Filmtimer GmbH (hereinafter "Ft")
Email address: firstname.lastname@example.org
Managing director / owner: Benjamin Schubert
Types of processed data:
- Basic data (e.g. names, addresses).
- Contact data (e.g. email, telephone numbers).
- Content data (e.g. text entries, photographs, videos).
- Usage data (e.g. visited web sites, contents of interest, access times).
- Meta-/communication data (e.g. device information, IP addresses).
Categories of data subjects:
Visitors and users of the online offer (data subjects are hereinafter summarised as “users”)
Purpose of processing
- Provision of the online offer, its functions and contents.
- Replying to contact requests and communication with users.
- Security measures
- Reach assessment/marketing
“Personal data” are all data that refer to identified or identifiable natural persons (hereinafter “data subject”); a natural person that can be directly or indirectly identified by means of assignation to an identifier such as a name, an identification number, location data, to an online identification (e.g. cookie), or to one or several particulars that are expressions of the physiological, genetic, psychological, economic, cultural or social identity of this natural person.
“Processing” means any operation, or series of operations, that is carried out with or without the help of automated procedures in connection with person-specific data. The term is comprehensive and includes virtually any handling of data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
Any natural or legal person, authority, establishment or other institution that can, alone or in conjunction with others, decide upon the purposes and means of processing of person-specific data is referred to as “data controller”.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;
Relevant legal bases
Pursuant to Art. 32 GDPR and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as their access, input, disclosure, availability and separation. In addition, we have established procedures that ensure the enjoyment of data subject rights, data erasure, and reaction to data vulnerability. Furthermore, we take into account the protection of personal data in the development and/or selection of hardware, software and procedures, pursuant to the principle of data protection through technology design and privacy-friendly default settings (Art. 25 GDPR).
Collaboration with contract processors and third parties:
If we reveal data to other persons or companies (contract processors or third parties) in the course of processing, transmit, or otherwise grant them access to this data, this only occurs on the basis of legal permission (e.g. if transmission of data to third parties such as payment service providers is required for contract performance according to Art. 6 para. 1 lit. b) GDPR), you have given your consent, a legal obligation provides for it, or on the basis of our legitimate interests (e.g. when deploying agents, web hosts, etc.).
If we instruct third parties to process data on the basis of a so-called “order data processing agreement”, this happens on the basis of Art. 28 GDPR.
Transfer of data to third countries:
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or if we use third-party services, or disclose or transfer data to third parties, this only occurs if we are required to do so in order to fulfil (pre)contractual obligations, on the basis of your consent, on the basis of a statutory requirement or on the basis of our legitimate interests. Subject to legal or contractual concessions, we only process data or allow data to be processed in a third country under the specific conditions outlined in Art. 44 ff. GDPR. This means that data is processed on the basis of special guarantees, for example the data protection level must be determined in accordance with the levels officially recognised by the EU (e.g. in accordance with the Privacy Shield Frameworks stipulated in the USA), or must comply with officially recognised contractual obligations (standard contractual clauses).
Rights of data subjects:
You are entitled to request confirmation whether the relevant data are processed, as well as information about this data, and other information and copies of the data pursuant to Art. 15 GDPR.
Pursuant to Art. 16 GDPR, you are entitled to request the completion or correction of data concerning your person.
Pursuant to Art. 17 GDPR, you are entitled to demand the immediate erasure of relevant data, or, alternatively, pursuant to Art. 18 GDPR, to request a limitation of data processing.
Pursuant to Art. 20 GDPR, you are entitled to request data relating to your person that you have provided to us and to request transfer thereof to other responsible persons.
Pursuant to Art. 77 GDPR, you are furthermore entitled to lodge an appeal with the relevant supervisory authorities.
Right of cancellation:
Pursuant to Art. 7 para. 3 GDPR, you are entitled to revoke given consent for the future.
Right to object:
Pursuant to Art. 21 GDPR, you can at any time object to future processing of your personal data. Users can specifically object to having their data processed for the purposes of direct marketing.
Cookies and right to object in case of direct marketing:
Small files that are saved on users’ computers are known as “cookies”. Various data can be saved within cookies. A cookie primarily serves the purpose of saving data concerning the user (or the computer on which the cookie is saved) during and possibly after his visit to the online offering. Cookies that are deleted after a user leaves an online offering and shuts his browser are known as temporary cookies, “session cookies” or “transient cookies”. Such a cookie may contain data such as the content of a shopping cart in an online shop, or a log-in status. Cookies that remain saved after shutting the browser are known as “permanent” or “persistent” cookies. Particulars such as the log-in status can thus be saved when users revisit them after several days. User interests that are used for reach assessment or marketing purposes can equally be saved in such a cookie. “Third-party cookies” are cookies that are offered by providers other than the data controller who operates the online offer (the data controller’s own cookies are known as “first-party cookies”).
If users do not wish for cookies to be saved on their computers, we ask them to activate the appropriate option in their browser’s system preferences. You can delete stored cookies using your browser’s system preferences at any time. The exclusion of cookies can lead to function limitations in this online offering.
