Data Protection Notice

Below, we would like to explain to you which data we collect about you and what we do with these data. We also inform you about your privacy rights and explain to whom you can turn with questions about data protection.

About us

Data controller (responsible for data processing):

Deutsche Oper am Rhein
Theatergemeinschaft Düsseldorf-Duisburg gGmbH

Heinrich-Heine-Allee 16a
40213 Düsseldorf

Tel. +49 211 89 25 210
ticket@operamrhein.de
Managing directors: Prof. Christoph Meyer, general director; Alexandra Stampler-Brown, executive director

Concerning questions about this Data Protection Notice, processing of your data, your rights or other data protection topics, our data protection officer (DPO) would be pleased to help you.

Contact details of our data protection officer:

Deutsche Oper am Rhein
Data Protection Officer
Theatergemeinschaft Düsseldorf-Duisburg gGmbH

Heinrich-Heine-Allee 16a
40213 Düsseldorf
datenschutz@operamrhein.de

Scope of Application

This data protection notice refers to:

- visitors of our website operamrhein.de,

- visitors of our web shops webshop.operamrhein.de and theaterduisburg.eventim-inhouse.de,

- our customers and visitors to our stage performances,

- purchasers of (group) tickets and subscriptions.

Our website offers links which lead to the websites of other operators for which this Data Protection Notice does not apply.

Do I have provide my data?

When you visit our websites, user data are automatically stored. Some of the collected data are necessary for the use of a website. In addition, we also process your data in order to safeguard our legitimate interests according to a balance of interests. This will enable us to continuously improve the services we offer to you. On the following pages, you will learn about the background of our interests as well as whether and how you can object to the use of your data or disable the use of the data.

In order to use one of our offers or to send a request, you will be asked to provide your personal data. You can decide for yourself whether to take advantage of these offers and to provide your data. We also offer services for which we process your data only if you have given us your consent. The granting of consent is always voluntary. Consent that has been granted may be revoked at any time.

Please note that if you provide information about other persons, you must have obtained their prior approval and informed them of the purposes for which the information is being disclosed, as set forth in this Data Protection Notice.

We also ask you to share this information with the people you include in the use of our services, such as family members or authorised persons.

Definition of Essential Terms

Personal Data

In the following information, „personal data“ is a very frequent term, but what does it actually mean?

The term “personal data” is defined legally in Article 4 (1) GDPR as follows:

personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing

The term “processing” is defined legally in Article 4 (2) GDPR as follows:

processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Processing Website Visitor Data

This section explains which data will be processed when you visit one of our websites.

  1. Processing Purposes and Legal Bases

We distinguish between various types of processing personal data which are described below. The processed data and cookies are listed in tables.

Service Provision

In order to visit and use our websites, the specified data must be collected. We process these data to fulfill the contract-like relationship of trust so you can use our service, i.e. our website (Art. 6 (I) b) GDPR).

Data Security

Every access to our website is stored in a log file. We process these data for the purpose of data security. Processing your data for that purpose is based on our legitimate interest in guaranteeing data security (Art. 6 (I) f) GDPR).

Optimisation of Our Websites

We constantly optimise our websites in order to offer you the best user of shopping experience. For this purpose we place cookies on your device and process the specified data about your use of our website. Thus you will receive a distinct user ID which identifies your following visits. We use your data for evaluation of the usability, functionality and appeal of our website. For that purpose, your data will be aggregated to statistics without personal information. With that you support our trouble-shooting, optimisation of user experience and development of our websites. We will not match visitor data with your name or other personal information that you provide to us (if any). Processing your data for the described purposes is based on our legitimate interests in troubleshooting, optimization and development of our webshop/site (Art. 6 (I) f) GDPR). Please refer to the chapter ‘Information About Cookies’ for more information on objection against such processing.

Inquiries

We process your data that you give to us when you have a question or another concern. This may include data that you send to us via email or submit via contact form. We process your data within the context of a contract-like relationship of trust or for the initiation or performance of a contract (Art. 6 (I) b) GDPR).

Informationen About Cookies

Cookies which are necessary for the service provision are set on our websites. The processing is based on our our legitimate interest (Art. 6 (I) f) GDPR) in providing a working website, optimization and development of our website and in troubleshooting.

