Data Protection

With this Privacy Policy, we, as the data controller, inform you, in accordance with the provisions of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), about the nature, scope, and purpose of personal data processing in connection with our online services.

I. Definitions

'Personal data' means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

'Recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

II. General Information

1. Data Controller

ProWST Projektgesellschaft Württembergische Staatstheater Stuttgart GmbH
Königsbau Passagen, Friedrichstrasse 45
70174 Stuttgart
Germany
Phone: 0711-826508-0
Email: kontakt@prowst.de

2. Contact Details of the Data Protection Officer

OBSECOM GmbH
Königstr. 40
70173 Stuttgart
Germany
Phone: +49 711 46 05 025-40
Fax: +49 711 46 05 025-49
Email: prowst@obsecom.eu
Website: https://www.obsecom.eu

3. Legal Bases

We process personal data based on at least one of the following legal bases:

  • Consent of the data subject to the processing of their personal data for one or more specific purposes (Art. 6(1) lit. a GDPR);
  • Performance of a contract with the data subject or for the implementation of pre-contractual measures taken at the request of the data subject (Art. 6(1) lit. b GDPR);
  • Compliance with a legal obligation to which we are subject (Art. 6(1) lit. c GDPR);
  • Protection of the vital interests of the data subject or of another natural person (Art. 6(1) lit. d GDPR);
  • Legitimate interests pursued by us or by a third party (Art. 6(1) lit. f GDPR)

In this Privacy Policy, we subsequently refer to the respective legal basis for individual processing operations.

4. Disclosure of Data to Recipients

We disclose personal data to recipients (processors or other third parties) only to the extent necessary and only under one of the following conditions:

  • The data subject has consented to the disclosure;
  • The disclosure serves to fulfill contractual obligations or pre-contractual measures initiated by the data subject;
  • We are legally obligated to disclose the data;
  • The disclosure is based on our legitimate interests or those of a third party.

5. Third Countries

The transfer of personal data to a country or an international organization outside the European Union (EU) or the European Economic Area (EEA) is, subject to legal or contractual permissions, only carried out in accordance with the requirements of Art. 44 et seq. GDPR. This means that an adequacy decision by the EU Commission pursuant to Art. 45 GDPR exists for the country concerned, or appropriate safeguards for data protection pursuant to Art. 46 GDPR, or binding corporate rules pursuant to Art. 47 GDPR are in place. In individual cases, data transfer may be permissible based on an exception in Art. 49 GDPR.

We may have integrated external services on our website whose providers are based in the USA. If these services are active, personal information will be collected in connection with the provision of the respective service and potentially transferred to servers in the USA and stored there. The European Court of Justice considers the USA to be a country with an inadequate level of data protection. When data is transferred to the USA, there is generally a risk that US authorities may access and use this data for control and surveillance purposes without notification and without available legal remedies.

6. Data Subject Rights

As a data subject, you have the following rights:

  • Pursuant to Art. 15 GDPR, you can request information about your personal data processed by us; furthermore, you can request information regarding the purposes of processing, the categories of personal data processed, the recipients or categories of recipients to whom your data has been or will be disclosed, the planned storage period or the criteria for determining the storage period, the origin of your data if it was not collected from you, the existence of automated decision-making including profiling and, if applicable, meaningful information about its details such as logic, scope, and effects, the existence of a right to rectification or erasure of data concerning you, the right to restriction of processing or objection to such processing, and the existence of a right to lodge a complaint with a supervisory authority; finally, you have a right to be informed whether personal data has been transferred to a third country or an international organization and – if so – about the appropriate safeguards relating to the transfer.
  • Pursuant to Art. 16 GDPR, you can request the immediate rectification of inaccurate or the completion of your personal data stored by us;
  • Pursuant to Art. 17 GDPR, you can request the erasure of your personal data stored by us, unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims;
  • Pursuant to Art. 18 GDPR, you can request the restriction of processing of your personal data insofar as the accuracy of the data is contested by you, the processing is unlawful but you oppose its erasure and we no longer need the data, you require the data, which we no longer need, for the establishment, exercise, or defense of legal claims, or you have objected to the processing pursuant to Art. 21 GDPR, but it has not yet been determined whether our legitimate grounds for data processing override your interests;
  • Pursuant to Art. 20 GDPR, you can request the provision of your personal data, which you have provided to us, in a structured, commonly used, and machine-readable format, or request its transmission to another controller;
  • Pursuant to Art. 21 GDPR, you can object to the processing of your personal data insofar as there are grounds arising from your particular situation or the objection is directed against direct marketing and the legal basis for the processing of personal data is legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR;
  • Pursuant to Art. 7 para. 3 GDPR, you can withdraw your once-granted consent at any time with us. This means that we may no longer continue the data processing that was based on this consent for the future;
  • Pursuant to Art. 77 GDPR, you can lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement. A list with contact details of the data protection officers in the federal states can be found at the following link: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.

