The protection of your privacy is very important to us. We have therefore designed our internet services in a way that processes as little personal data as possible. In as far as we process personal data, this is done in accordance with the legal regulations. We collect your e-mail address and telephone number to make sure that we can inform you of cancellations or changes of shows in good time. We only pass on your data to third parties if we are legally entitled or obliged to do so (e.g. for purposes of contracts or criminal prosecution) or if you expressly wish us to.
Data Protection Declaration
Thank you for visiting our website. We would like to make sure that you enjoy browsing and feel safe. The following data protection regulations of Niedersächsisches Staatstheater Hannover GmbH will give you detailed information on the collection, processing and use of personal data.
General Treatment of your Personal Data
Niedersächsische Staatstheater Hannover GmbH
If you have any questions concerning the collection, processing or use of personal data or regarding information, correction, blocking or deletion as well as the revocation of given approval, please contact: Uwe Bösenberg, data protection officer of Niedersächsisches Staatstheater Hannover GmbH, email@example.com.
We have adopted technical and organisational measures to ensure the most comprehensive protection of your data. In addition to obliging our staff to comply with data secrecy and a careful vetting and control of service providers, we have also made our operating environment more than adequately secure.
On some pages, we use an encryption procedure to avoid unwanted access, particularly in cases where you provide us with data to invoice ticket purchases. Your data are transmitted via the internet, using an SSL-encryption (Secure Socket Layer). When this procedure is used, the lock-symbol in your browser’s status bar is closed and the address bar begins with https://www... When you are merely asking for generally available information, we dispense with the encryption.
Processing of Personal Data
We process personal data that you have actively transmitted to us. Furthermore, we automatically process personal data on account of your visit to our website. Therefore, the following activities may especially lead to processing of your personal data:
- Visiting our website
- Creating a customer account
- Purchasing tickets or vouchers in our webshop
- Contacting us
- Applying for a vacancy tendered on our website
- Analysis of which visitors go to our website and how they use it
- Analysis of the success of our marketing measures
- Personalisation of marketing measures
- Defence against attacks on our technical infrastructure
For details, please see the following explanations.
When you call up our website, your internet browser will automatically transmit data to our web server for technical reasons. These data will then be stored and processed by the company commissioned by us for this purpose. These data are (server log files):
- Browser type and browser version
- Operating system used
- URL of the referencing website
- Host name of accessing computer
- Date and time of the server request
- IP of the terminal that you are using to visit our website
The IP-address is a clearly identifiable numeric address from which your terminal device sends or accesses data to or from the internet. We or our service providers usually do not know who is behind an IP-address, unless you communicate data to us during your visit that enables us to identify you. A user may also be identified if legal measures are taken against them (e.g. in case of attacks against our website) and we are made aware of their identity in the context of the investigation proceedings. In general, therefore, there is no cause for concern that we could match your IP-address with you. By order of the responsible authorities, we may provide information about these data in individual cases if it is required for purposes of criminal prosecution, averting a danger, the accomplishment of legal tasks by intelligence services or military counter-intelligence services, or to enforce our rights to intellectual property. The IP-address is used to enable you technically to access and use our website and to recognise and defend against attack against our service provider or our website.
With this processing procedure, we pursue the legitimate interest of safeguarding the functionality of our website and to defend it against illegal attacks (via our service providers). The legal basis of this processing is Art. 6, par. 1 f) GDPR.
These IP-data are stored separately from other data that you enter during your use of our online services. As a rule, they will be deleted after 14 days if they should no longer be needed for the recognition of or defence against an attack.
We have commissioned the foundation kulturserver.de gGmbH, Almstadtstraße 4, 10119 Berlin, www.ggmbh.kulturserver.de, as the data processing company to operate our website. Compliance with data protection regulations has been stipulated and is checked at regular intervals. The foundation kulturserver.de gGmbH operates servers exclusively located in Germany.
