1. Scope of Application
2. What Data Do We Collect from You?
a) Data you give us...
We collect personal data from you when you use the services offered on our website, for example, when you apply for/buy a ticket or purchase a product, create a customer account, share information with us through our contact form, or update your details.
…when applying for or buying tickets, subscriptions or other products
You can register in our online shop in order to purchase tickets or other products. As part of the order process, all the information you provide when registering or that you have saved in your customer account is collected and stored. If you do not create a customer account, we collect the following mandatory information about you as part of the purchase process: your name and surname, form of address, your postal address (street, house number, postcode, town and country), email address, your password and the payment method provided by you, as well as – if applicable – postage and invoicing details submitted by you for the purchase or postage of an item.
At the time your data is collected we will inform you which data you can give voluntarily. This includes any titles as well as your date of birth and telephone number. You will not be at any disadvantage if you prefer not to provide such data, but it may – as part of the purchase or order process – mean that we are unable to provide you with the best possible service, for example, if we are unable to contact you when it is not possible to complete a purchase or order process begun by you.
When you register in our online store, you will be assigned a unique customer number, and data regarding how long you have been a customer of ours will be stored.
If you make a booking as a guest without creating a customer account, we only collect your email address.
…when you subscribe to our newsletter or get in touch with us
On our websites you have the option of getting in touch with us through our contact form. When you do so, we collect and store your email address to allow us to process your query. If you would like to register for our newsletter, we collect and store your email address, which you must provide. If you also submit your name, form of address and title (voluntary information), we will also collect and store that data. You will not be at a disadvantage if you decide not to provide the voluntary information. In that case, however, we may not be able to provide you with information in personal form, only in a general form.
…when you apply to take part in one of our non-professional ensembles
When you apply to sing or play with one of our orchestras, choirs or ensembles, we only process the data you have provided within the framework of the data collection for the purposes of organising and realising the respective project. You can register by booking directly through our online shop, downloading and completing a form, or sending an email to email@example.com. At the time your data is collected we will explain to you what information is required and what information you can give to us voluntarily, and for what purposes we use this data.
…when you contribute an entry to the Elbphilharmonie Guest Book
When making an entry in the Elbphilharmonie Guest Book, you decide yourself whether you want to send us your photo and any comments. For this we need your email address, which is also required if you would like to receive your photo.
…when you take part in a competition
We occasionally hold online competitions on our website. We only use the personal data you send us when taking part to identify and contact the winner.
…when you apply for a job with us
When you apply for any of the jobs we advertise, your personal information and data is used to process your application.
…which we use on the basis of your consent
Protecting your privacy is very important to us. A key aspect in the design of our website was making it possible for it to be used anonymously. When you visit our websites, we collect your IP address, which your browser transmits to us. With the aid of the web-tracking tool Google Analytics, the data stored on your end device can be read in anonymised form. In this way we are able to recognise visitors and count them as such.
Your data will only be collected and analysed using Google Analytics if you have given your consent to this data processing. You give consent by clicking on »Yes, I agree« on the cookie banner that appears the first time you visit our website. If you do not click on the button, your data is not collected or analysed using Google Analytics.
If you register for the newsletter, we will send you an email containing a link that you must click on to provide your consent to us sending you the newsletter at regular intervals.
b) Data we collect automatically
We use different kinds of cookies on our website. Cookies are small text files stored on your computer. These make it possible to, for example, identify when you return to visit a website more than once from the same computer.
Most of the cookies we use are functionality cookies, also known as »session cookies«, which are only stored on your computer for the duration of one internet session. These cookies are essential for the basic functioning of the website or are required to process transactions (for example, to complete a purchase) and are therefore always activated.
For certain functions we use persistent cookies that serve to recognise returning visitors – these are stored on your computer for future sessions. These cookies allow us to improve the functions of our webpages by tracking user behaviour. In some cases, these cookies can improve the speed at which we process your queries, and help to remember the page settings you have chosen. If you object to the use of these cookies, it may make it impossible to provide our services to you to the usual level of quality because, for example, recommendations are poorly tailored to you or the webpage as a whole is slow in responding.
Ticket delivery by text message (SMS)
If you would like to receive your tickets by text message, the relevant messenger service collects your data.
3. How We Use Your Data...
…to process your order and for the performance of the contract. The legal basis for this is Art. 6 Par. 1 Point b GDPR.
– We use the data you provide when you place an order in our online store to process your purchase, to update you about the status of your purchase and to deliver the products (and concert tickets in particular) that you have purchased. Furthermore, we can use the information you provide about your date of birth to establish whether you are eligible for a concession. Your personal data will necessarily be processed to allow us to perform the contract that you conclude with us.
