On this page you will find information on data protection for using and registering with the KulturPass WebApp at https://storefront.prod.kulturpass.de/ and for using the services at storefront.prod.kulturpass.de/ as a registered user, and for the use of the KulturPass app. This applies in addition to the general data protection information, which can be found here: General Data Protection
for signing up at KulturPass WebApp, for the use of KulturPass WebApp as registered user and for the KulturPass app
The German Federal Government Commissioner for Culture and the Media (BKM) takes the protection of your data very seriously. For this reason, we have taken measures to ensure that the legal requirements in relation to data protection are duly observed both by us and by our external service providers.
Personal data means all information which refers to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier.
1. Who is responsible for the processing of data?
The controller for data processing in connection with the use of the KulturPass app and the KulturPass website at kulturpass.de and kulturpass.app is the
German Federal Government Commissioner for Culture and the Media (“BKM”)
Köthener Straße 2
The administrative realisation is carried out on behalf of and according to the instructions of the BKM by
Stiftung Digitale Chancen (Digital Opportunities Foundation)
Chairwoman of the Board, Ms Jutta Croll
on the basis of a third-party data processing agreement.
2. How can I contact the data protection officer?
The data protection officer can be contacted as follows:
Beauftragte(r) der Bundesregierung für Kultur und Medien
Graurheindorfer Straße 198
Telephone: +49 (0)228 99 681 13655
Fax: +49 (0)228 99 681 513655
3. What personal data is collected and for what purposes?
3.1 Visiting the website
We automatically process the following information every time you visit our website, which is stored in a logfile:
- name of the accessed website/file
- date and time of accessing the website
- information about a successful access
- IP address of your computer or other end device (e.g. tablet PC or smartphone), anonymized by truncation
- the browser type, browser version, browser language and the operating system used.
The logfiles will be deleted after no more than 14 days.
The legal basis for the processing is Article 6(1)(e) of the GDPR in conjunction with Section 3 BDSG [German Federal Data Protection Act].
Session cookie for navigation within the KulturPass service. It ensures reliable communication between a client and the backend system.
For the duration of the session.
Session cookie for implementing sessions in the commerce system.
For the duration of the session.
Session cookie to enable the use of eID.
For the duration of the session.
Auth token for authentication with the system.
Cookie for implementing a session in the commerce area.
Unlimited, in local storage.
Cookie to check whether the client is using the canary version of the WebSDK. It supports the safe rollout of new updates to ensure smooth operation of the application.
For the duration of the session.
Contains the canary version of the WebSDK. It supports the safe rollout of new updates to ensure smooth operation of the application.
For the duration of the session.
Login token for authentication at login, used to pass the login token value for API authorisation.
For the duration of the session.
Required by the web application to ensure that a supported SDK version is used.
For the duration of the session.
anonymous-consents (local storage)
Stores the information on whether the user has given consent.
For the duration of the session.
Contains a unique user ID for the browser tab or mobile application instance of the current user. This is important for a number of security functions of the identity platform.
Cookie to ensure the usability of the WebSDK. Depending on the browser/cookie configuration, the information is stored either in the cookie or in local storage.
Contains a computer identifier for identifying the
The legal basis for the setting and reading of cookies is Article 6(1)(e) GDPR, Section 3 BDSG.
3.3 Use of the KulturPass without registration
Alternatively, you can activate and deactivate location sharing in your smartphone settings. Instructions on how to do so can be found here:
- Information on location sharing on iOS devices
- Information on location sharing on Android devices
You can also manage the settings in your web browser accordingly. If you prefer not to share your location, you can also limit the search for offerings within KulturPass by entering a postcode.
3.4 Registering with KulturPass
- Your email address
- a password
- Your name (optional)
- Your date of birth (optional)
Providing your email address is essential for the registration process. Entering your name and date of birth is optional. Giving your name enables us to address you by name in the KulturPass service and in emails. If you provide your date of birth, we can inform you as soon as you have reached the required age to receive your budget.
Please note: When you provide proof of identity (see Section 3.5), we will also read your date of birth from your identity document. If the date of birth on your identity document differs from the date of birth you stated during the registration process, the stated date of birth will be replaced with the date of birth retrieved from your document and this information can then no longer be changed.
In the next step, you have the option of saving your interests and preferences as well as a postcode to your profile, which we will use to show you cultural offerings that match your interests as closely as possible. This information is provided voluntarily and you can change it at any time in your profile.
