On this page you will find information on data protection for registering with kulturpass.de and for using the services of kulturpass.de as a registered user, and for the use of the KulturPass app. This applies in addition to the general data protection information, which can be found here: General Privacy Policy
The additional Privacy Policy for Cultural Providers can be found here: Datenschutzhinweise für Kulturanbietende
Privacy Policy for registering with kulturpass.de, for using it as a registered user, and for using the KulturPass app
Version 11 September 2024
The German Federal Government Commissioner for Culture and the Media (BKM) takes the protection of your data very seriously. For this reason, we have taken measures to ensure that the legal requirements in relation to data protection are duly observed both by us and by our external service providers.
Personal data means all information which refers to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier.
1. Who is responsible for the processing of data?
The controller for data processing in connection with the use of the KulturPass app and the KulturPass website at kulturpass.de and kulturpass.app is the
German Federal Government Commissioner for Culture and the Media (“BKM”)
Köthener Straße 2
10963 Berlin
Germany
The administrative realisation is carried out on behalf of and according to the instructions of the BKM by
Stiftung Digitale Chancen (Digital Opportunities Foundation)
Chairwoman of the Board, Ms Jutta Croll
Chausseestraße 15
10115 Berlin
on the basis of a third-party data processing agreement.
2. How can I contact the data protection officer?
The data protection officer can be contacted as follows:
Beauftragte(r) der Bundesregierung für Kultur und Medien
Behördlicher Datenschutzbeauftragter
Graurheindorfer Straße 198
53117 Bonn
Telephone: +49 (0)228 99 681 13655
Fax: +49 (0)228 99 681 513655
Email: datenschutzbeauftragter@bkm.bund.de
3. What personal data is collected and for what purposes?
3.1. Visiting the website
We automatically process the following information every time you visit our website, which is stored in a logfile:
- name of the accessed website/file
- date and time of accessing the website
- information about a successful access
- IP address of your computer or other end device (e.g. tablet PC or smartphone), anonymised by truncation
- the browser type, browser version, browser language and the operating system used.
The logfiles will be deleted after no more than 14 days.
The legal basis for the processing is Article 6(1)(e) of the GDPR in conjunction with Section 3 BDSG [German Federal Data Protection Act].
3.2. Use of cookies
Cookies are used when the KulturPass app is used or the KulturPass website is visited. Cookies are small text files which are stored locally on the user’s end device (e.g. PC, smartphone, tablet). We only use cookies that are technically necessary to enable the use of the service (Section 25(2) No. 2 TTDSG [German Federal Act on Data Protection and Privacy in Telecommunications and Telemedia]). The following cookies are set:
Cookie name | Description | Type | Duration of storage |
ROUTE | Session cookie for navigation within the KulturPass service. It is used for reliable communication between a client and the backend system. | Session | For the duration of the session. |
Session ID (eID connector) | Session cookie that enables the use of eID. | Session | For the duration of the session |
Session ID (BankID connector) | Session cookie that enables identification via “Sparkasse” savings banks | Session | For the duration of the session |
AuthToken | Auth token that enables authentication processes within the system. | Persistent | 1 hour |
auth | Cookie for realising a session in the commercial area | Local storage | unlimited |
gig_canary | Cookie used to verify that the client is using the canary version of the WebSDK. Serves to securely roll out new updates to ensure the application runs smoothly. | Persistent | 1 year |
gig_canary_ver | Contains the canary version of the WebSDK. Serves to securely roll out new updates to ensure the application runs smoothly. | Persistent | 1 year |
glt_4_<env> | Login token for login authentication to pass the login token value for API authorisation. | Session | For the duration of the session. |
gig_bootstrap_4_<env> | Required for the web application, to ensure that a supported SDK version is used. | Persistent | 1 year |
gltexp_<env> | Cookie for session management | Session | For the duration of the session |
anonymous-consents | For storing information on whether the user has granted consent. | Local storage | unlimited |
gmid | Contains a unique user ID for the browser tab or the mobile application session of the current user. This is important for several security functions of the identity platform. | Persistent | 12 months |
hasGmid | Cookie to ensure the usability of the WebSDK. Depending on the browser/cookie configuration, the information is either stored in the cookie or in local storage. | Persistent | 13 months |
ucid | Contains a computer identifier to determine the endpoint. | Persistent | 13 months |
Kp-cookie-banner-accepted | Stores the information about whether cookies were accepted. | Persistent | 12 months |
kp.ios.geolocation.allowed | Contains the information about whether consent for location sharing was given (iOS). | Persistent | unlimited |
The legal basis for the setting and reading of cookies is Article 6(1)(e) GDPR, Section 3 BDSG.