A general objection against the use of online marketing related cookies can be lodged for a multitude of services, especially in case of tracking, via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/.
Erasure of data:
According to legal requirements in Germany, the retention period is 10 years pursuant to Art. 147 para. 1 of the German Fiscal Code (Abgabenordnung, AO), and Art. 257 para. 1 nos. 1 and 4, para. 4 of the German Commercial Code (Handelsgesetzbuch, HGB) (trading books, inventories, opening balances, annual accounts, commercial letters, accounting records, etc.), as well as 6 years pursuant to Art. 257 para. 1 nos. 2 and 3, para. 4 of the German Commercial Code (business letters).
According to legal requirements in Austria, the retention period is 7 years pursuant to § 132 para. 1 of the Austrian Fiscal Code (Bundesabgabenordnung, BAO) (accounting documents, receipts/invoices, accounts, records, business papers, statement of income and expenses, etc.), 22 years in connection with real estate, and 10 years in the case of documents relating to electronically supplied services, telecommunications, broadcasting and television services provided to non-EU companies in EU Member States for which the Mini-One-Stop-Shop (MOSS) is used.
In addition, we process
- Contract data (e.g. subject matter of the contract, duration, customer category).
- Payment data (e.g. bank details, payment history).
from our customers, interested parties and business partners, for the purpose of contract performance, services and customer care, marketing, advertising and market research.
Hosting services used by us serve the provision of the following services: Infrastructure and platform services, computing capacity, data storage, databank services, security services, as well as technical maintenance that we deploy for the operation of this online offering.
In doing so, we, or our hosting service provider, process basic data, contact data, content data, contract data, usage data, meta data and communication data of customers, interested parties and visitors to this online offering. The legal basis for this is our legitimate interest in the efficient and secure provision of this online offering pursuant to Art. 6 para. 1 lit. f) GDPR in conjunction with Art. 28 GDPR (conclusion of order data processing agreement).
Collection of log-in data and log files:
On the basis of Art. 6 para. 1 lit. f) GDPR, we, or our hosting service provider, collect data regarding every access to the server that contains this service (so-called server log files). Access data include the name of the website visited, the file accessed, the date and time of the visit, the volume of data transferred, notification of a successful visit, the browser type and version, the user’s operating system, the referring URL (previously visited site), the IP address and the querying provider.
For security reasons (e.g. for the investigation of improper or fraudulent use), log file information is stored for a duration of no more than 7 days, then deleted. Data which must be stored for purposes of documentation is excluded from deletion until the event in question is fully clarified.
External payment service providers:
We use external payment service providers through whose platforms we and our users can complete payment transactions. These are direct debit via Paymill (https://www.paymill.com/de/datenschutz), Visa (https://www.visa.de/datenschutz), Mastercard (https://www.mastercard.de/de-de/datenschutz.html).
As part of the fulfilment of contracts, we employ payment service providers on the basis of Art. 6 para. 1 lit. b) GDPR. Incidentally, we use external payment service providers on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. b) GDPR in order to offer our users effective and secure payment options.
For payment transactions, the privacy policies and terms and conditions of the respective payment providers shall be valid, which can be consulted within the respective websites or transaction applications. We also refer you to these for further information and assertion of your rights of revocation, information and other rights of data subjects.
Administration, financial accounting, office organisation, contact administration:
We process data within the framework of administrative tasks, and organisation of our operations, financial accounting and compliance with statutory requirements, such as archiving. In so doing, we process the same data as in the course of provision of our contractual services. The bases for processing are Art. 6 para. 1 lit. c) GDPR, Art. 6 para. 1 lit. f) GDPR. Customers, interested parties, business partners and site visitors are affected by processing. The purpose of, and our interest in, processing is in the administration, financial accounting, office organisation and archiving of data, thus tasks that serve the maintenance of our business activities, performance of our functions and performance of our services. Deletion of data with a view to contractual services and contractual communication corresponds to the statements made in these contractual activities.
We thereby disclose or transfer data to fiscal authorities, consultants, such as tax advisors or auditors, as well as fees offices and payment service providers.
Furthermore, on the basis of our business interests, we store information regarding suppliers, organisers and other business partners, e.g. for later contact. Such predominantly company-related data is usually stored permanently.
Users can create a user account. As part of the registration process, the required mandatory information is communicated to users and processed for purposes of providing the user account. The legal basis for this is Art. 6 para. 1 lit. b) GDPR. The processed data include in particular the log-in information (name, password and an email address). The data entered as part of registration will only be used for the purposes of facilitating use of the user account and its purpose.
Users may be informed by email about information relevant to their user account, such as technical changes. If users have terminated their user account, their data will be erased with respect to the user account, subject to a statutory retention requirement. It is the responsibility of the users to secure their data upon termination before the end of the contract. We are entitled to irretrievably erase all user data stored during the term of the contract.
As part of the use of our registration and subscription functions as well as the use of the user account, the IP address and the time of the respective user action will be stored. The legal basis for this storage is our legitimate interests, as well as the protection of the user against misuse and other unauthorised use. These data are not transferred to third parties, unless it is necessary for the prosecution of our claims or there is a legal obligation pursuant to Art. 6 para. 1 lit. c) GDPR. IP addresses will be anonymised or erased after 7 days at the latest.