If you wish to assert the aforementioned data subject rights, you can contact us or our data protection officer at any time using the contact details provided above.

7. Erasure and Restriction of Personal Data

Unless otherwise stipulated for individual cases in this privacy policy, personal data will be erased when it is no longer necessary for the purposes for which it was collected or otherwise processed, and no statutory retention obligations prevent its erasure. Furthermore, we erase personal data processed by us upon request pursuant to Art. 17 GDPR, provided the conditions specified therein are met. If personal data is required for other legally permissible purposes, it will not be erased, but its processing will be restricted pursuant to Art. 18 GDPR. In the event of restriction, the data will not be processed for other purposes. This applies, for example, to personal data that we are required to retain for commercial or tax law reasons. For instance, documents pursuant to § 257 para. 1 nos. 2 and 3 of the German Commercial Code (HGB) and § 147 para. 1 nos. 2, 3, 5 of the German Tax Code (AO) are retained for 6 years, and documents pursuant to § 257 para. 1 nos. 1 and 4 HGB and § 147 para. 1 nos. 1, 4, 4a AO are retained for 10 years.

8. Cookies

Cookies are used within our online offering. Cookies are small text files that your browser automatically creates and stores on your device (laptop, tablet, smartphone, PC, or similar) when you visit our site. Cookies do not cause any damage to your device, do not contain viruses or other malicious software. Information is stored in the cookie that is generated in connection with the specifically used device. However, this does not mean that we thereby gain immediate knowledge of your identity. Cookies primarily serve to make the online offering more user-friendly, effective, and secure.

The following cookies are used on our website:

8.1 1. Necessary Cookies

The data processed by necessary cookies is required for the stated purposes of safeguarding our legitimate interests and those of third parties in the provision and operation of our website pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR in conjunction with § 25 para. 2 no. 2 TTDSG.

Name:

wires

Purpose:

Recognizes the session during your visit to the website.

Duration:

Session expiry

Example Content:

3a946179d655ab266d7a218d072121da

Most browsers automatically accept cookies. However, if you do not wish this, you can configure your browser to prevent cookies from being stored on your device or to always display a notification before a new cookie is created. Information on removing cookies in Internet Explorer / Edge can be found at: https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies. Information on removing cookies in Firefox can be found at: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox?redirectlocale=en-US&redirectslug=delete-cookies-remove-info-websites-stored. Here you can learn how to remove cookies in Safari: https://support.apple.com/en-gb/guide/safari/sfri11471/mac.

A general objection to the use of cookies for online marketing purposes can be declared for a variety of services, for example, at http://www.youronlinechoices.com/ or the deactivation page of the Network Advertising Initiative http://optout.networkadvertising.org. However, disabling cookies may prevent you from utilizing all functions of our online offering.

III. Individual Processing Operations

1. Hosting

To provide our online offering, we utilize services from hosting companies, including the provision of web servers, storage space, database services, security services, and maintenance services. In this context, we, or our hosting provider, process personal data of users of our online offering based on our legitimate interests in the efficient and secure provision of this online service, in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR.