Following the registration process (after clicking on “Register”), we will send you an email containing a link that you have to click on to confirm that the email address you have provided is correct. You can then log in using your email address and password in the KulturPass app or on the KulturPass website. If you forget your password, you can reset it via the “Forgot password” function.
3.4.2 Consent, withdrawal, further legal basis
Opening a user account and the associated and subsequent data processing requires your prior consent. The granting of consent is voluntary; there is neither a statutory nor a contractual obligation to register and thus transfer personal data. However, it is not possible to open an account without granting prior consent with the consequence that you will not be able to receive the budget or make any reservations via the KulturPass app.
Consent can be withdrawn at any time with effect for the future. To this end, you can send an email to firstname.lastname@example.org or delete your profile via the settings. We will consider the deletion of your account to be a withdrawal of your consent. In the case of withdrawal by way of email to us, the user account will be deleted by us after you have entered your password upon our request. Any withdrawing of consent does not affect the legitimacy of the processing carried out on the basis of the consent prior to such withdrawal.
Please note that even if you withdraw your declaration of consent we are entitled and sometimes even obliged by law to continue to process the data collected prior to such withdrawal. The data processing for such purposes is then no longer based on your consent but on one or more statutory permissions. It should be noted in particular that if you have availed yourself of cultural offerings via KulturPass, we may keep and process the transaction-related data (this is information that arises in connection with the reservation being made and the offering being taken up and contains personal data) even after the withdrawal of consent, if and to the extent this is necessary for the establishment, performance or termination of a contractual agreement concluded with you or we are otherwise entitled or legally obliged to store this data (in particular statutory retention obligations). Moreover, if you have provided proof of identity (see Section 3.5), we store data from your identity document even after your account is deleted, for the purpose of preventing multiple registrations, multiple allocations of the budget and misuse (for the period of storage, see Section 4).
The legal basis for the data processing to set up and maintain a user account is Article 6(1)(a) GDPR and, in addition, Article 6(1)(e) GDPR, Section 3 BDSG. Any further processing of the data after the conclusion of the contract, to make and process reservations and for the billing of the cultural service used is based on Article 6(1)(b) GDPR as well as Article 6(1)(e) GDPR, Section 3 BDSG. Processing for the purpose of compliance with statutory retention periods is carried out on the basis of Article 6(1)(c) GDPR. The legal basis for the processing of data to detect and prevent multiple registrations, multiple allocations and misuse is Article 6(1)(e) GDPR, Section 3 BDSG. If further storage and other processing is carried out for the assertion of/defence against civil law claims, this is based on Section 24(1) No. 1 BDSG.
3.5 Identification for the purposes of receiving your budget and making reservations
In order to receive your budget and be able to use the KulturPass app or the KulturPass website to reserve cultural offerings, you must furnish proof of identity in the form of an identity document. This is required because we have to verify that you are eligible to receive the budget. You are not legally or contractually obliged to provide proof of identity in the KulturPass app. Please note, however, that the allocation of your budget and the ability to make reservations is contingent upon successful identification.
The identification process and the associated data processing is carried out for the following purposes:
- to identify you beyond doubt;
- to verify whether you are eligible to receive the budget and to make reservations (residence and age);
- to properly process and document the collected data concerning a reservation and the availing of the reserved service and to enable the payment process to be carried out;
- to detect and prevent multiple registrations, multiple allocations and misuse.
You can complete the identification process immediately after registration or at a later date via the settings. The process is carried out using a personal identity card with online ID function (eID), an electronic residence permit (eAT) or an eID card, directly with your smartphone. In addition to any of the identity documents mentioned above, all you need is an NFC-enabled smartphone and the personal PIN for your identity document. For identification via the KulturPass website, you need the AusweisApp2, which is made available in the app stores on behalf of the German Federal Office for Information Security. Links to free versions of AusweisApp2 can be accessed here:
We are authorised to read out data by way of electronic proof of identity on the basis of an authorisation certificate issued by the German Federal Office of Administration. The last day of validity of the authorisation certificate is displayed before you enter your ID PIN. The competent supervisory authority for us is identified in Section 8.7 below.
You will be guided through the identification process and asked to give your consent to the retrieval of data from an identity document, to hold your identity document up to your smartphone and enter your personal ID PIN. KulturPass establishes a connection to Bundesdruckerei’s servers via an interface provided by Bundesdruckerei (Bundesdruckerei Gruppe GmbH, Kommandantenstraße 18, 10969 Berlin, www.bundesdruckerei.de) and transmits the data required for identification to them. The following data from your identity document is retrieved and transmitted to us: surname, first name(s), date and place of birth, the ID card pseudonym stored in relation to your document and the information as to whether you have a registered residence in Germany.