Specification

Purpose

Lifecycle

Objection

BIGipServer~ASP~webshop.operamrhein.de

Identification of the session (service provision)

Until closing the browser (end of session)

Not applicaple

JSESSIONID, MATOMO_SESSID

Tracks the session (service provision)

Until closing the browser (end of session)

Not applicaple

_pk_ses

Identification of the session (service provision)

30 minutes

Not applicaple

_pk_id

Optimisation of website

25 months

_pk_ref

Optimisation of website

6 months

piwik_ignore, mtm_consent_removed

Saves the objection

30 years

Not applicaple


Note: Clicking on the opt-out-link will set an opt-out-cookie. Please do not delete this cookie, since it indicates your withdrawal or objection. If you use several browsers or devices for visiting our websites, please click on these links in each browser.

  1. Processed Data

Data

Service Provision

Data Security

Optimisation of Websites

Inquiries

IP address

x

x

x

 

name of the accessed file

x

x

 

 

transferred data volume

x

x

 

 

accessed website

x

x

x

 

referrer URL (the previously visited website)

 

 

x

 

user agent sent by your browser

x

x

x

 

session cookie

x

x

 

 

date and time of access

x

x

x

 

visitor ID w/out personal reference

x

x

x

 

operating system

x

x

x

 

browser type

x

x

 

 

shopping cart contents

x

x

 

 

statistical cookies (Matomo)

x

 

x

x

 

user location: country, region, city, approximate latitude and longitude (geolocation)

 

 

x

 

type, brand and version of device

 

 

x

 

Duration of visit

 

 

x

 

amount of actions during a visit (page views, downloads, outlinks and internal searches)

 

 

x

 

downloads

 

 

x

 

internal search terms

 

 

x

 

Page generation time

 

 

x

 

Outlinks

 

 

x

 

provider

 

 

x

 

total amount of visits

 

 

x

 

form of address

 

 

 

x

first and last name

 

 

 

x

e-mail address

 

 

 

x

phone number

 

 

 

x

date and time of inquiry

 

 

 

x

Sources of Data

We do not collect your personal data from third parties.

Processing Customer Data

This section explains which data will be processed for what purpose and based on which legal basis.

I. Purchases

We process your data for handling your purchases of tickets, programme booklets, subscriptions, gift cards, excursions and souvenirs, as well as for reservations. Furthermore your data are also processed for handling cancellations or returns.

If you buy gift cards, you can choose between print and virtual gift card. We administer virtual gift cards in our ticket system and afterwards, you will receive the chosen cards by mail or may collect them yourself in the box office in Duisburg or opera shop in Düsseldorf.

If you purchase a subscription, you will be issued a subscription ID card. The ID card holds all information about the designated stage performances for the whole season. Moreover, you will receive the monthly programme by mail.

You can submit your contact data (phone number or e-mail) on a voluntary basis if you want us to serve you with important information about stage performances. This includes cancellations, postponements, programme modifications etc. Your address is required, if the purchased products will be delivered to you.

The legal basis for the processing your data for the purposes described above is the performance of the contract (art. 6 (I) b) GDPR).

If you purchase tickets at the box office on the evening of the performance, we will collect no personal data, because you receive your tickets immediately and can visit the performance subsequently.

II. Group Tickets

When you purchase tickets for a whole group (e.g. school group) and you are the contact person for that process, we process your data for communication purposes in order to initiate, perform and complete the contractual relationship (purchase contract) with your institution. We either collect your data from you or we receive them from your institution.

The legal basis for the processing your data for the purposes described above is our legitimate interest in performing the contract with your institution (art. 6 (I) f) GDPR).

III. Payment

We perform your payment data for processing payments.

When paying via PayPal, your data will be forwarded to PayPal (Europe) S.à r.l. et Cie,S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereafter referred to as "PayPal"). When paying via credit card your data will be forwarded to the respective credit card provider.

The legal basis for the processing your data for the purposes described above is the performance of the contract (art. 6 (I) b) GDPR).

IV. Your Customer Account

We process personal data in order to create a customer account in our customer master data, and for processing your purchase or administration of your customer data and purchases in the webshop.

The legal basis for the processing your data for the purposes described above is the performance of the contract (art. 6 (I) b) GDPR).

V. Communication or Inquiries

Processing your data for communication purposes is necessary to serve you with important information about the booked stage performance. This includes cancellations, postponements, programme modifications etc. Subscribers will be informed about potential reopenings.

You may contact us in several ways. We will then process your personal data within the context of the commercial relationship for the purpose of communication, including handling your inquiry. This also includes e.g. praises, criticism or questions about lost properties.

