to guarantee a level of data protection similar to that of the EU and has been classified as appropriate by the EU.

6. Transfer of personal information

a) Legal basis

We only pass on your personal information to third parties if this is necessary to achieve our purposes and at least one of the following legal bases exists

  • you have expressly given your consent in accordance with Art. 6 para. 1 lit. a GDPR,

  • this is legally permissible and necessary for the processing of contractual relationships with you in accordance with Art. 6 para. 1 lit. b GDPR

  • in the event that there is a legal obligation for disclosure pursuant to Art. 6 para. 1 lit. c GDPR, and

  • the disclosure pursuant to Art. 6 para. 1 lit. f GDPR is necessary to safeguard our legitimate interests, unless your interests, fundamental rights and freedoms, which require the protection of your personal information, prevail.

b) US-transfer of personal information

For the most part, but not exclusively, we rely on service providers based within the EU/EEA or a third country for which the European Commission has adopted an adequacy decision within the meaning of Art. 45 GDPR. However, even in the case of service providers based within the EU/EEA, we cannot guarantee in individual cases that they will only store or process your data on servers in countries with a level of protection comparable to that in the EU/EEA.

Among other things, we use tools from companies based in the USA. If these tools are active, your personal information may be transferred to these third countries and processed there. We would like to point out that the European Commission has adopted an adequacy decision for the EU-U.S. Data Privacy Framework (successor to the “Privacy Shield”). The decision states that the United States will ensure an adequate level of protection - comparable to that of the European Union - for personal information transferred from the EU to US companies under the new framework. Based on this sectoral adequacy decision, personal information can be transferred securely from the EU to US companies participating in the framework (“Data Privacy Framework”) without the need to implement additional data protection safeguards. To participate, companies must be certified by the U.S. Department of Commerce. If you have not done so, the adequacy decision does not serve as a basis for secure data transfer. In these cases, we conclude standard contractual clauses (SCC) with the service providers. By concluding the standard contractual clauses within the meaning of Art. 46 para. 2 lit. c GDPR, we provide guarantees for the protection of your data.

We also encrypt or pseudonymize personal information before transferring it to a service provider in a third country if this is technically possible and appropriate.

7. Rights of data subjects

You have the right

  • to request information about your personal information processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of personal information, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not processed by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;

  • in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or incomplete personal information stored by usgemäß Art. 17 DSGVO die Löschung deiner bei uns gespeicherten personenbezogenen Daten zu verlangen, soweit nicht die Verarbeitung zur Ausübung des Rechts auf freie Meinungsäußerung und Information, zur Erfüllung einer rechtlichen Verpflichtung, aus Gründen des öffentlichen Interesses oder zur Geltendmachung, Ausübung oder Verteidigung von Rechtsansprüchen erforderlich ist;

  • in accordance with Art. 18 GDPR, to demand the restriction of the processing of your personal information if the accuracy of the data is disputed by you, the processing is unlawful, but you refuse to delete it and we no longer need the data, but you need it to assert, exercise or defend legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR

    • in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller
    • in accordance with Art. 7 para. 3 GDPR, to revoke your consent to us at any time. As a result, we may no longer continue the data processing that was based on this consent in the future; and
  • to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.

8. Right of objection

If your personal information is processed on the basis of legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, you have the right to object to the processing of your personal information in accordance with Art. 21 GDPR, provided that there are reasons for this arising from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation.

If you wish to exercise your right to object, simply send an email to datenschutz@eventimpresent.com.

9. Data Security

We use the widespread SSL (Secure Socket Layer) method in conjunction with the highest level of encryption supported by your browser when you access the app. As a rule, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead.

We also use suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

10. Modification of this privacy policy

This privacy policy is currently valid and is dated August 2024.

It may become necessary to amend this privacy policy as a result of the further development of our app and offers or due to changes in legal or official requirements.