3.5.2 Consent, withdrawal, further legal basis
We only retrieve data from your identity document if you have granted us consent to do so. The completion of the identification process and thus the granting of consent is voluntary; there is neither a statutory nor a contractual obligation to complete that process. Without identification, however, the allocation of the budget and the making of reservations are not possible.
You grant your consent by pressing the “Agree” button at the beginning of the identification process. You can withdraw your consent by cancelling the identification process before entering your PIN. Once you have entered the PIN, you can no longer withdraw your consent insofar as it relates to the retrieval of the data from the document because it has already been retrieved. You can, however, withdraw your consent with effect for the future, to the extent it refers to the further processing of the data that has been retrieved. To do this, you can send an email to email@example.com or delete your account. We will consider the deletion of your account to be a withdrawal of your consent. Any withdrawing of consent does not affect the legitimacy of the processing carried out on the basis of the consent prior to such withdrawal. Once the withdrawal takes effect, you will no longer be able to make any reservations.
Please note that even if you withdraw your declaration of consent we are entitled or even obliged by law to continue to process the data sent to us prior to such withdrawal. The data processing for such purposes is then no longer based on your consent but on one or more statutory permissions. It should be noted in particular that if you have availed yourself of cultural offerings via KulturPass, we may keep and process the transaction-related data (this is information that arises in connection with the reservation being made and the offering being taken up and contains personal data) even after the withdrawal of consent, if and to the extent this is necessary for the establishment, performance or termination of a contractual agreement concluded with you or we are otherwise entitled or legally obliged to store this data (in particular statutory retention obligations). Moreover, we store the data retrieved from your identity document even after your account is deleted, for the purpose of preventing multiple registrations, multiple allocations of the budget and misuse (for the period of storage, see Section 4).
The legal basis for retrieving the data from the identity document is your consent (Article 6(1)(a) GDPR) as well as Article 6(1)(e) GDPR and Section 3 BDSG in conjunction with Section 18, Section 19(5) and (6) German Personal Identity Card Act (PAuswG), Section 12, Section 14 German Act on a Card with Electronic Identification Function (eIDKG), Section 78(5) German Residence Act (AufenthG). The legal basis for the following data processing in connection with the allocation and use of the budget through the availment of reserved cultural offerings and the utilisation of the KulturPass service for this purpose is Article 6(1)(e) GDPR and Section 3 BDSG, as well as Article 6(1)(b) GDPR. The processing of data to detect and prevent multiple registrations, multiple allocations and misuse is carried out on the basis of Article 6(1)(e) GDPR, Section 3 BDSG. The further processing of data after the conclusion of the contract, for the purpose of compliance with the retention periods under commercial or tax law is carried out on the basis of Article 6(1)(c) GDPR. If further storage and other processing is carried out for the assertion of/defence against civil law claims, this is based on Section 24(1) No. 1 BDSG.
3.6 Making reservations and availing of cultural offerings
When you reserve a cultural offering, a code is generated, either in the form of a QR code or an alphanumeric code. You can then redeem this code to use an amount from your budget with the respective cultural provider. Please note that you cannot conclude any purchase agreements or other contractual agreements with the culture providers via the KulturPass app and the KulturPass website itself. The agreement is concluded outside the KulturPass service – depending on the cultural offering, either on site at the cultural provider’s venue or online in the cultural provider’s online service – directly between you and the respective provider. The BKM is not a party to the contract.
The reservation and the information related to it, such as the codes, the reservation date, the reserved offering, etc., will be saved by us to your account. We only transmit to the cultural providers whose offerings you reserve and whose name and address you can see on the respective reservation page, information about the reservation and the reserved offering (e.g. order number, type and price, if applicable information about additional payments, date and time of the reservation, etc.). Your name or other data retrieved from your identity document will not be transmitted to the culture providers by us. Similarly, we do not transmit your email address. Please note, however, that under certain circumstances – depending on the offering you would like to make use of – you may have to provide the cultural provider with certain personal data in order to be able to make use of the offering and the cultural provider may ask you to present an identity document when delivering the offering. We play no part in that collection of data. We call the data that arises as part of the reservation and the availment of the reserved offering “transaction-related data”.
After the offering has been availed of, the cultural provider will confirm that the service has been availed of and when by sending us the information related to the transaction ID (order number), so that we can properly document the transaction and organise the payment for the service between us and the cultural provider and record the amount used from the budget. This is then saved by us as transaction-related data to your user account.
