This data protection declaration is designed to inform you about the type, scope and purpose of personal data (hereinafter referred to as "pers. data") within our online services and the associated websites, functions and content as well as external online presences, such as our social media profiles (hereinafter jointly referred to as "online services"). With regard to the terms used, such as "processing" or "data controller", we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
This data protection statement is applicable for the online platforms operated by Medien.Bayern GmbH, August-Everding-Straße 25, 81671 Munich, Germany (“we”, “us” or “Medien.Bayern”), available at www.medientage.de , www.lokalrundfunktage.de , www.mobilemediaday.de , www.transformingmedia.de, www.mediennetzwerk-bayern.de, www.xplr-media.de and www.medialab-bayern.de (“website”) and the corresponding app, also operated by Medien.Bayern GmbH (“app”).
Medien.Bayern GmbHAugust-Everding-Straße 2581671 MunichGermany
Managing directors: Stefan Sutor, Lina Timm
Link to legal information: Imprint
Data protection officer’s email contact: firstname.lastname@example.org
Types of pers. data that you may provide us with:
When you visit our website, the following kinds of pers. data are recorded:
Purpose of processing
Definitions of terms used
"Personal data" is information relating to an identified or identifiable natural person (hereinafter "data subject"); a natural person is considered identifiable if he or she can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more special characteristics (Art. 4 para. 1 GDPR).
“Processing” means any operation or set of operations performed on pers. data whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Controller” is the natural or legal person, public authority, institution or other body which, alone or jointly with others, determines the purposes and means of the processing of pers. data (Art. 4 para. 7, first half of sentence, GDPR).
Applicable legal bases
In accordance with Art. 13 GDPR we inform you about the legal basis of our data processing. If the legal basis is not mentioned in the data protection declaration, the following applies:
We ask that you stay well informed concerning the contents of our data protection declaration. We will adapt the data protection declaration as soon as any changes in our data processing operations make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.
Cooperation with data processors and third parties
Insofar as we make pers. data available to other persons and companies (data processors or third parties), transfer it to them or otherwise give them access to pers. data, this only takes place on the basis of legal permission (e.g. if a transmission of pers. data to third parties, such as payment service providers, is necessary in accordance with Art. 6 Para. 1 lit. b GDPR for the fulfilment of the contract), if you have consented, if a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).
Insofar as we commission third parties with the processing of pers. data on the basis of an "order processing contract", this is done on the basis of Art. 28 GDPR.
Transfer to third countries
Insofar as we process pers. data in a third country (i.e. outside the European Union EU or the EEA) or if this happens in the context of our use of services provided by third parties or our disclosure or transfer of pers. data to third parties, this only occurs if our (pre)contractual obligations are met, on the basis of your consent, a legal obligation or on the basis of our legitimate interests.
Subject to legal or contractual permissions, we process the pers. data or have it processed in a third country only if the special requirements of Art. 44 et seq. GDPR are met. This means, for example, that the processing takes place on the basis of special guarantees, such as the officially recognised determination of a data protection level corresponding to that given in the EU (e.g. for the USA through the "Privacy Shield") or compliance with officially recognised special contractual obligations ("standard contractual clauses").
Rights of data subjects
You have the right to request confirmation as to whether pers. data concerning you will be processed and to obtain information about this pers. data as well as further information and a copy of the pers. data according to Art. 15 GDPR.
Pursuant to Art. 16 GDPR, you have the right to request the completion of the pers. data or the rectification of any inaccurate pers. data that concerns you.
Pursuant to Art. 17 GDPR, you have the right to demand that the pers. data concerning you is erased immediately, or alternatively, in accordance with Art. 18 GDPR, the right to demand a restriction of processing of pers. data.
In accordance with Art. 20 GDPR, you have the right to receive the pers. data concerning you that you have provided to us and the right to demand that it be transferred to another data controller.
