1) Processing activity
- a) Provision of information about brut and its events
- b) Fulfilment of the event contract with customers [1]
2) Responsible party
Koproduktionshaus Wien GmbH
Nordwestbahnstraße 8-10, 1200 Vienna
E-mail: info@brutwien.at, T: +43 1 5878774
3) Purposes of data processing on the legal basis of
- freedom of communication
- a) The primary purpose of data processing by the data controller is to provide information about events of "brut". Data processing in this area is carried out on the basis of freedom of the press, freedom of opinion and freedom of communication, which is protected by convention and constitutional law (Art 13 StGG; Art 10 ECHR).
- b) Advertising the activities of the cooperation partners
- The fulfilment or preparation of the contract
- c) Sale of tickets, annual tickets and vouchers
- d) keeping information about the event and services of the responsible person and their cooperation partners available for (potential) customers
- e) provision of communication channels for the dissemination of information and servicing of the customer relationship
- f) operating venues for events
- g) planning and executing theatre performances, workshops and other events (hereinafter collectively referred to as "Events")
- h) Fulfilment of the event contract with customers who bought a ticket
- the consent
- i) Provision of newsletters to interested parties on the basis of consent with the possibility of opting out at any time
- of personal interest
- j) Dissemination of (also promotional) information for services and events of the responsible party as far as for members by way of direct advertising ("marketing purposes"), as far as legally permissible
- k) Maintaining and increasing customer satisfaction and customer loyalty by analysing user behaviour with the aim of improving the services offered, using Google Analytics
- l) making film recordings of events for (also promotional) documentation purposes and current media coverage
- m) Provision of newsletters to interested parties on the legal basis of § 174 para 4 TKG with the possibility of opting out at any time
4) Legal basis of data processing
- 1) Fulfilment of contract
- a) Online use: The use of the online media of the responsible party is based on a contract within the meaning of Art 6 (1) (b) DSGVO [2]; a registration relationship is created through registration.
- b) Participation in events: When purchasing tickets and participating in events of the controller, the data processing is based on the legal basis of the event contract.
- 2) Additional services: Consent. For individual services (e.g. newsletters), the responsible party explicitly obtains consent from the customer. This consent can be revoked at any time with effect for the future.
- 3) Predominant legitimate interests (see point 6.)
5) Description of the (predominant) legitimate interests for purposes of
- IT security:
The responsible party stores the IP addresses of its customers for a period of 7 days in order to be able to respond to targeted attacks in the form of server overload ("denial of service" attacks) and other damage to the systems. The controller has a predominant legitimate interest in this data processing for the purpose of maintaining the functionality of its services provided online (recital 49 of the GDPR).
- The dissemination of information/direct advertising [3]:
The controller also processes the customer data (but not those of children or special categories of personal data within the meaning of Art 9 of the DSGVO [4] ("sensitive data")) in order to use them for the purpose of direct advertising for (further) offers of the controller and the members of the association. The controller has a legitimate interest in processing personal data for the purpose of direct marketing (Recital 47, last sentence of the DSGVO). In doing so, the responsible party relies on its freedom of acquisition (Art. 6 of the Austrian Constitution) and freedom of communication (in particular Art. 10 of the ECHR, which also protects advertising measures), which are protected by the Convention and the Constitution, and on the rights to
- the transmission of postal advertising;
- transmit electronic mail on the basis of the contractual relationship, after consent and according to § 174 para 4 TKG.
When using this data, the responsible party complies with the provisions of communications law, in particular § 174 TKG.
- The accounting of funding:
The responsible party is funded by public bodies and is subject to the control of the funding bodies when accounting for the funding. During the controls of the funding agencies, data of the customers may be disclosed (on a random basis) for the purpose of providing proof, over which the responsible party has no influence.
- Sound and image recordings of events:
At its events, the responsible party records the sound and the image in order to be able to document the event and the activity of the responsible party, to report (live) and to advertise. Although the main interest is the stage or the podium, it cannot be excluded that event participants are also captured by the sound and image recordings. The responsible party has a legitimate interest in the sound and image recordings, which is based on the freedom of the press, freedom of opinion and freedom of communication, which is protected by convention and constitutional law (Article 13 of the Austrian Constitution and Article 10 of the European Convention on Human Rights).
6) Change of purpose:
- Information dissemination/direct advertising:
The responsible party informs that it also processes the personal data of the customer for the purpose of information dissemination/direct advertising. In this way, the data responsible party intends to provide information about its own services and the services of cooperation partners. There is no incompatibility with the purpose of the original data collection.
The customer may object to the use of his/her personal data for direct advertising purposes at any time and without giving reasons.
7) Assessments of personal aspects of the customer:
An evaluation of personal aspects of the customer does not take place.
8) Obligation to provide data:
The customer is not obliged to provide data. Association members are obliged to provide full contact details.
9) Automated decision making:
The customer is not subject to any automated decision-making that has legal effect for him/her.
10) Types of data processed:
- Disclosed by clients/concerned parties:
- Name, academic degree
- Telephone and fax number
- E-mail address
- Address
- Working in which company/organisation
- Job title/position in company/organisation
- additionally collected by the responsible person
- IP addresses (log files)
- Data on the terminal device
- Browser used
- Device used, type of device
- Communication protocol
- Reactions to email newsletters, campaign details (receipt, opening, click)
11) Data sources (unless disclosed by the client or collected by the data responsible party):
- Source:
- Cooperation partner (as far as legally permissible).
