30

Privacy

Responsible Party

Internationales Filmfest Braunschweig e.V. (hereinafter referred to as "Verein")
Neue Straße 8 
38100 Braunschweig
Tel.: +49 (0)531 / 702 202 0
Fax: +49 (0)531 / 702 202-99

privacy(at)filmfest-braunschweig.de

Trade Register: Amtsgericht Braunschweig
Register Number: VR 3342 

Youth Protection Officer: Fabian Schauren jugendschutz(at)kommunale-kinos.de
Privacy Officer: privacy(at)filmfest-braunschweig.de

Board of Directors

Edgar Merkel (1. Chairman of the Board) 
Thorsten Rinke (2.  Chairman of the Board)
Marc-Aurel Jensen (Treasurer)
Corinna Melcher (Secretary)
Florence Houdin (committee member)
Beate Neigenfind (committee member)

Responsible for the content according to § 55 Abs. 2 RStV: Internationales filmfest Braunschweig e.V.

as of June 11, 2018

Data Protection Declaration

If the English translation of the German Data Protection Declaration contradicts the German Declaration the German declaration will overrule the English translation.

General information regarding data processing, legal grounds and data security

This data protection declaration informs you which personal data is collected when visiting our websites as part of our online offer including the websites www.filmfest-braunschweig.de, my.filmfest-braunschweig.de  and datakal.filmfest-braunschweig.de, the BIFF App as well as the social media associated with it and how the data is used. You have the right to receive information free of charge on application about the personal data we have stored about you  at any time. Our online offer herinafter will be referred to as "online services". The operators of our online services take the protection of your personal data very seriously. We will treat your personal data confidentially and in accordance with statutory data protection regulations as well as this data protection declaration. 

The personal data of the users, which is processed as part of the online services, includes user data (e.g. names and addresses of customers), contractual data (e.g. accreditations, payment information), usage data (e.g. the visited websites of our online offer, interest in our programme) and content data (e.g. information entered in the contact form).

The term “users” covers all categories of the data processing of affected persons. This includes our business partners, customers, interested parties and other visitors to our online offer.

We would like to point out that data transmission on the internet (e.g. as part of communication via email) can have security gaps. Full protection of the data against access by third parties is not possible.

Our Websites use SSL and TLS certificates for secure data transmission of your personal data. A secure encripted connection starts with the sufix "https://" and demonstrates a lock symbol at the beginning of the browser address field.

Distribution of data to third parties and third party providers

Distribution of data to third parties only takes place as part of legal requirements. We shall only pass on the data of the users to third parties, if this is required for contractual purposes e.g. on the basis of Art. 6 (1) b of the GDPR or on the basis of legitimate interests in accordance with Art. 6 (1) f of the GDPR for the commercial and effective operation of our business activities.

If we use subcontractors in order to provide our services, we shall take suitable legal measures and corresponding technical and organisational measures in order to ensure the protection of the personal data in accordance with relevant statutory regulations.

If as part of this data protection declaration we use content, tools or other means from other providers (hereinafter referred to jointly as “third party providers”) and their named headquarters are situated in a third country, it is to be assumed that a data transfer will take place in the countries of the headquarters of the third party provider. Third countries are to be understood as countries, in which the GDPR is not a directly applicable law, which fundamentally means countries outside the EU or the European Economic Area. The transfer of data in third countries takes place if there is an appropriate level of data protection, consent of the users or another form of legal permission.

Collection of access data and log files

If you use the Verein's online services, your internet browser automatically sends data to our webserver. The following data is automatically collected and stored:

IP address
Date and time of the retrieval
difference in hours to Greenwich Mean Time (GMT)
Status code of the transmission (technical Info)
access status/ Http status
Size and name of the retrieved file
Referrer URL
Browser type/version and operating system used

The log file information is stored for security reasons (e.g. for the clarification of acts of abuse or fraud) for the duration of a maximum of thirty days. Data where further retention of which is required for evidence purposes, is to be excluded from deletion until full clarification of the respective incident.

A merging of this data with other data sources shall not be undertaken. In anonymised form the data shall also be evaluated by us for statistical purposes.

Cookies

Cookies are information transferred from our webserver or the webservers of third parties to the web browser of the users and stored there for later access. Cookies can be small files or other types of information storage.