Pursuant to Art. 77 GDPR, you also have the right to lodge a complaint with the responsible supervisory authority. Complaints are to be addressed to the media data officer at the Bayerische Landeszentrale für neue Medien [Bavarian regulatory authority for new media] (Art. 20 para. 3 BayMG [Bavarian law on media]). Until such person is officially appointed, Mr Andreas Gummer shall assume this role (email@example.com).
Right of withdrawal
Pursuant to Art. 7 para 3 GDPR you have the right to withdraw any consent given with effect for the future.
Right to object
In accordance with Art. 21 GDPR, you may object to the future processing of pers. data concerning you at any time. The objection can be made in particular against the processing of data for purposes of direct marketing.
Cookies and right to object in the case of direct marketing
“Cookies” are small files that are stored on the user's computer. Various information can be stored within the cookies. A cookie is primarily used to store information about a user (or about the device on which the cookie is stored) during or after the user's visit to online services.
Temporary cookies, also called "session cookies" or "transient cookies", are cookies that are deleted after a user leaves online services and closes the browser. These cookies can store the contents of a shopping cart in an online shop, for example.
"Permanent" or "persistent" cookies are cookies that remain stored even after the browser is closed. The interests of the user can be stored in these cookies, which can be used for measurement of coverage or marketing purposes.
“Third party cookies” are cookies offered by providers other than the data controller who operates the online services (in cases where only cookies from the data controller are used, these are referred to as "first party cookies").
If users do not wish cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. However, deleting cookies may lead to functional restrictions in these online services.
Erasure of personal data
In accordance with Art. 17 and 18 GDPR, the pers. data processed by us will be deleted or its processing restricted. Unless expressly stated in the context of this data protection declaration, the pers. data stored by us will be deleted as soon as it is no longer required for its intended purpose and there are no legal obligations to retain it. Insofar as pers. data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means that the pers. data will be blocked and not processed for other purposes. This applies, for example, to pers. data that must be stored for commercial or tax reasons.
According to legal requirements in Germany, data is stored for 10 years according to section 147 para. 1 AO [The Fiscal Code of Germany], 257 para. 1 para. 1 und 4, para. 4 HGB [German Commercial Code] (books, records, situation reports, records, trade books, documents that are of relevance for taxation, etc.) and for 6 years according to section 257 para. 1 para. 2 and 3, para. 4 HGB (trade letters).
Additionally, we process- Contract data (e.g. subject matter of contract, customer category)- Payment data (e.g. bank details, payment history)
relating to our customers, interested parties and business partners for the purpose of providing contractual services, other services and customer care.
The hosting services that we use allow us to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services which we use for the purpose of operating these online services.
Collection of access data and log files
On the basis of our legitimate interests in the sense described in Art. 6 para. 1 lit. f. GDPR, we and/or our hosting providers collect data about each instance of access to the server on which this service is located (server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.
Log file information is stored for security reasons (e.g. for the clarification concerning abuse or fraud actions) for the maximum duration of 7 days and deleted afterwards. In the case of data whose further storage is required for purposes of proof, this data is excluded from erasure until the respective incident has been conclusively clarified.
Administration, financial accounting, office organisation, contact management
We process pers. data in the context of administrative tasks as well as organisation of our business, financial accounting and compliance with legal obligations, such as archiving. Here we process the same pers. data that we process within the context of the provision of our contractual services. Processing is based on Art. 6 para. 1 lit. c. GDPR, Art. 6 para. 1 lit. f. GDPR. Customers, interested parties, business partners and visitors to the website are affected by processing. The purpose and our interest in the processing lies in the administration, financial accounting, office organisation, archiving of data, i.e. tasks which serve the maintenance of our business activities, performance of our duties and provision of our services. The erasure of pers. data relating to contractual services and contractual communication corresponds to the information specified in these processing activities.
In this role, we make known or transfer pers. data to financial accounting services or consultants, e.g. tax consultants and auditors, and payment service providers.