- Data types:
12) External recipients of data
- A) External operation ticket shop:
- B) Order data processor
The responsible party expressly reserves the right to use further commissioned data processors. These will then be identified in the update of the data protection information following the start of use. These data processing operations by the commissioned data processors take place under the responsibility of the data responsible party.
13) Internal recipients:
- System administration
- Management
- Departments
14) Third country transfer:
The following data is transferred to countries outside the EU in the course of data processing:
- Country: USA
- Application: Google (EU-US Privacy Shield)
- Types of data: Google Analytics: anonymised IP address, website title, browser-specific information, information on website usage
15) Appearances in social media channels:
The data responsible party informs that it maintains independent online presences in social media channels for the purposes of advertising and communicating with customers. In these online presences, the customer's data may be processed outside the European Union, which increases the risk of a breach of data protection. The operators of the social media channels, insofar as they are based in the USA, have for the most part submitted to the EU-US Privacy Shield.
These online presences are kept accessible in the technical environment of the respective social media operator. The social media operators then use the customer's visit to the online presence for their own purposes, in particular to display (interest-based) advertising. The social media operators use the visit to place "cookies" on the customer's end device, to read existing cookies/identifiers, to infer the customer's interests from the usage behaviour and thus to enrich the usage profile created for the customer or identifier. The aim is to display interest-based advertising to the customer, which can also be displayed on websites of third parties visited later.
The processing of the customer's personal data is based on the predominant legitimate interests of the responsible party in the advertising measures and customer communication, which is protected by the freedom of acquisition (Art 6 of the Austrian Constitution) and freedom of communication (in particular Art 10 ECHR, which also protects advertising measures) under convention and constitutional law. If the customers are users of the social media channels, the data processing may also be covered by the customer's consent.
The responsible party informs that it does not have any access to the client's data. The responsible party therefore recommends that the customer contacts the respective social media channel directly in the event of asserting his or her rights to information, correction, deletion, restriction, objection and data portability. The users of social media channels can also make changes themselves in the area of their privacy settings. The data responsible party will support the customer in doing so, should this be necessary. The customer can find further information at:
- Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
Privacy policy: https://www.facebook.com/about/privacy/
Opt-Out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com
- Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA)
Privacy policy: https://twitter.com/de/privacy
Opt-Out: https://twitter.com/personalization
- Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA)
Privacy policy/Opt-Out: http://instagram.com/about/legal/privacy/
- Vimeo: Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
https://privacy.google.com/#
Opt-Out: https://tools.google.com/dlpage/gaoptout?hl=de
16) Storage period:
- Non-registered customers: The personal data (esp. IP address) of (non-registered) website visitors are stored for 7 days for the purpose of IT security and then deleted.
- Legal basis contractual relationship: The data are processed by the responsible party on the basis of the above-mentioned legal basis until 40 months after termination of the contract (= 36 months of possible contractual claims for damages + max. 4 months of service of a lawsuit) and then deleted (in any case the personal reference). Insofar as there is a legal obligation to store data, in particular in accordance with § 132 para. 1 BAO (Federal Fiscal Code), personal data processing of accounting-relevant data shall continue until the end of the legal storage obligation (currently in principle 7 years after the end of the business year in which the data occurred).
17) Rights of the data subject:
- Basis: Content
- Art 15 DSGVO "Information": The customer/affected person has the right to request information as to whether and to what extent personal data relating to him/her are being processed.
- Art 16 DSGVO "Correction": The customer/stakeholder has the right to demand the correction of inaccurate personal data or its completion without delay.
- Art 17 DSGVO "Erasure": The customer/stakeholder has the right to request that the personal data be erased without undue delay, provided that the grounds set out in Art 17(1) DSGVO are met.
- Art 18 DSGVO "Restriction": The customer/data subject has the right to request that the processing of the personal data be restricted, provided that the grounds referred to in Art 18(1) DSGVO are met.
- Art 21 DSGVO "Objection": The customer/data subject has the right to object to the processing of his/her personal data on the basis of predominant legitimate interest.
- Article 20 of the DSGVO "Data portability": The customer/data subject has the right to receive the personal data he/she has disclosed in a structured, common and machine-readable format.
18) Right of complaint:
Art 77 DSGVO § 24 DSG: Every customer/affected person has the right to lodge a complaint with the supervisory authority if he/she is of the opinion that the processing of personal data concerning him/her violates this Regulation.
19) Supervisory authority:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Telephone: +43 1 52 152-0
E-mail: dsb@dsb.gv.at
[1] If terms referring to natural persons in this data protection information are only given in the masculine form, they refer to women and men in the same way. When applying the term to certain natural persons, the respective gender-specific form must be used. Customers are understood to include both consumers and entrepreneurs.
[2] Kühling/Buchner DS-GVO2, Art 6 Rz 59.
[3] Direct marketing is the direct approach of the data subject for advertising purposes, such as sending letters or brochures, by telephone calls or electronic messages.
[4] Basic Data Protection Regulation, available at http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32016R0679.