2. Access Data and Log Files

When accessing our online offering or its individual pages, information is automatically transmitted by the browser on your device to our online offering's server. This information is stored in so-called log files by us or our hosting provider and deleted after a maximum of 7 days.

The following information is stored:

  • IP address of the requesting computer in anonymized form;
  • Date and time of access;
  • Name and URL of the retrieved file;
  • Website from which access was initiated (Referrer URL);
  • Browser used and, where applicable, the operating system of your computer;
  • Status codes and amount of data transferred;
  • Name of your access provider.

This data is processed for the following purposes:

  • Provision of the online offering, including all functions and content;
  • Ensuring seamless website connectivity;
  • Ensuring convenient use of our website;
  • Ensuring system security and stability;
  • Anonymized statistical analysis of access data;
  • Website optimization;
  • Disclosure to law enforcement authorities in the event of an unlawful intrusion/attack on our systems;
  • Additional administrative purposes.

The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest arises from the data collection purposes outlined above. Under no circumstances do we use the collected data for the purpose of drawing conclusions about an individual.

3. General Inquiries

If you contact us using the contact details published on our website (e.g., via email) and transmit personal data to us, we will use this data to process your request based on Art. 6 para. 1 sentence 1 lit. b GDPR, provided that your inquiry is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR and/or our legitimate interest in the effective processing of inquiries addressed to us pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. The data will remain with us until you request its deletion, revoke your consent for storage, or the purpose for data storage ceases to apply (e.g., after your inquiry has been fully processed). Mandatory legal provisions – particularly retention periods – remain unaffected.

4. Applications

If you wish to apply to us, we request your name, contact details, and the submission of application documents so that we can review your application and establish personal contact with you. Data processing for the purpose of handling your application is carried out pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR, based on the consent you voluntarily provide. All personal data collected in connection with the application form will be retained for a period of 6 months after the conclusion of the application process, taking into account the objection periods of the General Equal Treatment Act (AGG), and subsequently deleted, unless retention is necessary for the documentation of other processes (e.g., subsequent employment).

IV. Links to Social Media Profiles

Within our website, we provide hyperlinks to social media profiles on social networks. If you actively click on a link to such a profile, your browser establishes a direct connection with the servers of the respective provider, whereby the provider gains knowledge of your visit. If you are simultaneously logged into the respective social network, the provider can associate the visit to the profile with your user account there. In this context, personal data may be processed in the USA. Further information on the processing of personal data can be found in the privacy policy of the respective social network. The purpose of linking our website with social media profiles is to increase the visibility of our online offering. Accessing social media profiles is based on your voluntary decision pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR. The legal basis for the associated data transfer to the USA is also your voluntarily given consent pursuant to Art. 49 para. 1 lit. a GDPR.

V. Media Content

Within our website, we partially use third-party content that is loaded directly from the servers of the providers specified in detail below. The purpose of integrating this content is to make our online offering more attractive.

1. Other Media Content

The legal basis for the use of the following media content is our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest in using third-party content is to improve the reach of our website through attractive web content. Further legitimate interests are listed individually below.

1.1 Cloudflare cdnjs

This website uses the Content Delivery Network cdnjs. The provider is Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA (hereinafter "Cloudflare"). The purpose of data processing is the provision of static and dynamic web content such as HTML, CSS, .js, and image files on our website. In this context, your IP address, which of our web pages you have visited, and potentially other data that Cloudflare can determine in connection with the connection, are collected. The legal basis for data processing is our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interests include the provision, maintenance, and secure operation of our website. The information collected by Cloudflare in connection with the provision of cdnjs may be transferred to and stored on servers in the USA. Cloudflare has joined the EU-U.S. Data Privacy Framework (EU-U.S. DPF). The data transfer to Cloudflare is thus legitimized on the basis of an adequacy decision pursuant to Art. 45 GDPR. Further information on how Cloudflare handles your personal data can be found in Cloudflare's privacy policy at: https://www.cloudflare.com/de-de/privacypolicy/.


As of: 05/2024