3.3 Use of the KulturPass without registration
You can view the KulturPass website and download the KulturPass app and use them for information purposes without registering yourself or logging in.
3.3.1 Location sharing
When you first open the KulturPass app or first visit the KulturPass website, you are asked whether you would like to allow KulturPass to access your location to enable cultural offerings in your vicinity to be displayed. If you agree to receive push notifications (see Section 3.3.2 below) and/or, as a registered user, to receive service-related information by email (see Section 3.4.3 below), we may also use the location information to draw your attention to offers or promotions in your area by email or push notification.
You can freely choose whether to do so and location sharing can be deactivated at any time in your device settings. When you activate location sharing, your location information is transmitted to the provider of your device operating system, which then sends this information to the KulturPass app. Please note the privacy policy and terms of use of that provider.
Alternatively, you can activate and deactivate location sharing in your smartphone settings. Instructions on how to do so can be found here:
- Information on location services for iOS devices
- Information on location settings for Android devices
You can also manage the settings in your web browser accordingly. If you prefer not to share your location, you can also limit the search for offerings within KulturPass by entering a postcode.
The legal basis under data protection law is Article 6(1)(a) GDPR, Article 49(1)(a) GDPR.
3.3.2 Push notifications
You will also be asked whether you consent to receiving so-called push notifications. This enables us to send you messages relating to the KulturPass and KulturPass offers which will be displayed directly on your smartphone. We send push notifications to inform you about, for example, status changes to reservations, cancellations, refunds, reminders to collect products, your budget, reaching the age for budget allocation, etc. or technical information on the KulturPass, updates, changes to the terms of use, etc. From time to time, we also send out information about special KulturPass promotions, competitions, special cultural offerings or events etc. and invitations to take part in surveys/feedback (designed to improve the content and/or technical aspects of the KulturPass service). If you have agreed to share your location or have entered a postcode, we can also take your location into account in order to inform you about special offers in your area, for example.
Of course, giving consent is voluntary and you can revoke it at any time by deactivating push notifications in the settings of your smartphone. You can also reactivate them there if you wish.
To enable the push functionality, we use an interface (Firebase Cloud Messaging, FCM) provided by Google (Google Ireland Limited). Google’s privacy policy for Firebase can be found here: https://firebase.google.com/support/privacy. When push notifications are activated, your IP address and your device ID will be transmitted to Google, which makes it very likely that they are also transmitted to Google LLC, which is based in the USA. The notifications themselves are sent directly via the FCM for Android devices and via Apple, Inc. servers (Apple Push Notification Services) for iOS devices.
Please note: According to the CJEU, the USA does not guarantee an adequate level of data protection, i.e. the same level of data protection as the EU member states guarantee under EU law. The data protection rights afforded under EU law may only be guaranteed to a limited extent in the USA or, in some cases, not at all. In particular, we must point out that US authorities can access data processed by a US company without you being informed of such access and without you being able to assert and enforce rights to the same extent and effectiveness as is possible within the EU. However, Google LLC has certified that it adheres to the EU-US Data Privacy Framework (DPF); according to a decision of the European Commission, companies that are certified under the DPF offer an adequate level of data protection for the receipt and processing of personal data.
The legal basis under data protection law is Article 6(1)(a) GDPR, Article 49(1)(a) GDPR.
3.4 Registering with KulturPass
3.4.1 Description
In order to be able to use KulturPass to reserve cultural offerings, prior registration is required. To register, you must agree to the Terms of Use, confirm that you have read the Privacy Policy, consent to the data processing associated with setting up your account (by clicking “Agree”) and enter some data in the screen that follows, namely
- Your email address
- A password
- Your name (optional)
- Your date of birth (optional)
The registration process requires you to provide your email address. Please also note the separate section of this policy regarding emails that we send to this email address (Section 3.4.3 below). Entering your name and date of birth is optional. Giving your name enables us to address you by name in the KulturPass service and in emails. If you provide your date of birth, we can inform you, and/or remind you, by email or, if you have allowed push notifications, by means of a notification, of the fact that you have reached the required age to receive your budget.