The legal basis for the processing your data for the purposes described above is the initiation or performance of the contract (art. 6 (I) b) GDPR).

VI. Requesting Publications

You may request publications (e.g. seasonal programme, monthly programmes, information material) to be sent to you by mail or e-mail. Your data are required for shipping or sending e-mails.

The legal basis for the processing your data for the purposes described above is the performance of the contract (art. 6 (I) b) GDPR).

VII. Information and Advertising

We process your personal data for the purpose of advertising our own events, activities or offers and for shipment of information material. We create customer profiles in order to inform you about contents which correspond to your interests. Information will be sent by mail or e-mail.

Processing your data for shipment and creating profiles is based on our legitimate interests in advertising our events and offers (art. 6 (I) f) GDPR). Processing your data for sending e-mails is based on a legal permission (art. 6 (I) c) GDPR in conjunction with § 7 (III) UWG (Garman Law Against Unfair Competition or Gesetz gegen den unlauteren Wettbewerb)).

VIII. Newsletter

We process your personal data for sending you our e-mail newsletter. This is based on your consent (art. 6 (I) a) GDPR). We also process your data for selecting proper recipients of our offers. This is based on our legitimate interests in a systematic dispatch of our offers (art. 6 (I) f) GDPR).

IX. Customer Surveys

We carry out customer surveys with the aim of identifying our company‘s opportunity for improvement and opportunity for supporting our customers. We process your data to invite you to our surveys.

Processing your data for that purpose is based on our legitimate interest in demand analyses and in the identification of our opportunity for supporting our customers (art. 6 (I) f) GDPR).

X. Prize Draws

We sometimes hold prize draws. Processing your data for your participation in our prize draw is based on the performance of the contract (Art. 6 (I) b) GDPR).

XI. Complaints

We process your data for handling your complaint. The legal basis for processing your data for the purpose of handling complaints is the performance of the contract (art. 6 (I) b) GDPR).

XII. Product Recalls

If there is a product recall from a manufacturer, we process your data in order to notify you and respective public authorities (if necessary). The legal basis for processing your data in the context of product recalls is the compliance with legal requirements (Product Safety Act in conjunction with art. 6 (I) c) GDPR).

Overview of Processed Data

Data

I. Purchases

II. Group Tickets

III. Payment

IV. Your Customer Account

first name, last name

x

x

x

x

form of address

x

x

 

x

email address

x

x

x

x

phone number

x

x

x

x

address

x

x

x

x

customer ID

x

x

x

x

shipment date

x

x

 

 

purchase details: date, contents, amount, order number, order type, order status

x

x

x

 

other details e.g. desired seat

x

x

 

x

invoice details (date, number, contents, net/gross amount etc.)

x

x

 

 

reservation, reserve until

x

x

 

 

seat number

x

x

 

 

performance details (title, date, time)

x

x

 

 

type of gift card

x

x

 

 

fee, seat category

x

x

 

 

type of subscription, term, end of contract

x

 

 

 

transfer of subscription

x

 

 

 

stage performances designated or chosen for the subscription

x

 

 

 

different invoice recipient

x

x

 

 

payment method

x

x

x

 

payment details depending on payment method (bank account, SEPA mandate, credit card data)

x

x

x

X (IBAN, SEPA mandate, NO credit card data)

sum

x

x

x

x

cart

x

x

 

x

reduced fee, reason for reduced fee

x

x

 

x

use of family card, honorary office card, City-Power-Card

x

 

 

x

 

Data

V. Communication or Inquiries

VI. Request of Publications

VII. Information and Advertising

VIII. Newsletter

first and last name

x

x

x

x

form of address

x

x

x

x

e-mail address

x

x

x

x

phone number

x

x

 

 

address

x

x

x

 

customer ID

x

x

x

x

shipment date

 

x

 

 

requested publications

 

x

 

 

purchase details: date, contents, amount, order number, order type, order status

x

 

x

x

reservation, reserved until

x

 

 

 

seat number

x

 

 

 

performance details (title, date, time)

x

 

x

x

fee, seat category

 

 

x

x

your concern (praise, criticism, lost property etc.), correspondence and date

x

 

 

 

reduced fee, reason for reduced fee

 

 

x

x

use of family card, honorary office card, City-Power-Card

 

 

x

x

type of gift card

x

 

 

 

type of subscription, term, end of contract

x

 

x

x

type of school

 

x

x

x

type of dispatch, campaign

 

 

x

x

customer group (private person/school/group)

 

 

x

x

newsletter subscription yes/no

 

 

x

x

advertisement consent yes/no

 

 

x

x

 

Data

IX. Customer Surveys

X. Prize Draws

XI. Complaints

XII. Product Recalls

first and last name

x

x

x

x

form of address

x

x

x

x

e-mail address

 

x (for notification and shipment of the prize)

x

x

phone number

 

 

x

x

address

x

x (for shipment of the prize)

x

x

customer ID

 

 

x

x

shipment date

 

 

x

x

purchase details: date, contents, amount, order number, order type, order status

 

 

x

x

invoice details (date, number, contents, net/gross amount etc.)