We use “session cookies“ that are only stored for the duration of the current visit to our website (e.g. in order to store your login status or the shopping cart function and therefore enable the use of our online offer). In a Session Cookie a unique, randomly generated identification number is stored, known as a Session ID. Furthermore, a Cookie contains the information about its origin and the storage period. These cookies are not able to store any other data. Session cookies are deleted when you have ended the use of our online offer and, for example, logged out or closed the browser.

If the users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the browser settings. Stored cookies can be deleted in the browser settings. Blocking cookies can lead to functional limitations of the online offer.

BIFF App

The BIFF App is open to use without registration. The retieval of information within the app occurs without the elicitation and administration of personal data when the users are not logged in. This means as well that  personal data is not stored on our webservers, personal data is not evaluated or tracked nor is persdonal data transferred to third parties.

However, if users log into the app personal data such as the email adress, telephone number, address, name is stored. This data is only processed if you have given us your consent or we are legally allowed to do so in order to offer you our online services such as online ticketing.

In order to display all information within the BIFF app the app accesses the Vereins's Content-Management-System (CMS). This includes the display of films, venues and all attached information. The logs are stored on our webservers. This happens completely anonymised,

Events such as screenings are saved within the personal calender of the user's devise. This information is not transmitted, saved or tracked at our webservers.

Third parties can be involved when links are inlcuded within the app. This may apply for social media, venues and videos. The app does not transfer personal data to these third parties.

Currently the app does not use push notifications.

Establishing contact

When establishing contact with us (via social media or email) the user information is processed in order to deal with the contact request and its handling in accordance with Art. 6 (1) b of the GDPR.
 
Your information from the enquiry form, including the contact details provided by you, shall be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. We will not pass on this data without your consent.

Comments, Ratings and contributions

If users leave comments, ratings or other contributions, their IP address will be stored for 30 days on the basis of our legitimate interests pursuant to Art. 6 (1) f of the GDPR.

This takes place for our security, if someone leaves unlawful content (insults, forbidden political propaganda, etc.) in comments and contributions. In this case we can be prosecuted for the comment or contribution and are therefore interested in the identity of the author.

Registration online services

We process user data (e.g. names and addresses as well as user communication details), contractual data (e.g. services which have been used, names of contact persons, payment information) for the purpose of the fulfilment of our contractual obligations and services in accordance with Art. 6 (1) b of the GDPR.

Users also have the option of setting up a user account e.g. in the MyBIFF area of our website or in our Online Ticket System. In particular, it is necessary for the registration and login in our MyBIFF area and for our events which require registration, the submission of films, accreditation and the Online Ticketshop. As part of the registration the required mandatory information of users is communicated. User accounts are not public and cannot be indexed by search engines.

We require personal data for the following purposes:

Implementation of film and project submission
Implementation of accreditation, including the creation of an accreditation ID
Creation and publication of Film Guest Lists
Registration for events with a limited number of participants
Use of the possibility of Online Ticket sales
Collection of statistical data

If you are registered with us, you can access content and services, which we only offer to registered users.  In order to contact us in this regard, please use the contact details provided at the end of this data protection declaration.

For film or project submission/registration you should also, if applicable, provide the personal data of third parties. You should ensure in advance that you have the consent of the affected persons to pass on this data to us.

The user data shall be treated confidentially by us and stored on secure servers. Personal data, which you enter via forms outside the MyBIFF area, shall be processed by us in email form. It is therefore stored on our mail server. If apply as a volunteer we use the services of Formlets.com. The use of the services offered by Google or SurveyMonkey within our online services is possible

Privacy declarations:
Formlets  www.formlets.com/privacy/
Google    www.policies.google.com/privacy?hl=de&gl=de
SurveyMonkey www.surveymonkey.de/mp/legal/privacy-policy/?ut_source=footer

As part of the registration and repeated logins and the use of our online services, we store the IP address and the time of the respective user action. The storage takes place on the basis of our legitimate interests, as well as those of users, to protect against abuse and other unauthorised use. Distribution of this data to third parties does not take place as a matter of principle, unless it is required to pursue our claims or a legal obligation for this exists in accordance with Art. 6 (1) c of the GDPR.

Unless otherwise agreed, the consent for the storage of the data applies until the expiry of the validity of this guideline. Users of our website shall be automatically once again asked to give their consent in the event of changes to this guideline.

If users have terminated their user account, their account data shall be deleted, subject to its retention being required for reasons related to commercial or tax law in accordance with Art. 6 (1) c of the GDPR. It is the responsibility of the users to back-up their data in the event of termination taking place before the end of the agreement. We are entitled to irretrievably delete all data of the user stored during the term of the agreement.