– The data you provide in our online store is also used for the provision of the payment handling service, that is, the provision of certain payment methods.
– We also use the data collected during the purchase process to resolve any problems that may arise during the purchase process. We will always contact you personally, that is, our own staff, not via a call centre.
– We process the information that you send to us when you contact us to answer your query or to process the information that you give us.
– We use the data to enforce our General Terms and Conditions and our House Regulations.
…to pursue our legitimate interests, except where your rights and freedoms override them. The legal basis for this is Art. 6 Par. 1 Point f GDPR.
– We use your personal data to assess your credit rating and to prevent fraud. For this purpose, we can pass on your personal data to our credit ratings agency (see »To whom do we pass your personal data«). This is necessary as part of our legitimate interests in order to ensure that we do not fall victim to fraud and in order to protect our rights as laid down in the General Terms and Conditions.
– We also use your data to monitor the ban on buying and selling outside our sales channels, specifically to monitor the ban on ticket sales at inflated prices and/or that breach our General Terms and Conditions. This data use is in our legitimate interests because we want to make sure that our contractual provisions are adhered to and that the black-market trade in tickets is stopped or limited as far as possible.
– We also use the collected data to improve our services, for example, to identify and solve problems that arise as part of the purchase process.
– We can use the collected data to contact you to let you know about special events or ticket offers, and to provide you with information about discounts and competitions. We also use your data to carry out marketing measures.
– If you take part in one of our non-professional ensembles we need the data collected about you to prepare for and carry out the respective music participation project, for example, in that we put together the groups for the audition date, select the musical repertoire, organise rehearsal dates or arrange to have loan instruments available.
…that we have received on the basis of your consent. The legal basis for this is Art. 6 Par. 1 Point a GDPR.
– In order to design our website in a way that ensures it fulfils its purpose, we – on the basis of your consent – create pseudonymous user profiles with the aid of Google Analytics in order to allow us to identify returning visitors. This means we can learn how often our websites are visited by various users.
– With your consent we use your personal data to send you promotional emails.
– With your consent we use your photo and your entry in our Photo Booth at the Elbphilharmonie to display this data in our online guest book or to send you this data by email.
– When you have provided your consent to have your photo taken when participating in a workshop or concert or attending an event in one of our concert halls, we will use this photo, for example, in our publications, on the info screens in the Elbphilharmonie concert area or on our website within the framework of the consent you gave.
– With your consent we retain the data that you have given us as part of your application until a later date.
– If you take part in one of our competitions and win, we – with your explicit agreement – will also publish your name on our website.
4. To Whom Do We Pass Your Data?
…between the associated companies of the entire operation
The Elbphilharmonie and Laeiszhalle are run by the two companies HamburgMusik gGmbH and Elbphilharmonie und Laeiszhalle Betriebsgesellschaft mbH, both of which operate under the same management. The data processing is therefore carried out within this group of companies in order to provide joint content and services that are performed by the companies proportionately in accordance with the purpose of their respective articles of association for the joint operation of the concert halls.
…to the Elbphilharmonie Stiftung and the Freundeskreis Elbphilharmonie + Laeiszhalle e.V.
The Elbphilharmonie Stiftung and the Freundeskreis Elbphilharmonie + Laeiszhalle e.V. are long-term partners of the Elbphilharmonie. The purpose of the societies necessitates a close collaboration and coordination of projects and funders. In this context, data for the planning and execution of joint events, as well as for providing support to patrons and donors, is passed on to these societies.
…to service providers as part of the purchase process in order to deliver the tickets and process payments
We pass on your data to external service providers who support us with our business operation, in particular as part of payment processing.
When the customer selects the payment methods »invoice« or »direct debit«, they consent to us carrying out a credit check on them. The credit check is conducted by Wirecard Bank AG (Einsteinring 35, 85609 Aschheim, Germany) and they, in turn, work with RatePay GmbH (Schlüterstraße 39, 10629 Hamburg, Germany). The credit check includes a risk check that determines the probability of proper payment.
In order to process the above-named payment methods, the above-named service providers use all the data available and the results generated from the analysis in order to determine which payment methods can be offered to the customer. As part of this process, the data is also transmitted to the following credit rating service providers:
SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany
Creditreform Boniversum GmbH, Hellersbergstr. 11, 41460 Neuss, Germany
Infoscore Consumer Data GmbH, Rheinstr. 99, 76532 Baden-Baden, Germany
Bürgel Wirtschaftsinformationen GmbH & Co. KG, Postfach 500166, 22701 Hamburg, Germany
Deltavista GmbH, Dessauerstr. 9, 80992 München, Germany
This data is transmitted on the basis of Art. 6 Par. 1 Point f GDPR for the purpose of gaining credit information based on mathematical and statistical methods, into the calculation of which address data is also fed.
