The controller of your personal data within the meaning of Art. 4 (7) of the European General Data Protection Regulation (“GDPR”) is:
Stiftung Berliner Philharmoniker
10785 Berlin Germany
General Manager: Andrea Zietzschmann
Phone: +49 (0)30 254 88-0
You can contact our data protection officer at:
Stiftung Berliner Philharmoniker
Data Protection Officer
10785 Berlin Germany
Phone: +49 (0)30 254 88-0
For the hosting and the design of the website we use a data processor (Art. 28 GDPR) with headquarters and servers in Germany. This is Berlin Phil Media GmbH.
2.1 Visiting our Website
When you visit our website, the browser on your device automatically sends information to the server on our website. This information is temporarily stored in a so-called log file. The following information is collected and stored until it is automatically deleted: IP address of the requesting computer; date and time of access; name and URL of the accessed file; website from which access is made (“referrer URL”); if applicable, the search engine you used; the browser used; and, if applicable, the operating system of your computer as well as the name of your access provider.
The mentioned data will be processed by us for the following purposes:
- ensuring a functioning connection of the website,
- ensuring comfortable use of our website,
- statistical evaluation using a pseudonym in order to optimize our website as well as the quality and range of our offers,
- evaluation of system security and stability, and
- for other administrative purposes.
The legal basis for data processing is Art. 6 (1) (b) GDPR, insofar as data processing is required for the provision of the website or billing purposes. Apart from this, the processing is based on Art. 6 (1) (f) GDPR. Our legitimate interests follow from the purposes listed above for data collection. The log files are deleted after the end of the respective browser session, at the latest after 30 days, unless their further storage is required for the above-mentioned purposes.
2.2 Ticket orders
In addition, we process personal data that we receive from you in the course of our business relationship. For example, we process personal data that you provide us with when ordering tickets (in writing, by fax, by e-mail, on our website or through other channels), other inquiries (in particular by email or via the contact form on our website) or when registering for our newsletter (see point 5 below). The legal basis is Art. 6 (1) (b) GDPR, for the newsletter Art. 6 (1) (a) GDPR.
For the execution and processing of (online) ticket orders we require the following data: Title, full name, e-mail address, address (billing address and, if applicable, different shipping address), bank details or credit card details. When registering for an online order, you must also choose a password to allow you future access to the customer area without having to re-enter your personal data.
We process personal data in accordance with the provisions of the GDPR and the German Federal Data Protection Act (Bundesdatenschutzgesetz – “BDSG”):
3.1 For the performance of contracts and pre-contractual measures (Art. 6 (1) (b) GDPR)
The processing of personal data (Art. 4 (2) GDPR) takes place for the provision of the services offered on our website, for the processing of the purchase contracts for concert tickets, for billing, implementation of pre-contractual measures and for answering your inquiries (e.g. by email or via the contact form on our website) in connection with our business relationship.
Further details for the purpose of data processing can be found in the respective contractual documents and terms and conditions.
3.2 For legitimate interests (Art. 6 (1) (f) GDPR)
If necessary, we process your data beyond the actual fulfilment of the contract to protect the legitimate interests of us or third parties, for example in the following cases:
- Answering your questions (e.g. by email or via the contact form on our website) outside of a contract or of pre-contractual measures;
- advertising or market and opinion research, unless you have objected to the use of your data;
- taking photos and videos of our concerts, including the unmanageable number of people in the auditorium, and publishing them for advertising purposes;
- operation and optimization of the website;
- use of reCAPTCHA according to point 7 below;
- enforcement of legal claims and defence in legal disputes;
- ensuring our IT security and IT operations;
- prevention and investigation of criminal offences.
3.3 On the basis of your consent (Art. 6 (1) (a) GDPR)
If you have given us your consent to process personal data for specific purposes, this processing is lawful on the basis of your consent. You can withdraw your consent at any time. Please note that the withdrawal will only take effect for the future. The lawfulness of our processing based on your consent that took place before the withdrawal is not affected.
3.4 Due to legal requirements (Art. 6 (1) (c) GDPR)
In addition, we are subject to various legal obligations. The purposes of the processing include, inter alia, the fulfilment of retention periods under commercial and tax law.
On our website we use technically necessary cookies, web analysis cookies and tracking cookies for advertising purposes:
4.1 Technically necessary cookies
Most of the cookies we use are technically necessary to enable you to use our website and the services offered on it (“session cookies”). Our legitimate interest in data processing lies in this purpose; the legal basis is Art. 6 (1) (f) GDPR. The data will not be combined with other personal data and will not be used for advertising purposes. Session cookies are deleted after the end of the respective browser session, at the latest after seven days.