Please note: When you provide proof of identity (see Section 3.5 below), we will also read your date of birth from your identity document. If the date of birth on your identity document differs from the date of birth you stated during the registration process, the stated date of birth will be replaced with the date of birth retrieved from your document and this information can then no longer be changed.
In the next step, you have the option of saving your interests and preferences as well as a postcode to your profile, which we will use to show you cultural offerings that match your interests as closely as possible. This information is provided voluntarily and you can change it at any time in your profile.
Following the registration process (after clicking on “Register”), we will send you an email containing a link that you have to click on to confirm that the email address you have provided is correct. You can then log in using your email address and password in the KulturPass app or on the KulturPass website. If you forget your password, you can reset it via the “Forgot password” function.
If you are interested in a certain cultural offering, you can save it to your account as a favourite and delete it again as you wish. If you agree to receive push notifications (see Section 3.3.2 below) and/or, as a registered user, to receive service-related information by email (see Section 3.4.3 below), we may also use the information as to which favourites you have chosen, to draw your attention, by email or push notification, to offerings or promotions which will likely interest you, judging by your choice of favourites. From time to time, we may organise competitions in which a user is selected at random and then use your email address to notify you if you win.
3.4.2 Consent, withdrawal, further legal basis
Opening a user account and the associated and subsequent data processing requires your prior consent. The granting of consent is voluntary; there is neither a statutory nor a contractual obligation to register and thus transfer personal data. However, it is not possible to open an account without granting prior consent with the consequence that you will not be able to receive the budget or make any reservations via the KulturPass app.
You can withdraw your consent at any time with effect for the future by deleting your profile via the settings. We will consider the deletion of your account to be a withdrawal of your consent. In the case of withdrawal of consent by email to us, we will delete the user account once you have entered your password upon our request. Any withdrawing of consent does not affect the legitimacy of the processing carried out on the basis of the consent prior to such withdrawal.
Please note that even if you withdraw your declaration of consent we are entitled and sometimes even obliged by law to continue to process the data collected prior to such withdrawal. The data processing for such purposes is then no longer based on your consent but on one or more statutory permissions. It should be noted in particular that if you have availed yourself of cultural offerings via KulturPass, we may keep and process the transaction-related data (this is information that arises in connection with the reservation being made and the offering being taken up and contains personal data) even after the withdrawal of consent, if and to the extent this is necessary for the establishment, performance or termination of a contractual agreement concluded with you or we are otherwise entitled or legally obliged to store this data (in particular statutory retention obligations). Moreover, if you have provided proof of identity (see Section 3.5 below), we store data from your identity document even after your account is deleted, for the purpose of preventing multiple registrations, multiple allocations of the budget and misuse (for the period of storage, see Section 4 below).
The legal basis for the data processing to set up and maintain a user account is Article 6(1)(a) GDPR and, in addition, Article 6(1)(e) GDPR, Section 3 BDSG. The latter is also the basis for any information or reminders by email with regard to the possibility of identification; push notifications are based on your consent (Article 6(1)(a) GDPR). Any further processing of the data after the conclusion of the contract, to make and process reservations and for the billing of the cultural service used is based on Article 6(1)(b) GDPR as well as Article 6(1)(e) GDPR, Section 3 BDSG. Processing for the purpose of compliance with statutory retention periods is carried out on the basis of Article 6(1)(c) GDPR. The processing of data to detect and prevent multiple registrations, multiple allocations and misuse is carried out on the basis of Article 6(1)(e) GDPR, Section 3 BDSG. If further storage and other processing is carried out for the assertion of/defence against civil law claims, this is based on Section 24(1) No. 1 BDSG.
3.4.3 KulturPass emails
Emails sent by us may contain graphics and images that are not stored directly as a file in the email but are subsequently downloaded from our servers. The retrieval of the IP address that occurs in this context is technically necessary for the display of these emails and is carried out on the basis of Article 6(1)(e) GDPR, Section 3 BDSG. No pixel tracking is used.