When contact is made with us (e.g. via contact form, email, telephone or social media), user data is processed for the processing and implementation of the enquiry pursuant to Art. 6 para. 1 lit. b) GDPR. User information can be stored in a customer relationship management system (“CRM system”) or similar enquiry organisation.
We delete the information once it is no longer required. We review necessity every two years; in addition, legal archiving obligations apply.
The following information is intended to provide information on the content of our newsletter, the registration process, the distribution process, the statistical evaluation process and your right to object. When you subscribe to our newsletter, you acknowledge that you have agreed to receive the newsletter and that you agree with the processes that have been described.
Content of the newsletter: We send the newsletter, emails and other electronic messages with advertising information (hereinafter referred to as ‘newsletter’) only with the recipient’s consent or if we have been granted legal permission to do so. The content which is precisely defined within the registration process applies when obtaining the user’s consent. Our newsletter also contains information about our services and our company.
Double opt-in and data logging: A double opt-in process is used when users register to receive our newsletter. This means that you will receive an email after registering which asks you to confirm your registration. This confirmation is necessary so that it is not possible for people to log in with external email addresses. New registrations to the newsletter are logged in order to verify that the registration process complies with the legal requirements. This involves storing the IP address and time that the new user registers and confirms the registration. Changes to any of your data that is stored by the email marketing service are also logged.
Registration details: You only need to provide your email address when you register to receive the newsletter. Optionally, we ask you to provide a name for the purposes of addressing the newsletter to you personally.
The dispatch of the newsletter and the related tracking is based on the consent of the recipient pursuant to Art. 6 para. 1 lit. a) and Art. 7 GDPR in conjunction with Art. 7 para. 2 no. 3 of the German Unfair Competition Act (Gesetz gegen unlauteren Wettbewerb, UWG), and on the basis of statutory permission pursuant to Art. 7 para. 3 UWG.
The logging of the registration process is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR. Our prime goal is to deploy a user-friendly and secure newsletter system that both serves our commercial interests and meets our users’ expectations, and furthermore enables us to prove consent.
Cancellation/revocation - You can cancel your subscription to our newsletter, i.e. revoke your consent, at any time. You will find an unsubscribe link at the end of each newsletter. We may save the submitted email addresses for up to three years based on our legitimate interests before we delete them in order to prove prior consent. The processing of this data is limited to the purpose of the potential defence against claims. You may make an individual cancellation request at any time, provided that you simultaneously confirm your prior consent.
The newsletters contain what is known as a web beacon, which is a pixel-sized file called up by our server, or by the server of the email marketing provider insofar as we employ such a service, when the newsletter is opened. Technical information such as information on your browser, your operating system and IP address is collected at the time the file is called up.
This information is used to facilitate technical improvements in our services by means of gathering technical data, information on target groups and their reading behaviour by analysing access times and the locations from which readers call up the files (determined by means of IP addresses). Further statistical analysis includes determining whether the newsletter has been opened, when it was opened and which links have been clicked. This information can be matched to individual newsletter recipients due to technical reasons. However, neither we nor the email marketing service, insofar as we employ such a service, intends to monitor individual users. The main purpose of this analysis is to identify the reading habits of our users and to tailor our content to their requirements or to publish content that matches the interests of our readers.
On our behalf, Google will use this information to evaluate use of our online offering by users, to collate reports on activities within this online offering and to provide us with further services related to the use of this online offering and internet use. Pseudonymous user profiles of users can thereby be generated from processed data.
We only use Google Analytics with activated IP anonymisation. This means that your IP address will be abbreviated by Google within the member states of the European Union or in other countries that have signed the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and abbreviated there.
The IP address transmitted by your browser will not be merged with any other Google data. Users can prevent the storage of cookies by changing the settings in their browser software accordingly. You can also prevent the collection of data about your visit by setting an opt-out cookie. If you wish to prevent the collection of any of your data when visiting this website in future, please click on this link.
The personal data of users will be erased or anonymised after 14 months.
Online presence in social media:
Inclusion of services and content from third parties:
On the basis of our legitimate interests (i.e. interest in analysis, optimisation and efficient operation of our online offering in terms of Art. 6 para. 1 lit. f) GDPR), we use third-party content or service offerings in order to include their contents and services, such as videos or fonts (hereinafter “contents”).
This always takes for granted that third-party providers of such content detect users’ IP address, because they cannot send contents to their browser without the IP address. This means the IP address is needed to display the content in question. We make every attempt to use only the type of content where the supplier only uses the IP address to deliver the content. Third-party providers can furthermore use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Through these “pixel tags”, information such as visitor traffic on the pages of this website can be processed. Pseudonymous information can furthermore be stored in cookies on the users’ device and may contain technical information on the browser and operating system, referring websites, visiting time, as well as additional information regarding the use of our online offering, and merged with such information from other sources.
Compiled using Datenschutz-Generator.de by RA Dr. Thomas Schwenke