We also store information about suppliers, event organisers and other business partners on the basis of our business interests, e.g. for the purpose of establishing contact at a later date. This data, which is mainly company-related, is stored permanently.
Economic analyses and market research
In order to operate our business economically and to be able to recognise market trends and customer and user wishes, we analyse the data available to us pertaining to business transactions, contracts, enquiries, etc. We process inventory data, communication data, contract data, payment data, usage data and metadata on the basis of Art. 6 para. 1 lit. f. GDPR, whereby the data subjects include customers, interested parties, business partners, visitors and users of the online services.
The analyses are carried out for the purpose of economic evaluations, marketing and market research. We can take into account the profiles of registered users with information about their purchase transactions, for example. The analyses created are exclusively used internally and are not passed on to third parties apart from in the form of analyses with anonymised, summarised values.
The macroeconomic analyses and general trend definitions are generated anonymously wherever possible.
When contacting us (e.g. via contact form, email, telephone or via social media), the user's details will be processed for the purpose of handling and settling the contact enquiry in accordance with Art. 6 para. 1 lit. b GDPR. User data can be stored in a customer relationship management system ("CRM system") or a comparable enquiry organisation.
We delete the enquiries if they are no longer necessary. We check the necessity of enquiries every two years; furthermore, statutory archiving obligations apply.
With the following information we inform you about the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedures and your right to object. By subscribing to our newsletter, you declare your agreement with the receipt and the procedures described.
Content of the newsletter: We send out newsletters, emails and other electronic notifications containing advertising information (hereinafter "newsletter") only with the consent of the recipient or on the basis of a legal provision. If the contents of the newsletter are specifically described within the scope of subscription, they are decisive for the consent of the user. In addition, our newsletters contain information about our services and us.
Double opt-in and logging: subscription to our newsletter takes place in a double opt-in procedure. This means that you will receive an email after your registration in which you will be asked to confirm your registration. This confirmation is necessary so that nobody can register with an email address not belonging to him/her. The registrations for the newsletter are logged in order to be able to prove that the registration process is carried out according to the legal requirements. This includes the storage of the registration and confirmation time, as well as the IP address. Likewise, any changes made to your pers. data stored with the sending service provider are logged.
Subscription data: to subscribe to the newsletter, it is sufficient to enter your email address. Optionally, you may enter a name for the purpose of addressing you personally in the newsletter.
The dispatch of the newsletter and the success measurement associated with it is based on the consent of the recipients pursuant to Art. 6 para. 1 lit. a Art. 7 GDPR in conjunction with section 7 para. 2 para. 3 UWG [German Act Against Unfair Competition] or on legal permission pursuant to section 7 para. 3 UWG.
The registration procedure is recorded on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. Our interest is directed towards the use of a user-friendly and secure newsletter system that serves our business interests as well as the expectations of the users and also allows us to provide evidence of consent.
Cancellation/withdrawal - You can cancel the receipt of our newsletter at any time, i.e. withdraw your consent. You will find a link to cancel the newsletter at the end of each newsletter. We may store the email addresses of customers who have cancelled their subscription for up to three years on the basis of our legitimate interests before deleting them, in order to be able to provide evidence of a previously given consent. The processing of this pers. data is limited to the purpose of a possible defence against claims. An individual request for erasure is possible at any time, provided that the former existence of consent is confirmed at the same time.
Newsletter - measurement of success
The newsletters contain a so-called "web-beacon", i.e. a file the size of a pixel, which is retrieved from our server when the newsletter is opened or, if we use a dispatch service provider, from its server. Within the scope of this retrieval, technical information such as information about the browser and your system, as well as your IP address and time of retrieval are collected first.
This information is used for the technical improvement of the services on the basis of technical data or target groups and their reading behaviour on the basis of their retrieval points (which can be determined with the help of the IP address) or access times. Statistical surveys also include determining whether newsletters have been opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. It is, however, neither our endeavour nor, if used, that of the dispatch service provider to observe individual users. Instead, the evaluations serve to help us recognise the reading habits of our users and to adapt our contents to suit them or to send different contents according to the interests of our users.