We send emails for various purposes:
Application-related information: We send emails with usage-related information. This includes, for example, emails in connection with your registration or identification as well as in relation to important information about the KulturPass project or the KulturPass apps, such as changes to the Terms of Use, updates or changes to the KulturPass service. This also includes notifications regarding status changes to reservations, cancellations, refunds, reminders to collect products, regarding your budget, reaching the age for budget allocation, any notifications of competition wins, etc. The sending of such emails is carried out on the basis of Article 6(1)(b) GDPR and Article 6(1)(e) GDPR, Section 3 BDSG.
Service-related and offering-related information: From time to time, we also send out information about the KulturPass or KulturPass offerings that are not directly application-related. This includes information about special KulturPass promotions, competitions, special cultural offerings or events and invitations to take part in surveys/feedback (designed to improve the content and/or technical aspects of the KulturPass service) etc. If you have agreed to share your location or have entered a postcode, we can also take your location into account in order to inform you about special offers in your area, for example. If you have saved favourites, we may use the information about which favourites you have chosen, to draw your attention, by email or push notification, to offerings or promotions which will likely interest you, judging by your choice of favourites.
The sending of such service or offering-related information is carried out on the basis of your prior consent (Article 6(1)(a) GDPR). The granting of consent is voluntary; there is neither a statutory nor a contractual obligation to do so. You can withdraw your consent at any time with effect for the future by unsubscribing from the mailing list using the link that can be found at the end of any email of this type.
Support enquiries and other enquiries: Where we answer support enquiries or similar enquiries by email, the data processing is carried out on the basis of Article 6(1)(e) GDPR, Section 3 BDSG or, where the enquiries concern the usage agreement concluded with or to be concluded with us, Article 6(1)(b) GDPR.
3.5 Identification for the purposes of receiving your budget and making reservations
3.5.1 Description and purposes of data processing
In order to receive your budget and be able to use the KulturPass app or the KulturPass website to reserve cultural offerings, you must furnish proof of identity. This is required because we have to verify that you are eligible to receive the budget. You are not legally or contractually obliged to provide proof of identity in the KulturPass app. Please note, however, that the allocation of your budget and the ability to make reservations is contingent upon successful identification.
You can complete the identification process immediately after registration or at a later date in the settings section. We currently offer identification via eID or via participating “Sparkasse” savings banks, provided you have an activated online “Sparkasse” account.
The identification process and the associated data processing is carried out for the following purposes:
- to identify you beyond doubt;
- to verify whether you are eligible to receive the budget and to make reservations (residence and age);
- to properly process and document the collected data concerning a reservation and the availing of the reserved service and to enable the payment process to be carried out;
- to detect and prevent multiple registrations, multiple allocations and misuse.
When you reserve cultural offerings, we also process your age, in anonymised form, together with other characteristics pertaining to individual reservations (e.g. the type of cultural offering reserved) or (if provided) the postcode or place of use specified, for statistical analysis purposes to help further optimise the KulturPass service and provide statistical information on the use of the KulturPass service. Any such use is in strictly anonymised form; we do not create any statistics or other user profiles about you.
3.5.2 Identification via eID
You can provide proof of identity using a personal identity card with online ID function (eID), an electronic residence permit (eAT) or an eID card, directly with your smartphone. In addition to any of the identity documents mentioned above, all you need is an NFC-enabled smartphone and the personal PIN for your identity document. For identification via the KulturPass website, you need the AusweisApp2, which is made available in the app stores on behalf of the German Federal Office for Information Security. Links to free versions of the AusweisApp2 can be found here: https://www.ausweisapp.bund.de/open-source-software
We are authorised to read out data by way of electronic proof of identity on the basis of an authorisation certificate issued by the German Federal Office of Administration. The last day of validity of the authorisation certificate is displayed before you enter your ID PIN. The competent supervisory authority for us is identified in Section 11.7 below.
You will be guided through the identification process and asked to give your consent to the retrieval of data from an identity document, to hold your identity document up to your smartphone and enter your personal ID PIN. KulturPass establishes a connection to Bundesdruckerei’s servers via an interface provided by Bundesdruckerei (Bundesdruckerei Gruppe GmbH, Kommandantenstraße 18, 10969 Berlin, www.bundesdruckerei.de) and transmits the data required for identification to them. The following data from your identity document is retrieved and transmitted to us: surname, first name(s), date and place of birth, the ID card pseudonym stored in relation to your document, confirmation of your age, the date of expiry of the ID document and the information as to whether you have a registered residence in Germany.
