On this page, you can find information on data protection for Cultural Providers (hereinafter “Providers”) who register with KulturPass.

This Privacy Policy for Cultural Providers applies in addition to the general privacy policy that can be found here.

The supplementary privacy policy for registered users and for the KulturPass app can be found here.


 

Privacy Policy

for Cultural Providers

Version: 11 October 2023

The Beauftragte der Bundesregierung für Kultur und Medien [German Federal Government Commissioner for Culture and the Media] (“BKM”) takes the protection of your data very seriously. For this reason, we have taken measures to ensure that the legal requirements in relation to data protection are duly observed both by us and by our external service providers.

Personal data means all information which refers to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier.

 

1. Controller for the data processing

The controller in respect of data collection, processing and use in connection with the use of the website at kulturpass.de and kulturpass.app is the

Beauftragte der Bundesregierung für Kultur und Medien (BKM)

Köthener Straße 2

10963 Berlin

 

The administrative realisation is carried out on behalf of and according to the instructions of the BKM by

Stiftung Digitale Chancen

Chairwoman of the Board: Ms Jutta Croll

Chausseestraße 15

10115 Berlin

 

on the basis of a third-party data processing agreement.

 

2. Data Protection Officer

 

The Data Protection Officer is:

 

Beauftragte(r) der Bundesregierung für Kultur und Medien

Behördlicher Datenschutzbeauftragter

Graurheindorfer Straße 198

53117 Bonn

 

Telephone: +49 (0)228 99 681 13655

Fax: +49 (0)228 99 681 513655

Email: datenschutzbeauftragter@bkm.bund.de

 

3. Data processing when the website is visited

Every time someone visits our website, we automatically process the following information, which is stored temporarily in a logfile:

 

  • Name of the web page visited/file retrieved
  • Date and time the page is viewed
  • Report of successful retrieval
  • The IP address (anonymised by truncation) of the computer or other end device used to visit the page (e.g. tablet PC or smartphone)
  • Browser type, browser version, browser language and the operating system used

 

Logfiles are deleted after 14 days. The legal basis for the processing is Article 6(1), first subparagraph, point (e) GDPR in conjunction with Section 3 BDSG [German Federal Data Protection Act].

 

4. Use of cookies

Cookies are used when people browse the website. Cookies are small text files which are stored locally on the user’s end device (e.g. PC, smartphone, tablet).

The following cookies are set in the Provider area:

| Cookie Name | Description | Type | Duration of Storage |
|---|---|---|---|
| Session ID | ELSTER Connector cookie to enable “sticky sessions”. | Session | For the duration of the session |
| JSESSIONID | Cookie (ELSTER/NEZO) used for identification for the duration of a session. | Session | For the duration of the session |
| REQUEST-CACHE | Allows users to be redirected to the page in the Mirakl system that they originally requested before logging into the system. | Session | For the duration of the session |
| XSRF-TOKEN | Cookie of the Mirakl system to prevent attacks in which requests are forged “from outside” (cross-site request forgery). | Session | For the duration of the session |
| Authorization | Cookie of the Mirakl system for storing the authentication data of the current user. | Session | For the duration of the session |
| oauth2_authorization_request | Authentication cookie for the Mirakl system used to avoid security vulnerabilities during the authentication process. | Session | Deleted after authentication |
| shop.namedlist.search | Cookie for storing necessary status information for the implementation of filter/search processes in the application (Mirakl). | Session | For the duration of the session |
| Walkme | Step-by-step instructions may be provided for users in the shop. The cookie prevents the instructions being displayed again after the user has already gone through them. | Persistent | 13 months |
| auth0_compat | Cookie of the authentication system used to prevent bot attacks on passwords and on the infrastructure. | Persistent | 72 hours |
| did | Cookie of the authentication system used to prevent bot attacks on passwords and on the infrastructure. | Persistent | 12 months |
| did_compat | Cookie of the authentication system used to prevent bot attacks on passwords and on the infrastructure. | Persistent | 12 months |
| auth0 | Cookie of the authentication system used to prevent bot attacks on passwords and on the infrastructure. | Persistent | 72 hours |

 

The legal basis for the setting and retrieving of cookies is Article 6(1), first subparagraph, point (e) GDPR, Section 3 BDSG.

 

5. Registration as a Cultural Provider and proof of company identity via Elster

 

5.1.

In order to be able to post cultural offerings in the KulturPass project as a Cultural Provider, you have to register your company. For this purpose, you must first provide your email address and set a password.

The recording of your email address and your password as the person responsible for registration will only take place with your consent. The granting of consent is voluntary; there is neither a statutory nor a contractual obligation to register and thus no obligation to provide personal data. However, it is not possible to register a company for the KulturPass project without the prior granting of consent by the person making the registration, which means that you cannot post any offerings in the KulturPass.