Google is certified under the Privacy Shield agreement and thus offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to evaluate the use of our online services by users, to compile reports on the activities within these online services and to provide us with other results associated with the use of these online services and of the internet. Pseudonymised user profiles can be created from the processed data.
We use Google Analytics only with activated IP anonymisation. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.
The IP address transmitted by the user's browser is not merged with other Google data. Users may refuse the storage of cookies by selecting the appropriate settings on their browser, they may also refuse the collection of data by cookies relating to their use of the online services and its being transferred to Google as well as the processing of this data by Google by downloading and installing the browser plug-in available from the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
Further information on the use of data by Google, settings and objection options can be found in Google's data protection declaration (https://policies.google.com/technologies/ads) and in the settings for the display of advertising by Google (https://adssettings.google.com/authenticated).
The personal data of the users will be deleted or anonymised after 14 months.
Google marketing/remarketing services
On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online services in the sense described in Art. 6 para. 1 lit. f. GDPR), we make use of the marketing and remarketing services ("Google Marketing Services") provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, ("Google").
Google's marketing services allow us to display advertisements for our website in a more targeted manner to show users only those ads that potentially match their interests. For example, if a user sees ads for products that he or she has shown interest in on other websites, this is referred to as "remarketing“. For these purposes, when you visit our and other websites on which Google marketing services are active, Google directly activates a code and (re)marketing tags (invisible graphics or code, also known as "web beacons") are incorporated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user's device (comparable technologies can also be used instead of cookies). Cookies can be set by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com and googleadservices.com. In this file, it is noted which websites the user visits, which contents he or she is interested in and which offers he or she has clicked, as well as technical information about the browser and operating system, referring websites, visiting time and other information about the use of the online services. The IP address of the user is also recorded, whereby we inform you that within the scope of Google Analytics the IP address within member states of the European Union or in other contracting states of the European Economic Area is shortened and only in exceptional cases completely transferred to a Google server in the USA and shortened there. The IP address is not linked to pers. data of the user stored within other Google offers. Google may also link the above information to such information from other sources. If the user subsequently visits other websites, ads tailored to the user's interests may be displayed.
User data is processed in a pseudonymised form within the context of Google marketing services. This means that Google does not store and process, for example, the name or email address of the user, but processes the data to be used for cookies within pseudonymised user profiles. This means that, from Google's point of view, the ads are not administered and displayed for a specifically identified person, but for the owner of the cookie, regardless of who this cookie owner is. This does not apply if a user has expressly permitted Google to process data without pseudonymisation. The information Google Marketing Services collects about users is transmitted to Google and stored on Google's servers in the United States.
One of the Google marketing services we use is the online advertising program "Google AdWords". In the case of Google AdWords, each AdWords customer receives a different "conversion cookie". Cookies can therefore not be tracked via the websites of AdWords customers. The information collected through the cookie is used to generate conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers learn the total number of users who clicked on their ad and were directed to a page tagged with a conversion tracking tag. However, they do not receive any information that personally identifies users.
We may also use the "Google Tag Manager" to integrate and manage the Google Analytics and marketing services into our website.
If you wish to opt out of interest-based advertising by Google marketing services, you can use the setting and opt-out options provided by Google: http://www.google.com/ads/preferences.
Facebook pixel, custom audiences and Facebook conversion
Based on our legitimate interests in the analysis, optimisation and economic operation of our online services, the "Facebook pixel" of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are resident in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"), is used within our online service.