Consent and withdrawal of consent
We only retrieve data from your identity document if you have granted us consent to do so. The completion of the identification process and thus the granting of consent is voluntary; there is neither a statutory nor a contractual obligation to complete that process. Without identification, however, the allocation of the budget and the making of reservations are not possible.
You grant your consent by pressing the “Agree” button at the beginning of the identification process. You can withdraw your consent by cancelling the identification process before entering your PIN. Once you have entered the PIN, you can no longer withdraw your consent insofar as it relates to the retrieval of the data from the document because it has already been retrieved. You can, however, withdraw your consent with effect for the future, to the extent it refers to the further processing of the data that has been retrieved. To do this, you can simply delete your account. We will consider the deletion of your account to be a withdrawal of your consent. Any withdrawing of consent does not affect the legitimacy of the processing carried out on the basis of the consent prior to such withdrawal. Once the withdrawal takes effect, you will no longer be able to make any reservations.
Please note that even if you withdraw your declaration of consent we are entitled or even obliged by law to continue to process the data sent to us prior to such withdrawal. The data processing for such purposes is then no longer based on your consent but on one or more statutory permissions. It should be noted in particular that if you have availed yourself of cultural offerings via KulturPass, we may keep and process the transaction-related data (this is information that arises in connection with the reservation being made and the offering being taken up and contains personal data) even after the withdrawal of consent, if and to the extent this is necessary for the establishment, performance or termination of a contractual agreement concluded with you or we are otherwise entitled or legally obliged to store this data (in particular statutory retention obligations). Moreover, we store the data retrieved from your identity document even after your account is deleted, for the purpose of preventing multiple registrations, multiple allocations of the budget and misuse (for the period of storage, see Section 4).
3.5.3 Identification via “Sparkasse” savings banks
If you are a “Sparkasse” savings bank customer with an activated online “Sparkasse” account, you can provide proof of identity via your “Sparkasse” savings bank, if it has opted to participate in the KulturPass project. In the KulturPass app, you can search for your “Sparkasse” savings bank and find out whether the “Sparkasse” option is open to you.
If this is the case, and you choose to use this option, you will be forwarded, within the KulturPass app, to a “Sparkasse” savings bank login page and then guided step-by-step through the process.
You will have to log in on that page using your “Sparkasse” login name and your “Sparkasse” PIN and authorise identification based on your preferred TAN procedure (PushTAN or chipTAN). Once you have provided authorisation, your “Sparkasse” savings bank will send the following details to us: Your first name, surname, date and place of birth, country of residence and the bank code of your “Sparkasse”.
Under data protection law, the responsibility for data protection in relation to the processing of data within the “Sparkasse” online environment lies with your “Sparkasse”. Please also note the privacy policy of your “Sparkasse” savings bank, which you can view in the “Sparkasse” online environment before authorising the identification process.
Once the data has been transmitted to us by the “Sparkasse”, further data processing is carried out by us. Under data protection law, responsibility for data protection in relation to this processing lies with us.
3.5.4 Legal basis for data processing
eID: The legal basis for retrieving the data from the identity document in the eID process is your consent (Article 6(1)(a) GDPR) as well as Article 6(1)(e) GDPR and Section 3 BDSG in conjunction with Section 18, Section 19(5) and (6) German Personal Identity Card Act (PAuswG), Section 12, Section 14 German Act on a Card with Electronic Identification Function (eIDKG), Section 78(5) German Residence Act (AufenthG).
Identification via “Sparkasse”: The legal basis for our processing of the data transmitted by the “Sparkasse” savings banks in connection with the identification process is Article 6(1)(b) GDPR, Article 6(1)(e) GDPR and Section 3 BDSG. The legal basis on which the “Sparkasse” savings bank transmits the personal data to us can be found in the “Sparkasse” online environment.