You can withdraw your consent at any time with effect for the future. To do this, you can contact us by email at datenschutz@kulturpass.de or delete your data yourself in the account settings. Please note, however, that the specification of a main responsible person as well as a fully authorised user is required in order to be able to post an offering in the KulturPass project. You can set up a new primary coordinator yourself in the account settings. Any withdrawing of consent does not affect the legitimacy of the processing carried out on the basis of such consent prior to such withdrawal.

Please note that even if you withdraw your declaration of consent we are entitled and sometimes even obliged by law to continue to process the data collected prior to such withdrawal. The data processing for such purposes is then no longer based on your consent but on one or more statutory permissions. In particular, we may also retain reservation and transaction-related data, which may contain personal data, after a withdrawal of consent, if and to the extent this is necessary for the establishment, performance or termination of a contractual agreement concluded with you or we are otherwise entitled or legally obliged to store this data (in particular statutory retention obligations).

The legal basis for the processing of the data of the primary contact, in order to set up and maintain a user account, is Article 6(1), first subparagraph, point (a) GDPR and Article 6(1), first subparagraph, point (e) GDPR, Section 3 BDSG. Insofar as the company data provided itself contains personal data, the data processing is carried out additionally on the basis of Article 6(1), first subparagraph, point (e) GDPR, Section 3 BDSG and Article 6(1), first subparagraph, point (b) GDPR. The processing of the data could, however, also be or become allowed or required on other legal bases, such as Article 6(1), first subparagraph, point (c) GDPR (legal obligations e.g. retention periods under commercial or tax law), Article 6(1), first subparagraph, point (b) GDPR (performance of a contract or taking steps prior to entering into a contract) or Section 24(1) no. 1 BDSG (assertion of/defence of civil law claims).

 

5.2

In order to be able to post offerings, your company must be clearly identified. This identification is carried out during the registration process using your Elster company certificate, which must be uploaded via the Elster website or the Elster app (ElsterSecure). The certificate is not sent to us, but directly to Elster. The Bavarian State Tax Office (Munich office), Sophienstrasse 6, 80333 Munich (www.ELSTER.de) is responsible for the Elster website and ElsterSecure. You can find Elster’s privacy policy at https://www.ELSTER.de/eportal/helpGlobal?themaGlobal=datenschutz_public.

Once you have entered your Elster password on the Elster website or in the ElsterSecure app, we store and process the following data sent by Elster to us: first name and surname of the person submitting the application, name and address of the company, type of company register, register court and register number, pseudonym.

The legal basis for the processing of this data is Article 6(1), first subparagraph, point (e) GDPR, Section 34 BDSG and additionally Article 6(1), first subparagraph, point (b) GDPR.

 

6. Use of the login area as registered user and user management

 

6.1

The login area for Cultural Providers gives access to view and process reservations made by the KulturPass app users or the KulturPass website users. Furthermore, the login area is used to carry out the settlement of accounts with the BKM for services rendered.

We hereby make you aware that all user activities, i.e. reservation and transaction-related activities, including the times of use, are logged in order to enable traceability of these activities. The last 500 activities within a profile are stored.

 

6.2

You can add additional users for your company in the user management area, by entering the corresponding email addresses, while also assigning various user authorisations. Please note that you must ensure that the owners of the email addresses you have entered agree to their email addresses being supplied. After an email address is entered in the user management area, the owner of the email address receives an email with a request to give consent to data processing by clicking on the link in that email. On the linked page, the new user is asked to set a password.

The granting of consent is voluntary and can be withdrawn at any time with effect for the future. If a user wishes to withdraw their consent, he/she can contact datenschutz@kulturpass.de by email. Alternatively, you can also ask a user with shop administration rights to delete the user profile.

Please note that even if you withdraw your declaration of consent or your user profile is deleted, we are entitled and sometimes even obliged by law to continue to process the data collected prior to such withdrawal. The data processing for such purposes is then no longer based on your consent but on one or more statutory permissions. In particular, we may also retain reservation and transaction-related data after a withdrawal of consent or deletion of your user profile, if and to the extent this is necessary for the establishment, performance or termination of a contractual agreement concluded with you or we are otherwise entitled or legally obliged to store this data (in particular statutory retention obligations).

 

6.3

To the extent personal data of the Cultural Provider is processed as a result of their use of the login area, this is based on Article 6(1), first subparagraph, point (b) GDPR and additionally on Article 6(1), first subparagraph, point (e) GDPR, Section 3 BDSG. The legal basis for the processing of a user’s data is Article 6(1), first subparagraph, point (a) GDPR and, in addition, Article 6(1), first subparagraph, point (e) GDPR, Section 3 BDSG. The processing of the data could, however, also be or become allowed or required on other legal bases, such as Article 6(1), first subparagraph, point (c) GDPR (legal obligations e.g. retention periods under commercial or tax law) or Section 24(1) no. 1 BDSG (assertion of/defence of civil law claims).