 

 

x

x

seat number

 

 

x

 

performance details (title, date, time)

 

 

x

 

fee, seat category

 

 

x

 

Issue

 

 

x

x

Sources of Data

In general, we collect your data directly from you. We may receive your data from the purchaser if you receive tickets as a gift or accompany another person.

Other Processing Purposes

In addition, the above-mentioned data are used for the following purposes in the context of a balance of interests (Art. 6 (I) (f) GDPR). The interests are described below:

1. Should a security incident occur in our company that affects your data, we are obliged to report the case to our data protection supervisory authority (Article 33 GDPR). Since our legitimate interest is to comply with this statutory reporting obligation as quickly as possible, it may happen that in the context of the investigation of the corresponding security incident data about you are processed. Reports of these security incidents to data protection supervisory authorities do not contain any of your personal data.

2. As it is in our interest to ensure the security of our systems, we regularly conduct security and efficiency tests that allow us to process your above-mentioned data.

3. Since it is our interest to solve legal disputes, we process your data in that specific case. It is also in our interest, in the event of litigation, to keep evidence until all relevant statutory limitation periods pursuant according to sections 195ff. of the German Civil Code, have expired. For this purpose, we retain the relevant data about you in accordance with these limitation periods. The retention periods cannot be globally predicted, since they depend on the particular matter in dispute and the respective statutory limitation period, which can be up to 30 years. The regular limitation period is three years.

4. In addition, it is in our interest to investigate suspected cases and to hand over relevant information to law enforcement authorities in case of a specific criminal suspicion.

5. For meeting our tax-law obligations, we engage tax counsellors. Furthermore, we engage financial auditors for meeting our duty of auditing the financial statements according to § 316 (1) Commercial Code (or German “Handelsgesetzbuch”, short HGB). Finally, as it is our legitimate interest to cooperate with auditors from tax authorities in order to prove the correct invoicing and financial statements. Documents which are regarded for these purposes may contain your personal data.

6. Errors can occur to anyone and in any organisational process. In order to optimise our processes and minimising our error rate, we process the data which are available to our company for identifying sources of error. The processing takes place in order to protect our legitimate interests in the improvement of our processes.

7. If you get in touch with one of our employees before, during or after performances of Deutsche Oper am Rhein and submit your personal data for a response, we process such data for dealing with your concern, since it is our interest to solve your concerns satisfyingly or to meet legal obligations (if such obligations arise from the issue).

8. It is our legitimate interests to allow assessments in the context of budgetary law by our holders and external funding sources. These parties assess the orderly use of resources. Assessed documents such as invoices and receipts may contain your personal data.

9. We perform (internal) audits and other control activities (e.g. data protection officer’s monitoring activities), because it is our legitimate interest to comply with legal provisions, to obtain transparency about our business processes, to constantly optimise these processes and to prevent and identify harmful acts against our business. In doing so, documents or data sets with your personal data may be processed.

10. We process your data for purposes of managing our company, for identification and persecution of financial risks, for concentrating our sales activities and for fulfilment of (contractual) obligations regarding our customers. For that purpose, the processed data will be used for the creation of reports and for evaluation. The processing takes place for protecting our legitimate interests in company and sales management as well as for fulfilment of our obligations regarding our customers.

11. We process your data for testing IT systems and software products and for migrations. The processing is necessary for satisfying our legitimate interest in evaluating if new products are correct and if migrations are complete.

12. We maintain a black list, which lists former customers or prospects whom we no longer wish to begin business relations with. For example, repeated payment failures as well as contract-abusive, deceitful or business-damaging behaviour count to the reasons. The processing occurs in line with the freedom of contract for the protection of our legitimate interest in protecting our company against financial damages or defamation.

13. Finally, we process your data for meeting legal requirements concerning infection prevention or health protection, e.g. for being able to retrace chains of contact.