The legal basis for the following data processing in connection with the allocation and use of the budget through the availment of reserved cultural offerings and the utilisation of the KulturPass service for this purpose is Article 6(1)(e) GDPR and Section 3 BDSG, as well as Article 6(1)(b) GDPR. The processing of data to detect and prevent multiple registrations, multiple allocations and misuse is also carried out on the basis of Article 6(1)(e) GDPR, Section 3 BDSG. The further processing of data after the conclusion of the contract, for the purpose of compliance with the retention periods under commercial or tax law is carried out on the basis of Article 6(1)(c) GDPR. If further storage and other processing is carried out for the assertion of/defence against civil law claims, this is based on Section 24(1) No. 1 BDSG. The processing of data for statistical purposes associated with anonymisation is carried out on the basis of Article 6(1)(e) GDPR and Section 3 BDSG.
3.6 Making reservations and availing of cultural offerings
When you reserve a cultural offering, a code is generated, either in the form of a QR code or an alphanumeric code. You can then redeem this code to use an amount from your budget with the respective cultural provider. Please note that you cannot conclude any purchase agreements or other contractual agreements with the culture providers via the KulturPass app and the KulturPass website itself. The agreement is concluded outside the KulturPass service – depending on the cultural offering, either on site at the cultural provider’s venue or online in the cultural provider’s online service – directly between you and the respective provider. The BKM is not a party to the contract.
The reservation and the information related to it, such as the codes, the reservation date, the reserved offering, etc., will be saved by us to your account. We only transmit to the cultural providers whose offerings you reserve and whose name and address you can see on the respective reservation page, information about the reservation and the reserved offering (e.g. order number, type and price, if applicable information about additional payments, date and time of the reservation, etc.). Your name or other data retrieved from your identity document will not be transmitted to the culture providers by us. Similarly, we do not transmit your email address. Please note, however, that under certain circumstances – depending on the offering you would like to make use of – you may have to provide the cultural provider with certain personal data in order to be able to make use of the offering and the cultural provider may ask you to present an identity document when delivering the offering. We play no part in that collection of data. We call the data that arises as part of the reservation and the availment of the reserved offering “transaction-related data”.
After the offering has been availed of, the cultural provider will confirm that the service has been availed of and when by sending us the information related to the transaction ID (order number), so that we can properly document the transaction and organise the payment for the service between us and the cultural provider and record the amount used from the budget. This is then saved by us as transaction-related data to your user account.
The legal basis for the transaction-related data processing described above is Article 6(1)(e) GDPR, Section 3 BDSG and Article 6(1)(b) GDPR. The further processing of data after availment of the cultural provider’s offering, for the purpose of compliance with the retention periods under commercial or tax law is carried out on the basis of Article 6(1)(c) GDPR. If further storage and other processing is carried out for the assertion of/defence against civil law claims, this is based on Section 24(1) No. 1 BDSG.
In individual cases, the cultural providers from which you have reserved your cultural offering are able to contact you via email about any reservation-related or transaction-related questions/issues. Cultural providers are contractually prohibited from contacting you via the KulturPass system for any other purpose. Any contact is facilitated directly through the KulturPass system; we do not disclose your email address to the cultural providers.
We also use the information about your reservation in anonymised form together with other characteristics such as your age or (if provided) the postcode or place of use specified, for statistical analysis purposes to help further optimise the KulturPass service and provide information in statistical form on the use of the KulturPass service. Any such use is in strictly anonymised form. The processing of data for statistical purposes associated with anonymisation is carried out on the basis of Article 6(1)(e) GDPR and Section 3 BDSG. If you have agreed to receive application-related information by email (see Section 3.4.3 above), we may also use the reservation information to inform you about offerings that match your previous reservations. The same applies to corresponding push notifications if you have consented to them (see Section 3.3.2 above). This is also carried out on the basis of Article 6(1)(e) GDPR, Section 3 BDSG.
4. How long will my data be retained?
As a general rule, personal data will be deleted as soon as it no longer needs to be processed for the purpose for which it was collected. You may delete your account yourself at any time. It will be automatically deleted at the latest when you turn 21.
In all other respects, the following applies:
If you have registered but not identified yourself and therefore have not received a budget, your personal data will be deleted as soon as your account has been deleted.
If you have received a budget but not yet used it, your personal data will be deleted at the latest one year after expiry of the period in which you are entitled to make use of the budget (= 24 months after allocation of the budget).