Facebook is certified under the Privacy Shield agreement and thus offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
With the help of the Facebook pixel, Facebook is able to determine the visitors of our online services as a target group for the presentation of ads ("Facebook ads"). Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to Facebook users who have shown an interest in our online services or who have certain characteristics (e.g. interests in certain topics or products that are determined on the basis of the websites visited) that we transmit to Facebook ("custom audiences"). Using Facebook pixels, we also want to ensure that our Facebook ads match the potential interest of users and are not annoying. Using Facebook pixels, we can also track the effectiveness of Facebook ads for statistical and market research purposes by seeing if users were referred to our website after clicking on a Facebook ad (known as "conversion").
Facebook processes the data in accordance with the Facebook Data Usage Policy. Accordingly, general information on the presentation of Facebook ads is contained in Facebook's Data Usage Policy: https://www.facebook.com/policy.php. Specific information and details about Facebook pixels and how they work can be found in the Facebook help section: https://www.facebook.com/business/help/651294705016616.
You may opt out of Facebook pixel collection and use of your information to display Facebook ads. To control what types of ads you see within Facebook, you can go to the page set up by Facebook and follow the instructions on the settings for usage-based ads: https://www.facebook.com/settings?tab=ads. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices.
Online presences in social media
We maintain online presences within social networks and platforms in order to communicate with customers, interested parties and users active there and to inform them about our services. When visiting the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.
Unless otherwise stated in our data protection declaration, we process the pers. data of users if they communicate with us within the social networks and platforms, e.g. write contributions on our online presences or send us messages.
Integration of third-party services and content
Within the scope of our online services, we act on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online services in the sense described in Art. 6 para. 1 lit. f. GDPR) and, in this context, use content or service offers from third parties in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as "content").
This always presupposes that the third-party providers of this content perceive the IP address of the user, since they would not be able to send the content to their browser without the IP address. The IP address is therefore required for the presentation of this content. We make every effort to use only those contents whose respective providers only use the IP address to deliver the contents. Third-party providers may also use pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. “Pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymised information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring web pages, visiting times and other information about the use of our online services, and may be linked to such information from other sources.
Using Facebook social plug-ins
On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online services in the sense described in Art. 6 para. 1 lit. f. GDPR), we make use of social plug-ins ("plug-ins") of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). The plug-ins can display interaction elements or content (e.g. videos, graphics or text contributions) and can be recognised by one of the Facebook logos (white "f" on a blue tile, the term "like" or a "thumbs up" sign) or are marked with the addition "Facebook Social Plug-in". The list and appearance of the Facebook Social Plug-ins can be viewed here: https://developers.facebook.com/docs/plugins/.
When a user uses a function of these online services that contains such a plug-in, his or her device establishes a direct connection with the Facebook servers. The content of the plug-in is transmitted directly from Facebook to the user's device and integrated into the online services by the user’s device. User profiles can be created from the processed data. We therefore have no influence on the extent of the data that Facebook collects with the help of this plug-in and therefore we inform the user according to our state of knowledge.
By integrating the plug-ins, Facebook receives the information that a user has entered the corresponding page of the online service. If the user is logged into Facebook, Facebook can assign the visit to his Facebook account. When users interact with the plug-ins, for example by clicking the “Like” button or commenting, the corresponding information is transferred directly from your device to Facebook and stored there. If a user is not a member of Facebook, it is still possible for Facebook to find out his or her IP address and store it. According to Facebook, only anonymous IP addresses are stored in Germany.
The purpose and scope of the data collection and the further processing and use of the data by Facebook as well as the relevant rights and settings options to protect the privacy of users can be found in Facebook's data protection information: https://www.facebook.com/about/privacy/.
If a user is a member of Facebook and does not want Facebook to collect data about him or her via our online services and link it with his or her member data stored on Facebook, he or she must log out of Facebook before using our online services and delete his or her cookies. Further settings and objections to the use of pers. data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US American page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. The settings are platform-independent, i.e. they are adopted for all devices, such as desktop computers or mobile devices.
XPLR: MEDIA in Bavaria
Part of Medien.Bayern GmbH
A subsidiary of