4.2 Web analysis cookies (Google Analytics)
For this web analysis we use the service Google Analytics, which is operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
On our behalf, Google uses this information as a processor within the meaning of Art. 28 GDPR to evaluate your use of the website, to compile reports on website activities and to provide the website operator with further services associated with website use and Internet use. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data.
4.3 Tracking cookies for advertising purposes
If you have given your consent on our website, we also use tracking cookies for the purpose of targeted and interest-related online advertising (“advertising cookies”). These cookies collect and store information about your use of our website in pseudonymous form. The legal basis for data processing is Art. 6 (1) (a) GDPR. You give your consent to this tracking on our website by clicking on “OK” in our cookie banner; before this happens, no advertising cookies are set and no other tracking technologies (e.g. tracking pixels) are activated. You can withdraw your consent at any time in the footer of our website. The lawfulness of the processing carried out on the basis of your consent until withdrawal remains unaffected. We do not combine the information with other personal data that you voluntarily provide to us when you use the services on our website. We use the information to place advertisements on our website and on the websites of third parties (insofar as these are part of our advertising network) that correspond to your interests. You also benefit from this because you will be confronted with less advertising that is not tailored to your interests. We also use the information to measure and optimize the success of our advertising campaigns.
The tracking cookies are deleted if and when you revoke your consent, at the latest after expiry of the storage period specified by the third party provider.
If you have given your consent on our website, we use the following tracking cookies (and tracking pixels) for advertising purposes:
If you have expressly consented according to Art. 6 (1) (a) GDPR, we use your email address to inform you in our email newsletter about us, in particular, our current program and highlights. Your consent is recorded. To receive the newsletter, it is sufficient to provide an email address. You can unsubscribe at any time, for example via the link at the end of each e-mail. Alternatively, you may send your request to unsubscribe by email at any time. In this case your email address will be deleted from our email distribution list and added to our blacklist. The withdrawal of your consent will only take effect for the future. The lawfulness of any processing based on your consent carried out before the revocation is not affected by this.
Please note that we evaluate the behavior of the recipients of our emails using pseudonymous usage statistics. For this purpose, the emails contain so-called web beacons or tracking pixels and links, which are each linked with an individual ID. Thus we record the time of opening and forwarding the email as well as the clicking of the links contained therein, the IP address (to determine the country of retrieval) and the email program used. This data is not linked to your email address or other personal data, so that a direct personal relationship is excluded for us. The evaluation is based on aggregated usage statistics (delivery rate, opening rate, click rate, number of redirects, number of clicks on the links contained in the email, email programs used, openings and clicks by time of day and date, country of retrieval). Only in the event of cancellations or failed deliveries will we additionally receive information about the name and email address. This is (also) in your interest, so that we can immediately delete you from our email distribution list or correct the delivery problem. The pseudonymous evaluation of usage behaviour serves to check the success of our email marketing and to constantly improve it. For these purposes, we have a legitimate interest in data processing. The legal basis is Art. 6 (1) (f) GDPR. You can object to the evaluation at any time pursuant to Art. 21 (2) GDPR by unsubscribing from the newsletter (e.g. via the link at the end of each email); an isolated objection only against the evaluation is (currently) not possible for technical reasons. We store your pseudonymous usage data until you object to the evaluation.
Dispatch and evaluation by Campaign Monitor
5.2 Existing customers
If you have already purchased goods or services from us, we inform you from time to time by email or letter about similar goods and services from Berliner Philharmoniker if you have not objected to this.
The legal basis for such data processing is Article 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in direct advertising (Recital 47 GDPR).
You can object to the use of your e-mail address and postal address for advertising purposes at any time without additional costs, for example via the link at the end of each e-mail or by email.
We use social media plugins from the following providers on our website:
- Facebook Inc, 1601 S California Ave, Palo Alto, California 94304, USA (“Facebook”) and
- Twitter Inc, 1355 Market St., Suite 900, San Francisco, California 94103, USA (“Twitter”).