The legal basis for the transaction-related data processing described above is Article 6(1)(e) GDPR, Section 3 BDSG and Article 6(1)(b) GDPR. The further processing of data after availment of the cultural provider’s offering, for the purpose of compliance with the retention periods under commercial or tax law is carried out on the basis of Article 6(1)(c) GDPR. If further storage and other processing is carried out for the assertion of/defence against civil law claims, this is based on Section 24(1) No. 1 BDSG.
In individual cases, the cultural providers from which you have reserved your cultural offering are able to contact you via email about any reservation-related or transaction-related questions/issues. Cultural providers are contractually prohibited from contacting you via the KulturPass system for any other purpose. Any contact is facilitated directly through the KulturPass system; we do not disclose your email address to the cultural providers.
4. How long will my data be retained?
As a general rule, personal data will be deleted as soon as it no longer needs to be processed for the purpose for which it was collected. You may delete your account yourself at any time. It will be automatically deleted at the latest when you turn 21.
In all other respects, the following applies:
- If you have registered but not identified yourself and therefore have not received a budget, your personal data will be deleted as soon as your account has been deleted.
- If you have received a budget but not yet used it, your personal data will be deleted at the latest one year after expiry of the period in which you are entitled to make use of the budget (= 24 months after allocation of the budget).
- If you have received and made use of a budget, we will store the transaction-related data, including personal data, for a period of one year, calculated from the end of your entitlement to use the budget (= 24 months after allocation); subsequent archiving will be pseudonymised for a period of six years.
5. Contact form and processing of enquiries (Helpdesk), Friendly Captcha
You can contact us with questions, suggestions, requests or problems via a contact form on the website or by e-mail. When using the contact form, we ask you to provide your name and e-mail address. The personal data you provide will be processed by us to handle your request.
We use a ticket system provided by Zammad GmbH, Marienstraße 18, 10117 Berlin on the basis of a controller-processor agreement to store and process enquiries. Tickets are created for individual enquiries, and the subsequent communication is stored for the purpose of handling the enquiries. This allows us to answer and process the enquiries as quickly and efficiently as possible. The personal data will be deleted when storage is no longer necessary or, if there are legal obligations to retain data, their processing will be restricted unless we are entitled or even obliged by law to further process the data.
The processing of personal data when you contact us is carried out primarily on the basis of Article 6(2) GDPR, Section 3 BDSG. However, depending on the content of your message, the processing may also be or become permitted or required on the basis of other legal grounds, such as Article 6(1)(c) GDPR, Article 6(1)(b) GDPR (fulfilment of a contract or implementation of pre-contractual measures) or Section 24(1)(1) BDSG (assertion of/defence against claims under civil law).
To prevent misuse of the contact form by so-called bots, we use the data protection-friendly tool Friendly Captcha, which is offered by Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany. To ensure that the form is used by a human instead of a bot, the tool sends a task ("puzzle") to the device, which is solved by it in the background. The IP address is anonymized via a one-way hashing process and deleted thereafter. Furthermore, the following data are processed:
- the request header data (browser, operating system, origin/referer)
- the puzzle itself, which contains information about the account and the website key to which the puzzle refers, and the transmitted results
- the version of the Friendly Captcha widget
- a timestamp
- the number of requests for a hash value (counter)
This data processing is necessary to offer a contact form and to exclude misuse by bots as best as possible. The processing of personal data is based on Article 6(1)(e) GDPR, Section 3 BDSG.
6. Signing up for webinars
From time to time we offer webinars for which you can register. The webinars are held using the BigBlueButton video conferencing system, which is hosted for us on servers of werk21 GmbH, Krausnickstraße 3, 10115 Berlin, Germany, on the basis of a controller-processor agreement.
Participation in the webinars requires prior registration by providing your e-mail address, to which we will send the link to the webinar after registration. This data processing, as well as the further processing of your personal data to enable you to participate in the webinar, is based on Article 6(1)(b) GDPR and additionally on Article 6(1)(e) GDPR, Section 3 BDSG. Your email address will be deleted immediately the day after the webinar you registered for took place.
You have the option to give your consent to send you email invitations to similar future webinars of this type. The granting of this consent is voluntary and you can withdraw your consent with effect for the future anytime. For this purpose, there will be a link at the end of each invitation e-mail, which you can use to unsubscribe from the mailing list. The legal basis for data processing in connection with the sending of emails with announcements of future webinars is Art. 6 (1)(a) GDPR.