 

6.4

To prevent bot attacks on passwords and the infrastructure, the authentication system Auth0 is used, which is provided by Okta, Inc., 100 First Street, 6th Floor, San Francisco, CA 94105, USA, with whom standard contractual clauses have been agreed. In order to identify and prevent attacks, the requesting IP address is sent to the service provider and checked there for irregularities / possible acts of abuse. This processing of data is carried out on the basis of Article 6(1), first subparagraph, point (e) GDPR, Section 3 BDSG.

 

7. Contact form and processing of enquiries (helpdesk), Friendly Captcha

If you have any questions, suggestions, requests or problems, you can contact us via the contact form on the website or by email. When you use the contact form, we will ask for your name and email address. The personal data provided by you will be processed by us in order to deal with your enquiry.

To this end, we use a ticket system, provided by Zammad GmbH, Marienstraße 18, 10117 Berlin, Germany, on the basis of a third-party processing agreement, to record and process enquiries received via the contact form or email. Tickets are generated for each individual enquiry and the subsequent communication is stored under that ticket for the purposes of dealing with the enquiry. This allows us to respond to and deal with enquiries as quickly and efficiently as possible. The personal data collected in connection with the use of the contact form will be deleted when its storage is no longer necessary or, to the extent legal obligations to retain records exist, its processing is limited, unless further processing is required or allowed by law.

The processing of personal data when you contact us is undertaken primarily on the basis of Article 6(1), first subparagraph, point (e) GDPR, Section 3 BDSG. The processing of the provided data could, however, also, depending on the content of your message, be or become allowed or required on other legal bases, such as Article 6(1), first subparagraph, point (c) GDPR, Article 6(1), first subparagraph, point (b) GDPR (performance of a contract or taking steps prior to entering into a contract) or Section 24(1) no. 1 BDSG (assertion of/defence of civil law claims).

To prevent misuse of the contact form by so-called bots, we use the data protection-friendly tool Friendly Captcha, which is provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany. To ensure that the form is used by a human instead of a bot, the tool sends a task (“puzzle”) to the end device that is then solved automatically by the device in the background. The IP address is anonymised via a one-way hashing process and deleted afterwards. The following data is also processed:

  • the request header data (browser, operating system, origin/referrer)
  • the puzzle itself, which contains information about the account and the website key to which the puzzle relates, and the submitted solution
  • the version of the embedded Friendly Captcha Widget
  • a time stamp
  • the number of requests for a hash value (counter)

This data processing is necessary in order to provide a contact form and to eliminate abuse by bots as far as possible. The processing of personal data is carried out on the basis of Article 6(1), first subparagraph, point (e) GDPR, Section 3 BDSG.

 

8. Registering for webinars

We offer webinars from time to time for which you can register. The webinars are held using the video conferencing system BigBlueButton, which is hosted for us on servers of werk21 GmbH, Krausnickstraße 3, 10115 Berlin on the basis of a third-party processing contract.

Participation in webinars requires prior registration, including the provision of an email address to which we will send a link to the webinar after registration is complete. This data processing as well as the further processing of your personal data to enable participation in the webinar is based on Article 6(1), first subparagraph, point (b) GDPR and additionally on Article 6(1), first subparagraph, point (e) GDPR, Section 3 BDSG. Your email address will be deleted immediately, on the day after the webinar for which you have registered has taken place. 

 

9. Sending of KulturPass emails to Cultural Providers

We send emails to Cultural Providers for various purposes. Where we answer support enquiries or similar enquiries by email, the data processing is carried out on the basis of Article 6(1), first subparagraph, point (e) GDPR, Section 3 BDSG as well as Article 6(1), first subparagraph, point (b) GDPR.

From time to time, we also send information about the KulturPass project specifically for registered Cultural Providers to the email address provided during registration or stored in the Provider profile. This includes, in particular, information on updates or changes to the KulturPass platform, promotional events and activities around the KulturPass project or on KulturPass webinars. The data processing in this regard is based on Article 6(1), first subparagraph, point (e) GDPR, Section 3 BDSG. You can object to this use of your email address. To do so, you can unsubscribe from the mailing list at any time – a link to unsubscribe can be found at the end of every email of this type – or contact us by email. There are no costs for submitting the objection (aside from the costs of sending the email, according to your communications provider’s standard rates).

The sending of emails with important content directly related to the contract, such as a notification as to updated Provider Terms or an amended Privacy Policy, is based on Article 6(1), first subparagraph, point (b) GDPR.