We use the so-called two-click solution. This means that when you visit our website, generally no personal data is passed on to the providers of the plugins. We offer you the possibility to communicate directly with the provider of the plugin via the button. You can recognize the provider of the plugin by the name of the respective plugin and the logo. Only if you click on the button and thereby activate it, will the plugin provider be informed that you have accessed the corresponding website of our online offer. In the case of Facebook, the IP address is anonymized immediately after collection, according to the provider. By activating the plugin, personal data is transferred from you to the respective plugin provider and stored there (for US providers in the USA). The transfer of your information to a third country outside the EU is covered by a Commission adequacy decision (C/2016/4176 of 12 July 2016 - http://data.europa.eu/eli/dec_impl/2016/1250/oj) within the meaning of Article 45 GDPR, because Facebook and Twitter have self-certified their adherence to the principles of the EU-US Privacy Shield (https://www.privacyshield.gov/EU-US-Framework).
If you click on a button, the plugin provider stores the data collected about you as user profiles and uses it for purposes of advertising, market research and/or demand-oriented design of its website. You have the right to object to the creation of these user profiles. To exercise this right, you must contact the respective plugin provider.
The data transfer is independent of whether you have an account with the plugin provider and are logged in there. If you are logged in with the plugin provider, your data collected with us will be directly assigned to your existing account with the plugin provider. If you click on the button and, for example, link the page, the plugin provider will also save this information in your user account and communicate it to your contacts publicly. We recommend that you log out regularly after using a social network, especially before activating the button, as you can thus avoid being assigned to your profile with the plugin provider.
The legal basis for the use of the plugins is Art. 6 (1) (f) GDPR. The plugins serve to promote our website and our goods and services through selected social media channels. This advertising purpose is our legitimate interest in data processing, which you yourself trigger by a conscious action (clicking on the button).
For more information about the purpose and scope of data collection and processing by the plugin provider and your rights and settings to protect your privacy, please visit
- http://www.facebook.com/help/186325668085084 (Facebook), and
- https://twitter.com/privacy (Twitter).
Our website also contains simple links to our profiles on Facebook, Twitter, YouTube (an offer from YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA) and Instagram (an offer from Instagram LLC, 1601 Willow Rd, Menlo Park, CA 94025, USA). If you click on these links, you will leave our website. The data processing on the websites of the social media providers is subject to the privacy policies available there.
On our websites we use the service reCAPTCHA of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) to prevent the misuse of our websites by bots.
For this purpose, reCAPTCHA analyses the usage behavior on our web pages (e.g. when using our streaming services or forms) to determine whether the respective processes are triggered by a human or an automated program. To do this, reCAPTCHA automatically collects and analyses various information (e.g. IP address, duration of the visit to our website, mouse movements of the user). The data will be forwarded to a Google server in the USA. The transfer of your information to a third country outside the EU is covered by a Commission adequacy decision (C/2016/4176 of 12 July 2016 – http://data.europa.eu/eli/dec_impl/2016/1250/oj) within the meaning of Art. 45 GDPR, because Google has undertaken to comply with the principles of the EU-US Privacy Shield.
On our website we use a visible reCAPTCHA. When certain processes are triggered (e.g. sending a form, playing a video), a user may have to take action and confirm that he is not a robot.
Data processing starts automatically as soon as a user accesses the website. The analysis by reCAPTCHA takes place in the background.
The legal basis for data processing is Art. 6 (1) (f) GDPR. Our legitimate interest is to detect and prevent the misuse of our websites by automated programs.
This website uses plugins from the website www.youtube.com, which is operated by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA ("YouTube"). YouTube is a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").
With the help of the plugins we can integrate videos stored on www.youtube.com into our online offer so that they can be played directly on our website. The plugins are all integrated in the “extended data protection mode”, i.e. no data about you as a user will be transferred to YouTube if you do not play the videos. Only when you play the videos will YouTube know that you have accessed the corresponding subpage of our website. Further data is also transmitted to YouTube's servers in the USA. This is regardless of whether you have a YouTube account or are logged in to YouTube. When you are logged in to YouTube and play a video, your information will be directly associated with your account. If you do not wish to be associated with your profile on YouTube, you must log out before visiting our website. YouTube stores your data as user profiles and uses it for the purposes of advertising, market research and/or demand-oriented design of its website. Such evaluation takes place in particular to provide demand-oriented advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, which you must claim from YouTube. We have no influence on this data transfer and processing through YouTube.
The transfer of your information to a third country outside the EU is covered by an adequacy decision of the Commission within the meaning of Art. 45 GDPR, because Google as well as its US subsidiaries (including YouTube) has self-certified its adherence to the principles of the EU-US Privacy Shield (https://www.privacyshield.gov/EU-US-Framework). For more information about the purpose and scope of YouTube’s data collection and processing, please visit https://www.google.com/intl/gb/policies/privacy. There, you will also receive further information on your rights and setting options to protect your privacy.