If you have received and made use of a budget, we will store the transaction-related data, including personal data, for a period of one year, calculated from the end of your entitlement to use the budget (= 24 months after allocation); subsequent archiving will be pseudonymised for a period of six years.
5. Contact form and processing of enquiries (helpdesk), Friendly Captcha
If you have any questions, suggestions, requests or problems, you can contact us via the contact form on the website or by email. When you use the contact form, we will ask for your name and email address. The personal data provided by you will be processed by us in order to deal with your enquiry.
To this end, we use a ticket system, provided by Zammad GmbH, Marienstraße 18, 10117 Berlin, Germany, on the basis of a third-party processing agreement, to record and process enquiries received via the contact form or email. Tickets are generated for each individual enquiry and the subsequent communication is stored under that ticket for the purposes of dealing with the enquiry. This allows us to respond to and deal with enquiries as quickly and efficiently as possible. The personal data collected in connection with the use of the contact form will be deleted when its storage is no longer necessary or, to the extent legal obligations to retain records exist, its processing is limited, unless further processing is required or allowed by law.
The processing of personal data when you contact us is carried out primarily on the basis of Article 6(1)(e) GDPR, Section 3 BDSG. The processing of the provided data could, however, also, depending on the content of your message, be or become allowed or required on other legal bases, such as Article 6(1)(c) GDPR, Article 6(1)(b) GDPR (performance of a contract or taking steps prior to entering into a contract) or Section 24(1) no. 1 BDSG (assertion of/defence against civil law claims).
To prevent misuse of the contact form by so-called bots, we use the data protection-friendly tool Friendly Captcha, which is provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany. To ensure that the form is used by a human instead of a bot, the tool sends a task (“puzzle”) to the end device, which is then solved automatically by the device in the background. The IP address is anonymised via a one-way hashing process and deleted afterwards. The following data is also processed:
the request header data (browser, operating system, origin/referrer)
the puzzle itself, which contains information about the account and the website key to which the puzzle relates, and the submitted solution
the version of the embedded Friendly Captcha Widget
a time stamp
number of requests for a hash value (counter)
This data processing is necessary in order to provide a contact form and to eliminate abuse by bots as far as possible. The processing of personal data is carried out on the basis of Article 6(1)(e) GDPR, Section 3 BDSG.
6. Registering for webinars
We offer webinars from time to time for which you can register. The webinars are held using the web conferencing system BigBlueButton, which is hosted for us on servers of werk21 GmbH, Krausnickstraße 3, 10115 Berlin on the basis of a third-party processing contract.
Participation in webinars requires prior registration, including the provision of an email address to which we will send a link to the webinar after registration is complete. This data processing as well as the further processing of your personal data to enable participation in the webinar is based on Article 6(1)(b) GDPR and additionally on Article 6(1)(e) GDPR, Section 3 BDSG. Your email address will be deleted immediately on the day after the webinar for which you have registered, unless it is also stored within your KulturPass account (in this case, Section 4 above applies).
7. Conducting surveys and collecting feedback
From time to time, we may invite you to take part in surveys and provide feedback. Such surveys/feedback opportunities help to improve the content and/or technical aspects of the KulturPass project. Participation is always voluntary and anonymous, i.e. we will not save your answers to your account and will not be able to otherwise link answers to your person. The legal basis is Article 6(1)(e) GDPR, Section 3 BDSG.
Only in certain situations do we invite you to take part in non-anonymous surveys. In such cases, we will expressly mention the fact that they are carried out in a non-anonymous manner. In such cases, participation is on the basis of express consent (legal basis: Article 6(1)(a) GDPR). This consent is voluntary and can be withdrawn at any time with effect for the future.
8. Who will my personal data be transmitted to?
8.1 Stiftung Digitale Chancen
The technical realisation of the KulturPass project of the BKM and the administrative implementation is carried out in cooperation with
Stiftung Digitale Chancen
Chairwoman of the Board, Ms Jutta Croll
Chausseestraße 15
10115 Berlin
(hereinafter: “Stiftung”). The Stiftung collects and processes personal data strictly in accordance with the intended purpose, on behalf of and according to the instructions of the BKM, on the basis of a contractual agreement for third-party processing and arranges the reservations and billing with the cultural providers on behalf of the BKM.