On our website, we use the web analysis software Matomo (previously Piwik). This software utilises a so-called cookie. This is a small text file that is stored on your computer by your browser. By means of this cookie, the software obtains information on which website you called up and above all the following information:
- Browser type, browser engine, browser version
- Operating system
- Type of device
- Monitor resolution
- Access history
- Original website (e.g. Google)
- Date and time
- Dwelling time on the homepage and its subpages
- Recurring visit yes/no
- Anonymised IP-address
The software never creates personal profiles but rather uses pseudonyms at all times. The software does not allow us to generate personalised user statistics for our website. Furthermore, it generates statistics that help us to better understand how our website is found so that we can improve our search engine optimisation and our marketing measures. With this processing, we pursue the legitimate interest of improving both our website and our marketing measures. The legal basis for processing is Art. 6, par. 1 f) GDPR. The anonymised data are deleted after 180 days.
If you do not wish us to use Matomo for your visit to our website, you can state your objection here:
If you send us a message via one of the offered contact options (e.g. contact forms), we will use the data you have given us to process your enquiry. The legal basis for this is our legitimate interest in answering your enquiry according to Art. 6, par. 1 f) GDPR. If your enquiry is for the purpose of concluding a contract, a further legal basis is Art. 6, par. 1 b) GDPR. The data will be deleted after an appropriate period of time after completion of your enquiry. Should we be legally required to store the data for a longer period, they will be deleted once this period has elapsed.
Our online tickets sales are operated by our partner “Eventim”. You can find their data protection regulations on https://www.eventim-inhouse.de/datenschutz/. When you purchase tickets or vouchers in our webshop, we will process the data you have entered for purposes of concluding and implementing the contract. Required amounts of data will be transferred to service providers for purposes of shipping and invoicing. If PayPal is used, all transactions are subject to PayPal’s data protection declaration, accessible on https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE.
The legal basis for processing is Art. 6 par. 1 b) GDPR.
If you claim a reason for a reduced ticket price during your purchase (e.g. because of a severe disability), we will use this to calculate the reduced ticket price and store the reason in order to be able to check credentials for this reduction, e.g. by the front-of-house staff.
Your data are transmitted to commissioned shipping companies in as far as shipping is necessary. For purposes of payment handling, your payment data are transferred to the financial institute or to the payment service provider selected during your order.
Your personal data will not be transferred unless you have expressly agreed to this or we are obliged to comply with legal regulations (e.g. for the exposure of crimes). Transfer of credit card numbers to non-authorised third parties is precluded in all cases.
We also process these data to detect and avoid fraud attempts, based on Art. 6 par. 1 f) GDPR. This is in pursuit of the objective to protect ourselves from fraudulent transactions.
Data that are stored in connection with a contract concerning purchase of tickets will be deleted after the legal requirement period to preserve records has elapsed. In as far as legal requirements for record keeping and preserving apply for the processing of a purchase contract, the legal basis for data processing is Art. 6 par. 1 c) GDPR.
We will delete or anonymise data when they are no longer required for the implementation of the respective contract and no legal requirement periods for preserving records apply anymore.
Tickets can be purchased without giving personal data in cash at our box offices.
Creating a Customer Account
To purchase a ticket online, you have to register first. You can use your customer account for other orders later if you have agreed to data usage according to Art. 6 par. 1 a) GDPR. You can log in to see or change your data here at any time.
For registration, we need your e-mail address, your form of address, first and family names, postal address, data for your selected payment method and your telephone number. These data are used to identify you when you log into your account, to issue and possibly ship tickets to you and to complete the payment transaction. Your voluntary data (e.g. your title or telephone number) will help us to optimise our service.
When you create a customer account in our webshop, we will process the data entered by you to create and administer the account and to enable you to use services in connection with your customer account. The legal basis for this processing is Art. 6 par. 1 a) GDPR. If creating a customer account occurs for purposes of concluding a contract with us, Art. 6 par. 1 b) GDPR is an additional legal basis for processing.
Your data will be stored until your customer account is deleted. If we are legally required to store them beyond that point (e.g. to fulfil book-keeping requirements), or legally entitled to a longer storage period (e.g. due to an ongoing legal dispute with the owner of a customer account), the data will be deleted after the storage obligation or the legal entitlement. If you have not used your customer account over a period that leads us to assume that you will no longer use it, we will delete the customer account without detriment to you.
Contact Data in Luca
The current Covid-regulations of the state of Lower Saxony state that all visitors must provide their contact data for purposes of consistent contact tracing, so that the health authorities can easily contact visitors in question in case of occurring infections or suspected cases. This data collection should occur primarily in digital form, following § 6 par. 1, sentence 8 of the Coronavirus Act of Lower Saxony.