Within our organization, those departments or individuals get access to your data that need it in order to fulfil our contractual and legal obligations.
Processors (Art. 28 GDPR) may also receive data for the aforementioned purposes. These are companies in the categories of IT services, logistics, printing and shipping services, ticketing, telecommunications, debt collection, newsletters, sales and marketing. In particular, we use a processor based in Germany for hosting and designing the website.
We share your personal data with third parties if this is necessary to fulfil an existing contractual relationship between you and Berliner Philharmoniker or to implement pre-contractual measures (Art. 6 (1) (b) GDPR) or for the purposes of legitimate interests (Art. 6 (1) (f) GDPR).
We only share such information as is required by the respective service provider to perform the task assigned to him. The service provider undertakes to treat the data confidentially in accordance with this data protection declaration and the relevant data protection laws and not to pass it on to third parties. In addition, your personal data will be disclosed or transmitted if required to do so by law (Art. 6 (1) (c) GDPR) or if you have given your consent (Art. 6 (1) (f) GDPR).
Under these conditions, recipients of personal data may be, for example:
- Subcontractors we use to provide the services offered via the website (e.g. mail order companies for ticket sales).
- Banks for the collection of fees.
- Public authorities and institutions in the event of a legal obligation or official order.
If necessary, we process and store your personal data for the duration of our business relationship, which also includes, for example, the initiation and processing of a contract.
In addition, we are subject to various storage and documentation obligations arising, inter alia, from the German Commercial Code (Handelsgesetzbuch – “HGB”) and the German Fiscal Code (Abgabenordnung – “AO”). The retention and documentation periods specified there are, e.g., 6 years for correspondence in connection with the conclusion of a contract and 10 years for accounting documents (Sec. 238, 257 (1) and (4) HGB, Sec. 147 (1) and (3) AO). Such storage and documentation obligations apply in particular if you conclude a contract with us (e.g. purchase of a concert ticket, registration in the customer portal as part of an online ticket purchase).
Finally, the storage period also depends on the statutory limitation periods, which, for example, according to Sec. 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – “BGB”), are generally three years long, but can, in certain cases, also be up to thirty years.
After expiry of the storage and documentation obligations and the relevant limitation periods, we delete the data.
Log files and cookies are deleted after expiry of the above-mentioned storage periods.
You have the right of access (Article 15 GDPR), the right to rectification (Article 16 GDPR), the right to erasure (Article 17 GDPR), the right to limitation of processing (Article 18 GDPR) and the right to data portability (Article 20 GDPR). The restrictions according to §§ 34 and 35 BDSG apply to the right to information and the right of cancellation. You also have the right to object to data processing by us (Article 21 GDPR). If our processing of your personal data is based on consent (Article 6 Para. 1 S. 1 lit. a GDPR), you can revoke this at any time; the legality of data processing based on the consent until revocation remains unaffected by this.
To assert these rights and for further questions on the subject of personal data, please contact our data protection officer (email) or our postal address (see paragraph 1 above) at any time.
Regardless of this, you have the right to file a complaint with a supervisory authority – in particular in the EU Member State where you are staying, where you work or where the alleged infringement took place – if you believe that the processing of personal data concerning you violates the GDPR or other applicable data protection laws (Article 77 GDPR, § 19 BDSG).
In the context of our business relationship you only have to provide the personal data which is necessary for the establishment, execution and termination of a business relationship or which we are legally obliged to collect. Without this data we will usually have to refuse the conclusion of the contract or the execution of the order or we will no longer be able to execute an existing contract and may have to terminate it.
Mandatory information is marked as such on our website.
We do not use fully automated decision making according to Art. 22 GDPR for the establishment and implementation of a business relationship. Should we use these procedures in individual cases, we will inform you separately, where required by law.
We take a variety of security measures to protect personal data to an appropriate extent.
All customer information is stored on secure servers that are protected from access from other networks by a software firewall. Only those employees who need information to process a specific request or order have access to the data. The employees are trained in the safe handling of data.
Insofar as we collect personal data on our pages, the transmission is encrypted using the industry standard Secure Sockets Layer (“SSL”) technology. This applies to all particularly sensitive data such as credit card numbers and account information.
Last updated: 24 May 2018