Furthermore, the credit check service providers also use the risk assessments described for the operators of other online shops if you have placed a specific order there using a Wirecard payment method.
You can inquire about the data concerning you that is stored by the credit checking service providers at any time via the addresses listed above.
You can see Wirecard Bank AG’s additional data protection provisions, which apply to the »invoice« and »direct debit« payment methods, here:
…within the framework of the ticket sale process for administration and handling, as well as for printing and shipping tickets and other print products
As part of the ticket sale process, we pass on data to external service providers who provide and host the sales system for concert tickets/Plaza tickets, and to service providers who support us with the printing and shipping of tickets and other print products.
…to service providers for box office services and Plaza operations
We transfer data to external service providers who support us with tasks relating to the provision of the concert schedule. This includes front of house services, catering services and the performance of box office services. In this context we provide access to our ticket sales systems and access to any customer data relevant to the performance of these services.
…to financial institutions and service providers
Your data is also transmitted to financial services providers and institutions that we work with and that support us with the processing of payment transactions.
…within the context of designing, operating and maintaining our website and online shop
We work with various service providers that help us with the operation of our website and associated processes, and that also have access to personal data as a result. These include hosting service providers, web analytics providers and agencies.
…to design our website in a way that ensures it fulfils its purpose
The information produced by the cookie about your use of this website is as a rule transmitted to a Google server in the USA and stored there. However, because we have activated IP anonymisation on this website, your IP address is truncated by Google beforehand within a member state of the European Union or in another country that is a party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. Google will use this information to analyse your use of the website on our behalf, to compile reports about website activity and to provide other services to us associated with the use of the website and the use of the internet.
Your data is transmitted to Google and stored in the USA. An appropriate level of data protection is provided for pursuant to Art. 45 Par. 1 GDPR as a result of Google’s participation in Privacy Shield. We have also concluded a contract with Google Inc. (USA) for contract data processing pursuant to Art. 28 GDPR. Google is consequently only permitted to use all information for strictly specified purposes, to analyse the use of our website on our behalf, and to compile reports about website activity.
You can retract your consent to this, which you provided through our cookie banner, at any time: deactivate Google Analytics (see also »Your Options with Regard to the Collected Data«).
…to law enforcement authorities or within the context of legal proceedings
Where we are legally obliged (for example, on the basis of a request for information) to hand over data to law enforcement authorities or to the competent authority as part of legal proceedings, we will transmit your data to the authority making that request.
Data transmission to third countries
In the case of Google Analytics (USA), we transmit personal data to a third country outside the European Union. Through participation in the Privacy Shield agreement (Art. 45 Par. 1 GDPR) we have ensured an appropriate level of data protection.
We will not sell your personal data to third parties or exploit it commercially in any other way.
Our service providers are strictly bound by instructions and are correspondingly liable under contract within the framework of a contract data processing agreement pursuant to Art. 28 GDPR.
5. The Use of Your Data by Third Parties
Embedded Vimeo videos
On our websites and apps we have embedded the video playing services of Vimeo, Inc., 555 West 18th Street, New York 10011 (www.vimeo.com). The videos are embedded on our webpages as iFrame. When you visit these pages, a connection will be established between your browser (end device) and Vimeo’s servers. That could potentially result in your data, for example, your IP address and the end device used by you to visit the page, as well as your activity, being processed. Loading the video and further interaction with the video player service could result in additional information about you being processed by Vimeo in order to, for example, analyse the videos you watch or your interests. Finally, Vimeo uses web-tracking methods on its own pages and within the video player service. These are active no matter whether you are registered or logged in with Vimeo. Unfortunately, we have no influence over the web-tracking methods used by Vimeo or the linked services. Please be aware that we cannot rule out the possibility that Vimeo will use your profile data to analyse your approximate location, interests, the videos you watch, etc.
Embedded YouTube videos
We embed YouTube videos on some subpages on our website. Viewing these subpages can result in you loading YouTube content. When you do so, YouTube also receives your IP address, which is a technical necessity in order to view the content. We have no influence over how YouTube processes this data further. However, when embedding the videos, we do ensure that the enhanced data protection mode offered by YouTube is activated.