KulturPass emails may contain graphics and images that are not stored directly as a file in the email but are subsequently downloaded from our servers. The retrieval of the IP address required for this is technically necessary for the display of these emails and is carried out on the basis of Article 6(1), first subparagraph, point (e) GDPR, Section 3 BDSG. No pixel tracking is used.

 

10. Duration of storage

The personal data will be deleted as soon as it no longer needs to be processed for the purpose for which it was collected, or at the latest upon expiry of the statutory retention periods.

 

11. Recipients and categories of recipients of personal data

 

11.1 Stiftung Digitale Chancen

The technical realisation of the KulturPass project of the BKM and the administrative implementation is carried out in cooperation with

Stiftung Digitale Chancen

Chairwoman of the Board, Ms Jutta Croll

Chausseestraße 15

10115 Berlin

 

(the “Stiftung”). The Stiftung collects and processes personal data strictly in accordance with the intended purpose, on behalf of and according to the instructions of the BKM, on the basis of a contractual agreement for third-party processing and arranges the reservations and settlement of accounts with the Cultural Providers on behalf of the BKM.

 

11.2. Technical service providers

We use technical service providers for the technical realisation and maintenance of the KulturPass project who might have access to personal data within the scope of their work. This applies, in particular, in the case of web/server hosting providers, system administrators and other IT service providers. These service providers, with whom third-party data processing agreements are concluded, are chosen with great care and subject to obligations to meet all qualifications under data protection law. The service providers process the data exclusively according to our instructions and are contractually obliged to comply with all data protection law requirements. These service providers include, in particular, the company SAP (www.sap.de), which performs the technical realisation of the KulturPass project. The data protection and privacy policies of SAP can be found here: www.sap.com/germany/about/trust-center/data-privacy.html.

 

12. Data processing location

The personal data collected in connection with the use of the KulturPass is hosted on servers within the EU/EEA. In support/maintenance cases, technical service providers of the BKM, with whom agreements on third-party data processing have been concluded, are entitled to engage subcontractors outside the EU/EEA, in compliance with the data protection law requirements for such a transfer of data. If these recipients are based in third countries, for which the European Commission has not expressly confirmed the existence of an adequate level of data protection, standard data protection clauses exist with the recipients in accordance with Article 46(2), point (c) GDPR.

 

13. Rights of the Data Subject

 

13.1

You can withdraw a declaration of consent under data protection law that you have given, at any time with effect for the future. Details on how to do this can be found above in the specific descriptions of the declarations of consent.

 

13.2

You have the right to request confirmation from us as to whether we are processing personal data relating to you, unless that right is excluded by law (in particular Section 34 BDSG). If you are entitled to this right, you also have a right to information regarding this personal data to the extent stipulated under the law (Article 15 GDPR in conjunction with Section 34 BDSG). You also have the right to request information about whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you can request to be informed about the appropriate safeguards set out in Article 46 GDPR in connection with the transfer.

 

13.3

You also have the right to request that inaccurate personal data concerning you be rectified and where applicable – taking into account the purposes of the processing – incomplete personal data be completed, including by means of providing a supplementary statement (Article 16 GDPR).

 

13.4

Moreover, in the cases described in Article 17(1), points (a) to (f) GDPR, you have a right to request that personal data be erased, provided no exception under Article 17(3) GDPR applies, as well as a right to restriction of processing in the cases described in Article 18(1) GDPR.

There is also a right to have data portability ensured in the cases laid out in Article 20(1) GDPR.

 

13.5

You can contact our data protection officer (see Section 2) at any time and consult him/her on any data protection law issues relating to the use of our services.

 

13.6

You have the right to lodge a complaint with the competent supervisory authority, if you are of the opinion that the processing of personal data relating to you infringes the GDPR. The competent supervisory authority is the

 

German Federal Commissioner for Data Protection and Freedom of Information (BfDI)

Graurheindorfer Str. 153

53117 Bonn

Telephone: +49 (0)228 997799-0

Email: poststelle@bfdi.bund.de

 

13.7 Right to object

To the extent the processing of data is based on Article 6(1), first subparagraph, point (e) GDPR, you have the right to lodge an objection at any time, for reasons related to your particular situation, to the processing of personal data concerning you. We will then no longer process the respective personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise, or defence of legal claims.

 

14 Final notes

 

14.1 Automated decision-making and profiling

No automated decision-making or profiling takes place.

 

14.2 No obligation to provide personal data

There is no statutory or contractual obligation to provide us with personal data for you to be able to visit our website.

This Privacy Policy may be modified at any time in the future in line with changing circumstances, in particular to conform to any changes to legal requirements, the practice of public authorities or case law. You can find the current version in the “Privacy” section of our website.