8.2 Technical service providers
We use technical service providers for the technical realisation and maintenance of the KulturPass project who might have access to personal data within the scope of their work. This applies, in particular, in the case of web/server hosting providers, system administrators and other IT service providers. These service providers, with whom third-party data processing agreements are concluded, are chosen with great care and subject to obligations to meet all qualifications under data protection law. The service providers process the data exclusively according to our instructions and are contractually obliged to comply with all data protection law requirements. These service providers include, in particular, the company SAP (www.sap.de), which performs the technical realisation of the KulturPass project. The data protection and privacy policies of SAP can be found here: https://www.sap.com/germany/about/trust-center/data-privacy.html.
9. Data processing location
The personal data collected in connection with the use of the KulturPass is hosted on servers within the EU/EEA. In support/maintenance cases, technical service providers of BKM, with whom agreements on third-party data processing have been concluded, are entitled to engage subcontractors outside the EU/EEA, in compliance with the data protection law requirements for such a transfer of data. If these recipients are based in third countries, for which the European Commission has not expressly confirmed the existence of an adequate level of data protection, standard data protection clauses exist with the recipients in accordance with Article 46(2)(c) GDPR.
10. Who is responsible for the processing of data by the cultural providers?
Any processing of your personal data by cultural providers of whose offerings you avail yourself by using your budget is carried out under the sole responsibility of the respective cultural provider. If, for example, you enter any information about your person on the website of a cultural provider, the data processing is carried out under the sole responsibility of the respective cultural provider as the data controller, even if you use the code received from us. We are not responsible for the data processing carried out by the cultural provider and do not transfer any data which could allow you to be identified by the cultural provider.
11. What rights do I have?
11.1
You can withdraw a declaration of consent under data protection law that you have given, at any time with effect for the future. Details on how to do this can be found above in the specific descriptions of the declarations of consent.
11.2
You have the right to request confirmation from us as to whether we are processing personal data relating to you, unless that right is excluded by law (in particular Section 34 BDSG). If you are entitled to this right, you also have a right to information regarding this personal data to the extent stipulated under the law (Article 15 GDPR in conjunction with Section 34 BDSG). You also have the right to request information about whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you can request to be informed about the appropriate safeguards set out in Article 46 GDPR in connection with the transfer.
11.3
You also have the right to request that inaccurate personal data concerning you be rectified and, where applicable – taking into account the purposes of the processing – incomplete personal data be completed, including by means of providing a supplementary statement (Article 16 GDPR).
11.4
Moreover, in the cases described in points (a) to (f) of Article 17(1) GDPR, you have a right to request that personal data be erased, provided no exception under Article 17(3) GDPR applies, as well as a right to restriction of processing in the cases described in Article 18(1) GDPR.
11.5
In the cases set out in Article 20(1), there is also a right to data portability and the right to transmit data to another controller without hindrance.
11.6
You can contact our data protection officer (see Section 2) at any time and consult him/her on any data protection law issues relating to the use of our services.
11.7
You have the right to lodge a complaint with the supervisory authority, if you are of the opinion that the processing of personal data relating to you infringes the GDPR. The competent supervisory authority is the:
German Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Str. 153
53117 Bonn
Telephone: +49 (0)228 997799-0
Email: poststelle@bfdi.bund.de
11.8 Right to object
Where we process your personal data on the basis of Article 6(1)(e) GDPR (processing for the performance of a task in the public interest), you have the right to object. You can object to this data processing on grounds relating to your particular situation. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.
12. Does any automated decision-making/profiling take place?
No. There is no automated decision-making and no profiling.
13. Am I obliged to provide personal data?
You have no obligation to use the KulturPass service, to register yourself or provide proof of identity. There is neither a legal nor a contractual obligation to provide us with personal data in connection with the KulturPass project. However, if you would like to receive and use a budget within the scope of the KulturPass project, this requires registration, including the provision of personal data and proof of identity. It is not possible to make use of the budget without sending personal data.
This Privacy Policy may be modified at any time in the future in line with changing circumstances, in particular to conform to any changes to legal requirements, the practice of public authorities or case law. You can always find the current version in the “Privacy” section of our website or in the settings of the KulturPass app.