Embedded SoundCloud/Spotify content
On our websites we embed audio files via the online music services SoundCloud (SoundCloud Limited, Rheinsberger Str. 76/77, 10115 Berlin, Germany, www.soundcloud.com) and Spotify (Spotify AB Regeringsgatan 19, SE-111 53 Stockholm, Sweden, www.spotify.com). When you view these pages, a connection is established between your browser (end device) and the SoundCloud/Spotify servers. It is possible that your data, for example, your IP address and the end device you use to visit the page, as well as your activity, is also processed. By loading the audio file and initiating any other interaction with the player service, it is possible that SoundCloud/Spotify can then process further information about you, for example in order to analyse the music you listen to or your interests. Finally, SoundCloud/Spotify use web-tracking methods on their own webpages and within the audio player service. These are active regardless of whether you are registered or are logged in with SoundCloud or Spotify. Unfortunately, we have no influence or control over the web-tracking methods used by SoundCloud/Spotify or the linked services. Please be aware that we cannot rule out the possibility that SoundCloud/Spotify will use your profile data to analyse your approximate location, interests, the audio files you listen to, etc.
Forwarding to other websites and social networks
On the basis of Art. 6 Par. 1 Point f GDPR, we officially have a presence on the following social networks:
These services allow us to stay in touch with our visitors in a variety of ways, and these networks also make it possible for us to promote our events and services, and to get people interested and excited in our concert halls.
6. Your Options with Regard to the Collected Data
You can retract your consent to the use of Google Analytics, which you gave via our cookie banner, at any time: deactivate deactivate Google Analytics
Please note that if you use this solution, web analysis will only be blocked for as long as the opt-out cookie is stored in your browser.
Once logged into your customer account, you can make changes to your data and deactivate your account at any time.
We will only send you our free newsletter if you order it using the form provided. If you no longer wish to receive the newsletter, you can unsubscribe at any time by clicking on the unsubscribe link at the end of each newsletter.
7. Your Rights as a User
1. Right of access by the data subject (Art. 15 GDPR)
You have the right to receive confirmation as to whether or not personal data concerning you is being processed. If that is the case you have the right to access this personal data and the right to access the information listed in Art. 15 GDPR.
2. Right to rectification and erasure (Art. 16 and 17 GDPR)
You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay and, if applicable, the right to have incomplete personal data completed.
You also have the right to obtain the erasure of personal data concerning you without undue delay where one of the grounds listed in Art. 17 GDPR applies, for example, if the data is no longer necessary for the purposes for which it was collected.
3. Right to restrict processing (Art. 18 GDPR)
You have the right to obtain a restriction of processing where one of the conditions listed in Art. 18 GDPR applies, for example, if you have objected to processing pending a verification.
4. Right to data portability (Art. 20 GDPR)
In certain cases, which are listed in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format or to have that data transmitted to another data controller.
5. Right to object (Art. 21 GDPR)
Where data is collected on the basis of Art. 6 Par. 1 Point f (Data processing for the purposes of a legitimate interest), you have the right to object, on grounds relating to your particular situation, at any time to processing of data concerning you. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or if the processing is for the establishment, exercise or defence of legal claims.
6. Right to lodge a complaint with a supervisory authority
In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data concerning you infringes data protection regulations. The right to lodge a complaint can be exercised in particular with a supervisory authority in the Member State of your habitual residence, of your place of work, or of the place of the alleged infringement.
In Hamburg, the responsible supervisory authority is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI), Kurt-Schumacher-Allee 4, 20097 Hamburg, Germany.
8. How Long Do We Store Your Personal Data?
How long we keep your personal data depends, firstly, on the relevant legal regulations that require us to adhere to a certain retention period. Such regulation includes laws governing data retention and laws relating to commercial and tax issues, for example, the tax code and the commercial code.
Secondly, the retention period for personal data depends on how long we need the data in order to perform the services we offer.
If you ask us to erase your data, we will comply with the request within a reasonable period of time, after checking any obligations that may prevent us from erasing the data.
Besides that, we store your personal data in accordance with your given consent.
9. Data Controllers for Your Data
When you buy a concert ticket from us, you – as a concertgoer – conclude an event contract with the promoter of that respective concert. You will find the respective promoter for each concert named in our concert calendar.
The company that serves as your contractual partner is the data controller with regard to the data collected in connection with the contractual relationship, and they are responsible for collecting, using, passing on, storing and protecting your personal data.
Insofar, Elbphilharmonie und Laeiszhalle Betriebsgesellschaft mbH is commissioned to process data as a contract processor on behalf of the promoter. You can therefore send any concerns you may have to firstname.lastname@example.org. We will forward your concerns to the relevant data controller for a decision.
You will find contact data for the data protection officer of HamburgMusik gGmbH and of Elbphilharmonie und Laeiszhalle Betriebsgesellschaft mbH in section 11: »Data protection officer«.
10. Questions, Comments and Information
Should you discover that the data we store concerning you is incorrect, you can – and should – correct the data yourself in our online shop. To do so, simply log in using your email address and your password. You can also contact us in such a case. If you have any other questions or comments regarding data protection with us, please feel free to contact us on email@example.com.
Hamburg, May 2018