Legal Information & Data Protection

1.    INTRODUCTION
By operating our website www.wacken-foundation.com  (hereinafter referred to as the “Website”), we process personal data. We treat such data confidentially and process it in accordance with the applicable laws – in particular the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). With these data protection provisions, we would like to inform you which personal data we collect from you, for what purposes and on what legal basis we use it, and, where applicable, to whom we disclose it. In addition, we will explain which rights you are entitled to in order to safeguard and enforce your data protection rights.

2.    TERMS
Our data protection provisions contain technical terms used in the GDPR and the BDSG. For better understanding, we would like to explain these terms in simple words in advance:

2.1    Personal data
“Personal data” means any information relating to an identified or identifiable natural person (Art. 4(1) GDPR). Information relating to an identified person may include, for example, the name or email address. Personal data also includes data where the identity is not immediately apparent but can be determined by combining one’s own or third-party information and thus finding out who the person is. A person may be identifiable, for example, by their address or bank details, date of birth or user name, IP addresses and/or location data. Relevant here is any information that in any way allows conclusions to be drawn about a person.

2.2    Processing
“Processing” within the meaning of Art. 4(2) GDPR means any operation or set of operations performed on personal data. This includes in particular the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
RESPONSIBLE ENTITY AND DATA PROTECTION OFFICER

3.    CONTROLLER
The controller responsible for data processing is:

Company:            Wacken Foundation ("we")
Authorized representative:     Andreas Faust, Executive Board of the Wacken Foundation
Address:             Hauptstraße 47, 25596  Wacken
Telephone:             +49 (0) 4827- 999 66 642
Fax:                 +49 (0) 4827- 99 69 749
E-mail:                 info@wacken-foundation.com

4.    DATA PROTECTION OFFICER
We have appointed an external data protection officer for our company. You can reach him at:

Name:                 Reinher Karl
Address:             HABEWI GmbH & Co. KG, Palmaille 96, 22767 Hamburg
Telephone:             040/ 18189800
Fax:                 040/ 181898099
E-mail:                 datenschutz@habewi.de

SCOPE OF PROCESSING

5.    SCOPE OF PROCESSING: WEBSITE
In the context of the website at the URL www.wacken-foundation.com, we process your personal data as set out in detail below under sections 6-13. We only process data that you actively provide on our website (e.g. by completing forms) or that you automatically provide when using our services.
Your data is processed exclusively by us and is generally not sold, lent or otherwise disclosed to third parties. If we use external service providers to assist us in processing your personal data, this is done within the framework of so-called commissioned processing, where we, as the client, are entitled to issue instructions to our contractors. For the operation of our website we use external service providers for hosting as well as for maintenance, servicing and further development. If additional external service providers are used for individual processing operations listed in sections 6-13, they will be named there.

As a rule, data is not transferred to third countries, nor is such transfer planned. Any exceptions to this principle will be explained in the processing activities described below.

THE PROCESSING ACTIVITIES IN DETAIL

6.    PROVISION OF THE WEBSITE AND SERVER LOG FILES

6.1    Description of the processing
Each time the website is accessed, we automatically collect information that your browser transmits to our server. This information is also stored in so-called log files of our system. This includes the following data:

•    Your IP address
•    the browser software you use, as well as its version and language
•    the operating system you use
•    the website from which you accessed our website (so-called referrer)
•    the subpages of our website you accessed
•    the date and time you accessed our website
•    amount of data transmitted

Your IP address is recorded in the log files only in shortened form by truncating the last three digits.

6.2    Purpose
The processing is carried out in order to enable access to the website and to ensure its stability and security. In addition, the processing serves statistical evaluation and improvement of our online offering.

6.3    Legal basis
The processing is necessary to safeguard the overriding legitimate interests of the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose stated in section 6.2.

6.4    Storage period
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of data collected to provide the website, this is the case when the respective session has ended. The log files are deleted after 30 days.

7.    CONTACT BY E-MAIL

7.1    Description of the processing
You can contact us via the email addresses provided on the website. In this case, the personal data transmitted with the email will be processed by us.

7.2    Purpose
The data transmitted with your email will be used exclusively for the purpose of processing and responding to your enquiry.

7.3    Legal basis
The processing is necessary to safeguard the overriding legitimate interests of the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose stated in section 7.2. If email contact aims at the conclusion or performance of a contract, the data processing is carried out for the performance of the contract (Art. 6(1)(b) GDPR).

7.4    Storage period
We delete the data as soon as it is no longer required to achieve the purpose for which it was collected. This is usually the case when the respective communication with you has ended. Communication is deemed to have ended when it can be inferred from the circumstances that your matter has been conclusively clarified. If statutory retention periods prevent deletion, the data will be deleted immediately after expiry of the statutory retention period.