Staatstheater Hannover use the free guest-app Luca for this purpose in order to guarantee accessibility to the health authorities. If you would like to visit performances at Staatstheater Hannover, we ask you to register with Luca before your visit.
The data protection declaration of Luca will inform you about the scope, nature and purpose of personal data processing:
At no time will Staatstheater Hannover have access to the information about your contacts or locations that is stored with Luca because they have been encrypted by Luca. In case of an infection, the health authority in charge will call Staatstheater Hannover to provide them with the contact data of the visitors in question via a security code allotted to them. Only the health authority will be able to access this information on contacts or location. The Infection Protection Act in connection with the currently valid Coronavirus Act of the state of Lower Saxony and the Corona Regulations of the region of Hanover oblige Staatstheater Hannover to release the respective contact data. Data transfer to the health authorities will occur exclusively encrypted via Luca.
We would like to inform you about the processing of personal data in connection with Zoom-usage in the following.
Purpose of Processing
We use Zoom as a tool to carry out online meetings, events and/or webinars (henceforth: online meetings). Zoom is a service of Zoom Video Communications, Inc., based in the US.
If you access Zoom’s website, their service provider is responsible for data processing. However, accessing Zoom’s website is only necessary to download the software needed to use Zoom. You can also use Zoom by entering the respective meeting-ID and, as the case may be, other access data for the meeting directly into the Zoom-app. If you cannot or do not want to use the Zoom-app, the tool’s basic functions are also accessible via a browser version that you can also find on Zoom’s website.
What Data will be Processed?
Various kinds of data will be processed when you use Zoom. The range of data also depends on which data you enter before or while you take part in a meeting. In order to take part in an online meeting or enter the meeting space, you will have to at least state your name; this name can be selected freely. The following personal data are subject to processing:
- User details: Name, e-mail address, phone number (optional), password (if “single-sign on” is not used), profile picture (optional), department (optional)
- Meta data of the meeting: Topic, description (optional), participants‘ IP-addresses, information on device/hardware
- Recordings (optional): We have generally deactivated the function of recording and storing online meetings via Zoom as an MP4-file or saving chats.
- Telephone dial-up: Information on incoming and outgoing telephone number, name of the country, time of start and end. As need be, further connection data, like the device’s IP-address, may also be saved.
- Text, audio and video files: You may have the option to use the chat, question or survey functions. To this extent, the text you have entered will be processed in order to present it during the online meeting and to possibly log it. In order to enable video presentation and audio rendering, the data of your device’s microphone and, if applicable, video camera will be processed for the duration of your meeting. You can switch off or mute your camera or microphone at any time via Zoom’s applications.
Scope of Processing
We use Zoom to carry out online meetings. All participants are informed about the purpose and topic of the online meeting beforehand. Depending on the purpose of the online meeting, different deletion deadlines may apply.
We generally do not record online meetings; otherwise we will let you know about this beforehand in a transparent fashion and – as far as required – ask for your permission. The fact that the meeting is being recorded will also be indicated in the Zoom-app.
If it is necessary for purposes of logging the results of an online meeting, we will log chat content. But as a rule, this is not the case.
In the case of webinars, we may process the questions posed by participants for purposes of recording and post-processing.
If you have registered with Zoom as a user, reports on online meetings (metadata of the meeting, data on phone dial-up, questions and answers in webinars, survey function in webinars) can be saved for up to one month by Zoom.
Automated decision-making within the meaning of Art. 22 GDPR will not be employed.
Legal Basis of Data Processing
In as far as personal data are processed, Art. 6 par. 1 lit. f) GDPR is the legal basis for data processing. In these cases, our legitimate interest is the effective operation of online meetings.
Other than that, the legal basis for data processing in the course of operating online meetings is Art. 6 par. 1 lit. b) GDPR as far as the meetings are carried out in the context of contractual relations.
Recipient / Transfer of Data
Personal data that are processed in the context of participating in Zoom-online meetings are generally not passed on to third parties unless they are destined to be passed on. Please note that content from online meetings or personal meetings for purposes of discussion often serves precisely to communicate information to customers, interested or third parties, and is thus destined to be passed on.
