Data Protection

1 Responsible party

This data protection declaration applies to data processing by us as the responsible party (controller) within the meaning of Art. 4 (7) of the General Data Protection Regulation (DSGVO):

Ben Böhmer-Bärtels

c/o The Principals GmbH

Augsburger Strasse 33

10789 Berlin – Germany
E-mail address: info@theprincipals.de

2 Definitions

Insofar as this data protection declaration does not contain or imply any deviating definition, the terms used are to be understood as defined in Art. 4 DSGVO. According to Art. 4 No. 1 DSGVO, personal data is any information relating to an identified or identifiable natural person. This includes, for example, first and last name, date of birth, and private and business contact data.

3 Use of processors

In order to be able to offer you our app, we rely on the services of Fanbaze GmbH, Köpenicker Str. 7, 10997 Berlin, a processor selected by us.

Fanbaze GmbH itself uses servers of 1&1 IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany, where the data is ultimately processed. Should data be processed elsewhere in exceptional cases, we will point this out separately.

Fanbaze GmbH was carefully selected and checked by us in advance as a processor. We have concluded a data processing agreement with Fanbaze GmbH in accordance with Art. 28 DSGVO and regularly satisfy ourselves that Fanbaze GmbH and its sub-processors are reliable and comply with all data protection requirements, so that your data remains protected.

4 Legal basis for processing

The legal basis for the temporary storage of data is Art. 6 para. 1 lit. f DSGVO. Our legitimate interest follows from the purposes of the data processing described in this declaration.

5 Purpose of data processing

The collection and storage of the processed data is carried out for the use of the respective function of our app; the data are furthermore processed by us for the following purposes:

- Ensuring smooth and comfortable use of our app
- Evaluating system security and stability
- Further administrative purposes
- Statistical analysis of user-related data

6 Processing of your personal data

Below we provide you with an overview of the data processing procedures that may affect your personal data in the course of your use of our app:

a. When downloading and purchasing the app

When you download and purchase the app, the necessary information is transferred to the Google Play Store (if you use our app on an Android device) or the Apple App Store (if you use our app on an iOS device). In particular, user name, email address, time of download, payment information and the individual device identification number are required, as well as other data if necessary. We have no influence on this data collection and processing and are not responsible for it. We only process the data insofar as it is necessary for downloading the app to your end device.

Please also see the data protection declarations of Google (https://www.google.de/intl/de/policies/privacy/) and Apple (https://www.apple.com/de/privacy/privact-policy/).

b. Registration

If you register as a user of our app, we collect and store your email address, your first and last name, the user name you entered, city and country, the time (date/time) of your registration, and the password you selected in encrypted form together with the date it was created. We also assign you an ID number, which is used exclusively to identify you within the app. Your last login date is also stored by us. Finally, we store whether you want to remain logged in to the app or whether you want to log in again each time you start the app.

c. Setting up a profile

After registering, our app offers you the possibility to set up your user profile. Here you can upload and save a profile picture and enter your gender and the city and country in which you live. We save the data you provide.

d. When you start the app

Every time you start the app, your end device establishes a connection to a server of 1&1 IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany.

This creates connection data that is stored in so-called log files. The data contain:

- Device ID of your end device
- Version of your operating system
- IP address
- Date and time of the request
- Language settings

This data is necessary for us to provide you with our app and to be able to assign your end device, as well as to improve the app and our services. The legal basis for this processing is Art. 6 para. 1 p. 1 lit. f DSGVO. The data is deleted after seven days.

e. Use of push messages

You can subscribe to so-called push notifications in the mobile apps. This function is provided by the provider of the operating system running on your device and is used by the app. If you use this service, it is necessary for the provider of your operating system (Apple or Google) to collect data from you in order to provide you with the service. The legal basis for the data processing is the consent that you give directly on your device.

f. Transmission of content

We collect the content that you submit in the app. This includes your comments, including text, links, images, GIFs and videos.

g. Interactions with content and other app users

We collect information about the actions you take when using the app. This includes your interactions with content and with other users, such as liking, replying in comments, subscribing and reporting. We also collect your interactions in the comment sections.

h. When forwarding to ticket shops

By clicking on the individual events, you will be redirected via your web browser from the app to various ticket providers. If you use the offers of these providers, the terms and conditions and the data protection information of the respective provider apply, which can be accessed on the respective website.

9 Visible data and information

When you comment in the comment section on the content detail page or event detail page, all app users will be able to see your comment, your user name, your profile picture and the date and time at which you originally submitted the comment.

10 Usage analysis

To enable us to further improve the app, anonymous statistics are automatically compiled on how you use the app, such as how often, on which days and on which devices. The data on how you use our app is necessary for us to ensure and further improve the stability and security of the app. The data collected in this way is not merged with your other profile information but is used in anonymous statistics that help us to get to know our users better and to adapt the app to their needs. This processing is necessary to ensure and further improve the stability and security of the app and is carried out on the basis of Art. 6 para. 1 p. 1 lit. f DSGVO.

11 Transfer to third countries

We only process your personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) if this is necessary for the fulfilment of our (pre-)contractual obligations (Art. 6 para. 1 p. 1 lit. b DSGVO), on the basis of your consent (Art. 6 para. 1 p. 1 lit. a DSGVO), on the basis of a legal obligation (Art. 6 para. 1 p. 1 lit. c DSGVO) or on the basis of our legitimate interests (Art. 6 para. 1 p. 1 lit. f DSGVO). The same applies if third parties process your data on our behalf in a third country. Furthermore, data will only be transferred to a third country if this is permitted in accordance with Art. 44 et seq. DSGVO.