8.    COOKIES

8.1    Description of the processing
Our website uses cookies. Cookies are small text files that are stored on the user’s device when visiting a website. Cookies contain information that makes it possible to recognise a device and, if applicable, to enable certain functions of a website. In most cases, we only use so-called “session cookies”. These are automatically deleted when you end your internet session and close the browser. Other cookies remain stored on your device for a longer period of time and enable partner companies to recognise your browser or computer again (persistent cookies). Depending on the cookie, persistent cookies are automatically deleted according to the specified storage period.

8.2    Purpose
We use cookies to make our website more user-friendly and to provide the functions described in section 8.1. Among other things, we work with advertising partners who help us make our website as interesting as possible for you. For this purpose, cookies from third parties, our partner companies, may also be stored on your hard drive. If we allow third parties to use such cookies, we will inform you in the following sections about the information collected in this way.

8.3    Legal basis
The processing is necessary to safeguard the overriding legitimate interests of the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose stated in section 8.2.

8.4    Storage period
Cookies are automatically deleted at the end of a session or upon expiry of the specified storage period. Since cookies are stored on your device, you as a user have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies.
Below we have compiled links to instructions showing how you can change the settings in common browsers. Further information is available in your browser’s support menu:

Internet Explorer: windows.microsoft.com/de-DE/windows-vista/Block-or-allow-cookies

Firefox: support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen

Chrome: support.google.com/chrome/bin/answer.py

Safari: support.apple.com/kb/ph21411

Opera: help.opera.com/Windows/10.20/de/cookies.html

Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies for our website are disabled, some functions of our website may not be available or may only be available to a limited extent

9.    SOCIAL NETWORKS
Our website does not use so-called social media plugins. The social network logos for Facebook, Twitter and Instagram displayed on our website are merely linked to the corresponding profiles of our organisation. If you click on one of the logos, you will be redirected to the external website of the respective social network.

10.    YOUTUBE VIDEOS

10.1    Description of the processing
Our website uses services of “YouTube”, a video platform operated by YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA (hereinafter “YouTube”). YouTube is represented by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We use YouTube by embedding individual videos from the platform on our website as so-called iFrames (embedding) so that they can be played directly on our website. The videos are embedded in the “enhanced privacy mode” offered by YouTube, i.e. no personal data is transmitted to Google as long as you do not play the videos. Only when you play a video will data be transmitted to Google, over which we have no influence. When you play an embedded video on a subpage of our website, Google is informed which subpage you visited and which video you watched. Your IP address may also be transmitted to Google. If you are logged in as a YouTube or Google user, Google assigns this information to your user account. Google stores your data as usage profiles and uses it for advertising purposes, market research and/or the needs-based design of Google websites. You have the right to object to the creation of these usage profiles; to exercise this right you must contact Google directly. Further information on data protection at Google can be found at www.google.com/intl/de-DE/policies/privacy/.

10.2    Purpose
The processing is carried out in order to be able to display videos on our website.

10.3    Legal basis
The processing is necessary to safeguard the overriding legitimate interests of the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose stated in section 11.2.

10.4    Recipients and transfer to third countries
By embedding YouTube, personal data may be transmitted to YouTube LLC and/or Google. Google also processes your personal data in the USA and has submitted to the EU-US Privacy Shield. Further information on the EU-US Privacy Shield can be found at www.privacyshield.gov/EU-US-Framework.

11.    VIMEO VIDEOS

11.1    Description of the processing
Our website uses services of “Vimeo”, a video platform operated by Vimeo LCC, 555 West 18th Street, New York, New York 10011, USA (hereinafter “Vimeo”). We use Vimeo by embedding individual videos from the platform on our website as so-called iFrames (embedding) so that they can be played directly on our website. When you visit a subpage of our website on which a video is embedded, a connection to the Vimeo servers is established and the video is displayed within our website. This transmits to Vimeo which website you have visited. Your IP address may also be transmitted to Vimeo. When you play an embedded video, this information is also passed on to Vimeo. If you are logged in as a Vimeo user, Vimeo assigns this data to your user account. Further information on data protection at Vimeo can be found at vimeo.com/privacy.

11.2    Purpose
The processing is carried out in order to be able to display videos on our website.

11.3    Legal basis
The processing is necessary to safeguard the overriding legitimate interests of the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose stated in section 12.2.