Deletion or Retention Periods

The data used to optimise our website will be deleted three years after collection.

Data from inquiries will be deleted after six months.

Data concerning purchases will be deleted ten years after completing the annual financial statement of the year in which the purchase was made.

If the purchase is not completed, the shopping cart contents will be deleted after 15 minutes of inactivity.

Data processed for purposes of information and advertisement will be deleted five years after your last purchase.

If you unsubscribe from our newsletter and have no customer account, we delete your e-mail address after that.

You can have us delete your customer account any time. It suffices to send a message to us, in particular using the contact details presented above. We will delete your customer account if you have not logged in to it for a period of five years.

The data processed for the purpose of data security will be deleted as soon as they are no longer needed for completing this purpose.

For the preservation of evidence, we retain data in accordance with the statutory limitation periods according to sections 195 and following of the German Civil Code. The storage duration of your data may exceed the duration stated above. The statutory limitation periods can be up to 30 years. The normal limitation period is 3 years.

Information about automated individual decision-making

There are no automated individual decisions.

Who Receives Your Data?

The following list shows which organisations (“data recipients”) receive your data in which cases. You can read about the specific data in the corresponding sections of this data protection notice. Transfer of your data may sometimes occur due to contractual or legal requirements. In other cases, we use selected vicarious agents and service providers who work for us as com-missioned data processors (in accordance with Art. 28 GDPR) and may obtain access to your data in the required scope. Commissioned data processors are subject to numerous contractual obligations and may, in particular, process your personal data only on our instructions and solely for the fulfilment of the orders received from us.

-Auditors
-Banks, payment service providers
-Auditors from our holders and external funding sources
-Data protection officer
-Service providers for customer surveys
-Service providers for distribution of our newsletter
-Service providers for mass file destruction
-Service providers for optimisation of our web shop and websites
-Service providers for printing, letter shops
-Recipient’s e-mail provider
-Tax authorities
-Courts, lawyers, contractual partners, consultants, business partners, law enforcement authorities, opposing lawyers, state or federal criminal police (for legal disputes or actual suspicious cases)
-IT service providers
-Suppliers
-Tax counsellors
-Service providers for telecommunication
-Financial auditors
-Customs authorities

Data Recipients in Non-EU Countries

You can purchase our tickets, programme booklets, subscriptions and souvenirs from countries beyond the EU (= so-called third countries) as well. When doing so, your data will be transferred to this country. The transfer of your data is necessary to perform the contract with you (art. 49 (I) b) GDPR). It is transferred for processing your purchase and the shipment and in order to communicate with you. We point out to the fact that the data protection level in third countries without an adequacy decision of the EU commission can deviate from that of the European Union. According to the EU commission, there is an adequate level of data protection in the following third countries: Andorra, Argentina, the Faroes, Guernsey, Isle of Man, Israel, Japan, Jersey, Canada (limited), New Zealand, Switzerland, Uruguay (cited 6/17/2020).

Our IT service providers have affiliates or subcontractors outside the EU who can access your data. Furthermore we make use of Mailgun Technologies, Inc., a service provider for dispatch of our newsletter, who is located in the USA and who has affiliates or subcontractors outside the EU with access to your data, too. The EU Commission determines which non-EU / EEA countries (third countries) have an adequate level of data protection. The transfer uses the EU standard contract according to Com-mission Decision 2010/87/EU, the model of which can be found on the websites of the European Commissioner for Justice and in the Official Journal of the EU.

Your Rights

You have the legal right to:

- Access to your personal that we process (Art. 15 GDPR)
- Rectification and completion of your data (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Withdrawal of your consent (Art. 7 GDPR) with effect for the future. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
- You have the right to demonstration of your own point of view and refutation of an automated decision (Art. 22 GDPR).
- Access to your personal that we process (Art. 15 GDPR)
- Rectification and completion of your data (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Withdrawal of your consent (Art. 7 GDPR) with effect for the future. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
- You have the right to demonstration of your own point of view and refutation of an automated decision (Art. 22 GDPR).

- You also have the right to object to the processing of your data which is based on our legitimate interests or the legitimate interests of a third party at any time, on grounds relating to your particular situation (Art. 21 GDPR). This also applies to profiling based on these provisions within the meaning of Art. 4 (4) GDPR.

- Objection to direct marketing – You have the right to object to the processing of your data for the purpose of direct marketing at any time without giving reasons.


To exercise these rights, you can contact us via the contact details mentioned above.

You also have the legal right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).