12 Your other rights
Under the GDPR, you have the following rights:
- The right to information (access) in accordance with Art. 15 DSGVO
- The right to rectification in accordance with Art. 16 DSGVO
- The right to erasure in accordance with Art. 17 DSGVO
- The right to restriction of processing in accordance with Art. 18 DSGVO
- The right to object in accordance with Art. 21 DSGVO
You also have the right to lodge a complaint with a data protection supervisory authority about the data processing carried out by us.

13 Security measures
We take organisational, contractual and technical security measures in accordance with the state of the art to ensure that the provisions of the data protection laws are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. These measures are set out in Appendix 1 (TOM).

14 Changes to this privacy policy
We reserve the right to change our privacy policy if this becomes necessary due to new technologies or changes in our data processing procedures, or in order to adapt it to changes in the legal situation applicable to us. However, this only applies to this privacy policy. If we process your personal data on the basis of your consent, or if parts of this data protection declaration contain provisions of the contractual relationship with you, any changes will only be made with your consent. You can access the current version of our data protection declaration in our app at any time.


Appendix 1: Technical Organisational Measures (TOM)

Preamble
The controller has implemented appropriate measures for confidentiality, integrity, availability and resilience, as well as procedures for the regular review, assessment and evaluation of these measures.

The general part describes technical and organisational measures that apply independently of the respective services, locations and customers. The annexes describe measures that apply in addition to those documented in the general part.

1 Confidentiality
Confidentiality is the property that personal data is not made available or disclosed to unauthorised persons, entities or processes.

Physical access control (premises)
- Reception and security services
- Individual, documented and role-dependent access authorisations (cards, transponders and keys)
- Staff and visitor badges
- Visitors are only allowed in the building when accompanied by a member of staff
- Alarm and burglar alarm system
- Office rooms are locked outside working hours

System access control (logins)
- Formal user and authorisation procedures
- Login only with user name, password and, where required, two-factor authentication
- System-enforced password policies
- VPN for remote access, only from devices managed by the controller
- Mobile device management
- Mobile data carriers are encrypted
- Automatic locking of desktops after a few minutes of inactivity
- Clean desk policy

Data access control (authorisations)
- Keeping asset registers and deriving measures based on data classification
- Use of cryptographic procedures (e.g. encryption)
- Implementation of authorisation concepts according to the need-to-know principle
- Separation of application and administration accesses
- Logging of access attempts
- Establishment of dedicated administrator workstations
- Minimum number of administrators
- Use of document shredders

Pseudonymisation
- Where possible or necessary, personal data is processed pseudonymously (the data needed to re-identify a person is separated and stored in a separate system)

Separation control
- Separation of development, test and production environments
- Personal data must not be used for testing purposes
- Multi-client capability / logical separation of data for the relevant applications: separate databases, schema separation within databases, authorisation concepts and/or structured file storage


2 Integrity
The integrity of personal data is ensured if it is correct, unchanged and complete.

Transfer control
- Provision of data via encrypted connections (e.g. SFTP)
- Disclosure of personal data according to the need-to-know / need-to-do principle
- Personal data is classified according to its need for protection; confidential data may only be transferred via secure communication channels
- E-mail encryption is used where possible
- Where possible, personal data is only transmitted in pseudonymised or anonymised form
- Documentation of the transfer of physical storage media
- Transfer of paper documents containing personal data in a sealed, opaque envelope

Input control
- Technical logging of the input, modification and deletion of personal data, and review of the logs
- Traceability of the input, modification and deletion of data through individual user names (not group accounts)
- Role-based authorisation concept (read, write and delete rights)
- Logging of administrative changes

3 Availability and resilience
The availability of personal data is ensured if it can always be used by users as intended.

- Use of hardware and software firewalls
- Intrusion detection systems
- External lightning protection of the building
- Uninterruptible power supply (UPS)
- Emergency manuals for data recovery and for protection against accidental destruction and loss
- Carrying out recovery tests
- Use of redundant systems where necessary (e.g. RAID)
- Regular testing of data backups
- External audits and security tests

4 Procedures for regular review, assessment and evaluation
How is it ensured that the above data protection measures are regularly reviewed?

Data protection management
- Data protection officers and an information security officer are appointed
- Establishment of a data protection and information security organisation
- All employees are obligated to maintain confidentiality when handling personal data and are made aware of the secrecy of telecommunications
- Employees are sensitised to the handling of personal data
- New employees receive information material on the handling of personal data
- A register of processing activities is maintained and data protection impact assessments are carried out as required
- Processes for exercising data subjects' rights are established

Processor control (order control)
- Data processed on behalf of a client are only processed according to the client's instructions
- Contractors are carefully selected with regard to the technical and organisational measures they have taken to protect personal data
- Instructions on the handling of personal data are documented in text form
- Where necessary, data processing agreements or suitable guarantees for the transfer of data to third countries are concluded

Data protection-friendly default settings
- Processes are in place to ensure that systems and products are developed in a data protection-friendly manner
- Only those personal data are collected that are necessary for the respective purpose

Incident response management
- Documented process for recognising, reporting and documenting data protection violations, with the involvement of the data protection officer
- Documented process for handling security incidents, with the involvement of the information security officer

Annex 1.2:

Special technical and organisational measures for data centres
- All data centres are certified according to the ISO 27001 standard
- Electronic access control systems monitor access to the respective data centre and ensure that only authorised persons can enter
- Security gate
- Video cameras and intrusion and contact detectors monitor the outside of the building
- Defined security zones
- Highly redundant network infrastructure
- Fire and/or smoke detectors have a direct connection to the local fire brigade
- Cooling system in the data centre / server room
- Monitoring of temperature and humidity in the server room
- No sanitary connections in or above data centres
- Alarm signal in case of unauthorised access to data centres