Other recipients: The provider of Zoom will necessarily be made aware of the data mentioned above, as far as this is stipulated within the context of our data processing contract with Zoom.
Data Processing outside the European Union
Zoom is a service rendered by a provider from the US. Personal data processing will thus also occur in a third country. Our data processing contract with Zoom complies with the requirements of Art. 28 GDPR.
An appropriate level of data protection is guaranteed by the conclusion of so-called EU standard contractual clauses. As an additional protective measure, we have designed our Zoom-configuration in a way that lets us operate our online meetings via our own connecting servers, which are exclusively located in EU-datacentres: After log-in or, respectively, authentication via Zoom US, the connection with the online meeting is transacted on our systems, which are operated by DTS Systeme GmbH.
If you submit an application to a vacancy tendered by us or send us an unsolicited application, we will process your data for purposes of carrying out the application process and for decisions regarding the establishment of an employment relationship. The legal basis for processing is § 26 BDSG and secondarily Art. 6 par. 1 f) GDPR.
If we should be unable to consider your application, we will delete your application including all submitted documents two months after our rejection, unless further storage is in our legitimate interest in order to be able to prove compliance with legally binding duties, e.g. according to the General Equal Treatment Act (GETA). In these cases, deletion occurs when these reasons no longer exist. Legal basis for prolonged storage is § 26 BDSG and secondarily Art. 6 par. 1 f) GDPR.
By withdrawing your application, you can object to further processing of your data at any time.
If we enter into an employment relationship with you, we will inform you about processing of your data and your rights on a separate occasion.
Supplier and Invoice Data
In the context of handling supplier contracts, we collect contact data (first and family name, postal address, e-mail address, telephone number, tax number) and bank details. Supplier data are primarily business-oriented and therefore not subject to data protection laws. As far as natural persons are concerned by this, we will process these data on the basis of the respective contract for the lawful transaction according to Art. 6 par. 1 lit. b) GDPR and will delete the data following the legal periods for preserving records, which according to trade and tax regulation is usually after ten years.
Right of Information
According to Art 15 GDPR, you have the right to demand confirmation on whether we process your personal data. If this is the case, you have the right to information about these personal data and to the information detailed in Art. 15 GDPR.
Right to Correction
According to Art. 16 GDPR, you have the right to demand immediate correction of incorrect personal data that refer to you. With consideration of the purposes of processing, you also have the right to demand the completion of incomplete personal data, also by means of a complementing declaration.
Right to Deletion
You have the right to demand that personal data that refer to you are immediately deleted. We are obliged to delete personal data immediately as long as one of the reasons detailed in Art. 17 GDPR applies. For details, please see Art. 17 GDPR.
Right of Restriction of Processing
According to Art. 18 GDPR, you have the right to demand a restriction of the processing of your personal data under certain conditions.
Right of Data Portability
In certain cases detailed in Art. 20 GDPR, you have the right to obtain your personal data in a structured, established and machine-readable format, or respectively to demand the communication of these data to another responsible party with no hindrance from our side, as long as the processing is based on agreement according to Art. 6 par. 1 a) GDPR or Art. 9 par. 2a) GDPR or on a contract according to Art. 6 par. 1b) GDPR, and the processing occurs by means of automatic procedures.
Right of Objection
According to Art 21 GDPR, if data is collected on the basis of Art. 6, par. 1 p. 1 lit. e) or f), you have the right to object to the processing these data; this also applies to any profiling based on these regulations.
Should we process your personal data for purposes of direct marketing, you have the right to object to the processing of your personal data for purposes of such marketing at any time; this also applies to profiling if it is connected to such direct marketing.
If you would like to exercise one of your rights, please contact us as the responsible party at the contact data stated above or use one of the other suggested ways of sending your message to us. If you have any questions, please contact us at firstname.lastname@example.org.
Your Right of Complaint with a Supervisory Authority
According to Art. 77 GDPR, you have the right to register a complaint with the supervisory authority, irrespective of any other legal redress concerning administrative or general law. This law applies especially in the member state of your residence, your workplace or the location of the alleged infraction, if you should be of the opinion that the processing of your personal data is in breach of the GDPR.
The postal address of the state representative for data protection in Lower Saxony is: Prinzenstraße 5, 30159 Hannover.