11.4    Recipients and transfer to third countries
Vimeo also processes data in the USA.

12.    DOUBLECLICK BY GOOGLE

12.1    Description of the processing
Doubleclick by Google is a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Doubleclick by Google uses cookies to present you with advertising that is relevant to you. Your browser is assigned a pseudonymous identification number (ID) in order to check which ads were displayed in your browser and which ads were accessed. The cookies do not contain personal information.

12.2    Purpose
The use of DoubleClick cookies enables Google and its partner websites to place ads based on previous visits to our website or other websites on the internet.

12.3    Legal basis
The processing is necessary to safeguard the overriding legitimate interests of the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose stated in section 19.2.

12.4    Storage period and right to object
The storage period as well as your control and setting options for cookies are explained in section 10. You can prevent the storage of cookies by setting your browser software accordingly; however, we point out that in this case you may not be able to use all functions of our websites to their full extent. You can also prevent the collection of the data generated by the cookies and related to your use of the websites by Google as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link under “DoubleClick opt-out extension”: adssettings.google.com/authenticated . Alternatively, you can deactivate DoubleClick cookies on the website of the Digital Advertising Alliance via the following link: optout.aboutads.info .

12.5    Recipients and transfer to third countries
The information generated by the cookies is transmitted by Google for evaluation to a server in the USA and stored there. Google complies with the data protection provisions of the “Privacy Shield” agreement and is registered with the “Privacy Shield” programme of the US Department of Commerce. Google will only transfer data to third parties on the basis of legal requirements or within the scope of commissioned data processing. Under no circumstances will Google combine your data with other data collected by Google. Further information on the EU-US Privacy Shield can be found at www.privacyshield.gov/EU-US-Framework. Google’s privacy policy can be viewed at www.google.de/intl/de/policies/privacy .

SECURITY MEASURES

13.    SECURITY MEASURES
To protect your personal data from unauthorised access, we have equipped our website with an SSL or TLS certificate. SSL stands for “Secure Sockets Layer” and TLS for “Transport Layer Security” and encrypts data communication between a website and the user’s device. You can recognise active SSL or TLS encryption by a small lock icon displayed on the far left of the browser’s address bar.

YOUR RIGHTS

14.    DATA SUBJECT RIGHTS
With regard to the data processing by our organisation described above, you have the following data subject rights:

14.1    Right of access (Art. 15 GDPR)
You have the right to request confirmation from us as to whether personal data concerning you is being processed. If this is the case, you have a right of access to this personal data and to the further information listed in Art. 15 GDPR, under the conditions set out therein.

14.2    Right to rectification (Art. 16 GDPR)
You have the right to request that we rectify inaccurate personal data concerning you without undue delay and, where applicable, to have incomplete personal data completed.

14.3    Right to erasure (Art. 17 GDPR)
You have the right to request that we erase personal data concerning you without undue delay, provided that one of the reasons listed in detail in Art. 17 GDPR applies, e.g. if your data is no longer required for the purposes pursued by us.

14.4    Right to restriction of processing (Art. 18 GDPR)
You have the right to request restriction of processing from us if one of the conditions set out in Art. 18 GDPR is met, e.g. if you contest the accuracy of your personal data, processing will be restricted for the period enabling us to verify the accuracy of your data.

14.5    Right to data portability (Art. 20 GDPR)
You have the right, under the conditions set out in Art. 20 GDPR, to request the provision of the data concerning you in a structured, commonly used and machine-readable format.

14.6    Withdrawal of consent (Art. 7(3) GDPR)
Where processing is based on consent, you have the right to withdraw your consent at any time. The withdrawal takes effect from the time it is asserted. In other words, it takes effect for the future. The withdrawal of consent therefore does not make the processing retroactively unlawful.

14.7    Right to lodge a complaint (Art. 77 GDPR)
If you believe that the processing of personal data concerning you infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. You may exercise this right with a supervisory authority in the EU Member State of your habitual residence, your place of work or the place of the alleged infringement.

14.8    Prohibition of automated decisions / profiling (Art. 22 GDPR)
Decisions that produce legal effects concerning you or similarly significantly affect you may not be based solely on automated processing of personal data – including profiling. We hereby inform you that we do not use automated decision-making, including profiling, with regard to your personal data.

14.9    Right to object (Art. 21 GDPR)
If we process personal data about you on the basis of Art. 6(1)(f) GDPR (to safeguard overriding legitimate interests), you have the right to object under the conditions set out in Art. 21 GDPR. However, this applies only insofar as there are reasons arising from your particular situation. After an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms. We also do not have to stop processing if it serves the establishment, exercise or defence of legal claims. In any case – even irrespective of a particular situation – you have the right to object at any time to the processing of your personal data for direct marketing purposes.

Status: May 2018