7. KulturPass e-mails
E-mails may contain graphics and images that are not stored directly in the e-mails but are reloaded from our servers. The retrieval of the IP address required for this is technically necessary for the display of these e-mails and takes place on the basis of Article 6(1)(e) GDPR, Section 3 BDSG. Tracking via so-called tracking pixels does not take place.
8. Who will my personal data be transmitted to?
8.1 Stiftung Digitale Chancen
The technical realisation of the KulturPass project of the BKM and the administrative implementation is carried out in cooperation with
Stiftung Digitale Chancen
Chairwoman of the Board, Ms Jutta Croll
(hereinafter: “Stiftung”). The Stiftung collects and processes personal data strictly in accordance with the intended purpose, on behalf of and according to the instructions of the BKM, on the basis of a contractual agreement for third-party processing and arranges the reservations and billing with the cultural providers on behalf of the BKM.
8.2 Technical service providers
We use technical service providers for the technical realisation and maintenance of the KulturPass project who might have access to personal data within the scope of their work. This applies, in particular, in the case of web/server hosting providers, system administrators and other IT service providers. These service providers, with whom third-party data processing agreements are concluded, are chosen with great care and subject to obligations to meet all qualifications under data protection law. The service providers process the data exclusively according to our instructions and are contractually obliged to comply with all data protection law requirements. These service providers include, in particular, the company SAP (www.sap.de), which performs the technical realisation of the KulturPass project. The data protection and privacy policies of SAP can be found here:
9. Data processing location
The personal data collected in connection with the use of the KulturPass is hosted on servers within the EU/EEA. In support/maintenance cases, technical service providers of BKM, with whom agreements on third-party data processing have been concluded, are entitled to engage subcontractors outside the EU/EEA, in compliance with the data protection law requirements for such a transfer of data. If these recipients are located in third countries in relation to which the European Commission has not expressly decided on the existence of an adequate level of data protection, standard data protection clauses are in place with the recipients pursuant to Art. 46 para. 2 lit. c) GDPR.
10. Who is responsible for the processing of data by the cultural providers?
Any processing of your personal data by cultural providers of whose offerings you avail yourself by using your budget is carried out under the sole responsibility of the respective cultural provider. If, for example, you enter any information about your person on the website of a cultural provider, the data processing is carried out under the sole responsibility of the respective cultural provider as the data controller, even if you use the code received from us. We are not responsible for the data processing carried out by the cultural provider and do not transfer any data which could allow you to be identified by the cultural provider.
11. What rights do I have?
You can withdraw a declaration of consent under data protection law that you have given, at any time with effect for the future. Details on how to do this can be found above in the specific descriptions of the declarations of consent.
You have the right to request confirmation from us as to whether we are processing personal data relating to you, unless that right is excluded by law (in particular Section 34 BDSG). If you are entitled to this right, you also have a right to information regarding this personal data to the extent stipulated under the law (Article 15 GDPR in conjunction with Section 34 BDSG). You also have the right to request information about whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you can request to be informed about the appropriate safeguards set out in Article 46 GDPR in connection with the transfer.
You also have the right to request that inaccurate personal data concerning you be rectified and where applicable – taking into account the purposes of the processing – incomplete personal data be completed, including by means of providing a supplementary statement (Article 16 GDPR).
Moreover, in the cases described in Article 17(1) (a) to (f) GDPR, you have a right to request that personal data be erased, provided no exception under Article 17(3) GDPR applies, as well as a right to restriction of processing in the cases described in Article 18(1) GDPR.
In the cases set out in Article 20(1), there is also a right to data portability and the right to transmit data to another controller without hindrance.
You can contact our data protection officer (see Section 2) at any time and consult him/her on any data protection law issues relating to the use of our services.
You have the right to lodge a complaint with the supervisory authority, if you are of the opinion that the processing of personal data relating to you infringes the GDPR. The competent supervisory authority is the:
German Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Str. 153
Telephone: +49 (0)228 997799-0
Right to object
Where we process your personal data on the basis of Article 6(1)(e) GDPR (processing for the performance of a task in the public interest), you have the right to object. You can object to this data processing on grounds relating to your particular situation. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.
12. Does any automated decision-making/profiling take place?
No. There is no automated decision-making and no profiling.
13. Am I obliged to provide personal data?
You have no obligation to use the KulturPass service, to register yourself or provide proof of identity. There is neither a legal nor a contractual obligation to provide us with personal data in connection with the KulturPass project. However, if you would like to receive and use a budget within the scope of the KulturPass project, this requires registration, including the providing of personal data and proof of identity. It is not possible to make use of the budget without sending personal data.