Newsletter

With the following information we inform you about the content of our newsletters and the subscription, delivery and the statistical analysis process as well as your rights of objection. By subscribing to one or more of our newsletters, you declare that you agree to its receipt and the described process.

Content of the newsletter: We send newsletters, emails and other electronic notifications with promotional information (hereinafter referred to as “newsletter”) only with the consent of the recipient or legal permission. If as part of a subscription to the newsletter the content is specifically described, this is the content that the user consents to receive. Alongside our Festival Newsletter, the Industry Newsletter Education Newsletter with information about our offers for teachers and their classes, there is also our daily Newsletter during the festival week.

Double opt-in and keeping records: The subscription to our newsletter takes place in what is known as a double opt-in process. This means you will receive an email after subscribing, in which you are asked to confirm your subscription. This confirmation is required to prevent people from subscribing with someone else’s email address. The subscriptions to the newsletter are recorded, in order to be able to provide evidence of the subscription process in accordance with legal requirements. This includes the storage of the time of the subscription and confirmation, as well as the IP address. In the same way the changes to your data stored with the email marketing service provider will be recorded.

Subscription data: In order to subscribe to the newsletter, it is sufficient for you to provide your email address. We also give you the option of providing your first name and surname. This information is solely for the newsletter personalisation.

The use of the email marketing service provider, implementation of the statistical collections and analyses as well as the recording of the subscription process, take place based on our legitimate interests in accordance with Art. 6 (1) f of the GDPR. Our interest is focussed on the use of a user-friendly and a secure newsletter system, which serves our commercial interests, as well as meeting user expectations.

Cancellation/revocation: You can cancel your newsletter subscription at any time, which means that you revoke your consent. You can find a link to the cancellation of the newsletter at the end of each newsletter. And you can revoke your subscription any time by wriiting to presse@filmfest-braunschweig.de

External Online Payment Services

In order to provide our online services such as ticketing, accreditation and film submissions we implement the payment gateways of the following third parties.

In order to furfill our contractual obligations in our online services we are allowed to use external online payment services according Art. 6 Abs. 1 lit. b. GDPR. In addition to that the permission to use external online payment services is granted according to  Art. 6 Abs. 1 lit. b. GDPR to ensure save payments and secure processes.

Stored information may inlcude Name, address, banking details, passwords, TANs. These information are required to ensure the transactionsa nd are stored at the payment provider's servers. We do not store any personal information related to banking or credit cards. The payment providers may use the information to inform us whether the payment was successfull as well as to check creditworthiness. Please check the privacy statements and the general rules of conduct of our external payment services for further information:

Paypal https://www.paypal.com/de/webapps/mpp/ua/privacy-full
SOFORT Überweisung/Klarna https://www.klarna.com/de/datenschutz/
Arvato Bertelsmann https://www.arvato.com/de/ueber-arvato/datenschutz.html
Concardis https://www.concardis.com/datenschutzerklaerung

Online presence on Social Media networks and platforms 

We are maintaining several online presences within social networks and platforms in order to communicate with our active customers, users and intersted parties within theses networks and platforms and to inform them within these networks and platforms about our services.

We would like to point out that it is possible that data provided within these networks and platforms may be saved, stored and/or processed outside the European Union. Throughthis users of these networks and platforms may face risks because the enforcement of the user's personal rights may be impeded. In regards on the US providers that are part of the privacy shield framework we would like to point out that these providers obliged themselves to abide the European GDPR standard.

Furthermore, we would like to point out that the provided data may be used for market research as well as commercial reasons. The users interest and behaviour within these networks and platforms may be used to create user profile. User profiles are utilzed to provide personalized target marketing within and outside of these networks and platforms. This is usually done by saving cookies on the user's devices that store intersts and behaviour. However, personal data is also stored and collected irrespective of the deviced used by simply being logged on the platform or network with the personal user name.

We process personal data within these networks and platforms to offer better services such as better suited films for our audience during the festival. This is based on our interest to analyse and optimize our online service in regards of Art. 6 Para. 1 lit.f GDPR. When the user agreed to the social media provider's privacy declaration and statement regarding data collection, storage and processing Art. 6 Para. 1 lit. a, Para. 7 GDPR applies.

To receive detailed information on data processing, opt out procedures, information requests and enforcement of personal rights we would like to redirect these request to the providers listed below as only these have the full information on the collected data.

Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland)
Privacy: www.facebook.com/about/privacy/, Opt-Out: www.facebook.com/settings and www.youronlinechoices.com, Privacy Shield: www.privacyshield.gov/participant.

Google/ YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)
Privacy:  policies.google.com/privacy, Opt-Out: adssettings.google.com/authenticated, Privacy Shield: www.privacyshield.gov/participant.

Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA)
Privacy/ Opt-Out: instagram.com/about/legal/privacy/.

Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA)
Privacy: twitter.com/de/privacy, Opt-Out: twitter.com/personalization, Privacy Shield: www.privacyshield.gov/participant.

Flickr (Flickr, 475 Sansome St, San Francisco, CA 94111, USA)
Privacy/ Opt-Out: policies.oath.com/ie/de/oath/privacy/products/flickr/index.html

Integration of Google Maps

Some of our websites use maps from the service “Google Maps” of the third party provider Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, in order to present geographical information visually (e.g. an overview of the festival locations). When using Google Maps, data about the use of the map functions by visitors is also collected, processed and used by Google. You can find further information about the data processing by Google from the Google data protection notice. You can also change your personal data protection settings in the data protection centre. Data protection declaration: https://www.google.com/policies/privacy/; Opt-out: https://www.google.com/settings/ads/ 

Embedded YouTube videos

On some of our websites we embed YouTube videos. The operator of the corresponding plug-in is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. When you visit a website with the YouTube plug-in, a connection to the YouTube servers is established. In the process YouTube is notified about which sites you visit. If you are logged into your YouTube account, YouTube can personally identify your surfing behaviour. You can prevent this by logging out of your YouTube account in advance.
 
If a YouTube video is launched, the provider uses cookies which collect information about user behaviour. Anyone who has deactivated the storage of cookies for the Google Ad Program, will not have to anticipate any of these types of cookies when watching YouTube videos. However, YouTube also stores non-personal usage information in other cookies. If you would like to prevent this, you must block the storage of cookies in your browser. You can find further information about the use of user data in the data protection declaration of YouTube at: https://www.google.de/intl/de/policies/privacy/

Embedded Vimeo videos

On some of our websites we embed Vimeo videos. Vimeo is operated by Vimeo, LLC with headquarters in 555 West 18th Street, New York, New York 10011, USA. When you visit a website with a Vimeo plug-in, a connection to the Vimeo server is established and the plug-in is displayed. Through this the Vimeo server receives information, which of our websites you have visited. If you are logged in as a member of Vimeo, Vimeo links this information to your personal user account. When using the plug-in, for example by clicking the start button of a video, this information is also linked to your user account. You can prevent this information being linked, by signing out of your Vimeo user account before using our website and deleting the corresponding Vimeo cookies. You can find more information about the data processing and data protection of Vimeo at: https://vimeo.com/privacy.

Adobe Typekit Fonts

Due to our legitimate interest (meaning the interest to analyse, optimize and the operating of our online service in regards of Art. 6 Para. 1 lit.f GDPR) we use external fonts provided by Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland. Abobe is certified under the privacy shield framework and offers throughthis a quaranty to abide the European GDPR (https://www.privacyshield.gov/participant?id=a2zt0000000TNo9AAG&status=Active).

User rights

Users have, at any time, the right to receive information on request and free of charge about personal data we store about them. In addition, the users have the right to correct incorrect data, restrict data processing and delete their personal data. Users can also revoke consent, always with implications for the future.

If you would like information about your personal data, data correction or deletion, please contact our data protection officer at

Internationales Filmfest Braunschweig e.V. 
Neue Straße 8 
38100 Braunschweig
Tel.: +49 (0)531 / 702 202 0
Fax: +49 (0)531 / 702 202-99
privacy(at)filmfest-braunschweig.de

Right of objection

Users can object to the future processing of their personal data in accordance with legal requirements at any time. The objection can take place in particular against the processing for purposes of direct advertising.

Changes to the data protection declaration 

We reserve the right to change the data protection declaration, in order to adapt it to altered legal situations, or in the event of changes to the service as well as data processing. However, this only applies with regard to declarations about data processing. If user consent is required or integral parts of the data protection declaration contain provisions of the contractual relationship with the users, the changes take place only with user consent.
 
The users are asked to regularly make themselves aware of the contents of this data protection declaration.



Sources: Fishfarm Solutions, Datenschutzerklärungs-Generator
der activeMind AG; Rechtsanwalt Dr. Thomas Schwenke