1. Who is responsible for the data processing and whom can I contact?
Controller of your personal data within the meaning of Art. 4 (7) of the European General Data Protection Regulation (“GDPR”) is:
Berlin Phil Media GmbH
Leipziger Platz 1
Managing directors: Olaf Maninger and Robert Zimmermann
Phone: +49 (0)30 206 246 936
Fax: +49 (0)30 206 246 920
You may contact our data protection officer at:
Berlin Phil Media GmbH
– data protection officer –
Leipziger Platz 1
Phone: +49 (0)30 206 246 936
2. What sources and data do we use?
2.1 Visiting our Website
When you visit our website, the browser on your device automatically sends information to the server on our website. This information is temporarily stored in a so-called log file. The following information is collected and stored until it is automatically deleted: IP address of the requesting computer; date and time of access; name and URL of the accessed file; website from which access is made (“referrer URL”); if applicable, the search engine you used; the browser used; and, if applicable, the operating system of your computer as well as the name of your access provider.
The mentioned data will be processed by us for the following purposes:
- ensuring a functioning connection of the website,
- ensuring comfortable use of our website,
- statistical evaluation using a pseudonym in order to optimize our website as well as the quality and range of our offers,
- evaluation of system security and stability, and
- for other administrative purposes.
The legal basis for data processing is Art. 6 (1) (b) GDPR, insofar as data processing is required for the provision of the website or billing purposes. Apart from this, the processing is based on Art. 6 (1) (f) GDPR. Our legitimate interests follow from the purposes listed above for data collection. The log files are deleted after the end of the respective browser session, at the latest after seven days, unless their further storage is required for the above-mentioned purposes.
You can object to the statistical analysis of the log files at any time by sending an e-mail to email@example.com.
For each institutional access, Berlin Phil Media compiles the following – completely anonymous – statistics on the basis of this data: Number of institutional individual users (total/active); minutes viewed (total/average per institutional individual user); usage time (total/average per institutional individual user); number of rejected/blocked institutional individual users, total usage by device type (mobile, TV, desktop). These statistics (not: the underlying data) can be accessed by the educational institution in a password-protected area of the website http://institutions.digitalconcerthall.com/.
2.2 Using the Digital Concert Hall
In addition, we process personal data that we receive from you in the course of our business relationship. The legal basis for this is Art. 6 (1) (b) GDPR.
For example, we process personal data if you provide it to us when registering as a customer of the Digital Concert Hall or as a guest of the online shop. Customers of the Digital Concert Hall within the meaning of these data protection regulations are also members of an educational institution (“institutional individual users”) who register as customers of the Digital Concert Hall and use it free of charge as part of the DIGITAL CONCERT HALL FOR INSTITUTIONS initiative via multiple access capability of their educational institution (“institutional access”).
Berlin Phil Media requires the following data for the execution and processing of the streaming services offered in the Digital Concert Hall and the orders in the online shop: Title, full name, date of birth, email address, address (billing address and, if applicable, different shipping address), bank details or credit card data, and – for institutional individual users – name of the educational institution and status of the institutional individual user (student, teacher, employee). When registering as a customer of the Digital Concert Hall, you must also choose a password to allow future access to the customer area without having to re-enter your personal data. For registered customers, Berlin Phil Media sets up a customer account in which the customer's data is stored for further concert visits in the Digital Concert Hall or for further orders. You can access, correct and delete the data stored there at any time.
If an educational institution wishes to apply for institutional access as part of the DIGITAL CONCERT HALL FOR INSTITUTIONS initiative, Berlin Phil Media requires the following personal data in order to submit an individual contract offer to the educational institution and to set up institutional access: Type, name, address, and IP range of the educational institution; full name of the authorized representative; full name, job title, e-mail address and telephone number of a contact person.
3. For what purpose and on what legal basis do we process your data?
We process personal data in accordance with the provisions of the GDPR and the German Federal Data Protection Act (Bundesdatenschutzgesetz – “BDSG”):
3.1 For the performance of contracts and pre-contractual measures (Art. 6 (1) (b) GDPR)
The processing of personal data (Art. 4 (2) GDPR) takes place for the provision of the (streaming) services offered on our website, for the processing of the purchase contracts concluded in our online shop, for billing, implementation of pre-contractual measures and for answering your inquiries in connection with our business relationship.
As part of the DIGITAL CONCERT HALL FOR INSTITUTIONS initiative, data processing is used, among other things, to provide services, to prepare for the conclusion of the contract and to set up institutional access (the IP area is specified for the purpose of verifying the individual institutional users who have to register via the educational institution's network and log in every four weeks).
Further details for the purpose of data processing can be found in the respective contractual documents and terms and conditions.
3.2 For legitimate interests (Art. 6 (1) (f) GDPR)
If necessary, we process your data beyond the actual fulfilment of the contract to protect the legitimate interests of us or third parties, for example in the following cases:
- Answering your questions outside of a contract or pre-contractual measures;
- advertising or market and opinion research, unless you have objected to the use of your data;
- operation and optimization of the website;
- use of reCAPTCHA according to point 7 below;;
- enforcement of legal claims and defence in legal disputes;
- ensuring our IT security and IT operations;
- prevention and investigation of criminal offences.
- anonymized evaluation of streaming behavior as proof to music publishers, GEMA, and Stiftung Berliner Philharmoniker.
3.3 On the basis of your consent (Art. 6 (1) (a) GDPR)
If you have given us your consent to process personal data for specific purposes, this processing is lawful on the basis of your consent. You can withdraw your consent at any time. Please note that the withdrawal will only take effect for the future. The lawfulness of our processing based on your consent which took place before the withdrawal is not affected.
3.4 Due to legal obligations (Art. 6 (1) (c) GDPR)
In addition, we are subject to various legal obligations. The purposes of the processing include, inter alia, the fulfilment of retention periods under commercial and tax law.
On our website we use technically necessary cookies, web analysis cookies and tracking cookies for advertising purposes:
4.1 Technically necessary cookies
Most of the cookies we use are technically necessary to enable you to use our website and the services offered on it (e.g. secure login, adding products to the shopping cart in the order process) (“session cookies”). Our legitimate interest in data processing lies in these purposes; the legal basis is Art. 6 (1) (f) GDPR. The data will not be combined with other personal data and will not be used for advertising purposes. Session cookies are deleted after the end of the respective browser session, at the latest after seven days.
4.2 Web analysis cookies (Google Analytics)
For this web analysis we use the service Google Analytics, which is operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
On our behalf, Google uses this information as a processor within the meaning of Art. 28 GDPR to evaluate your use of the website, to compile reports on website activities and to provide the website operator with further services associated with website use and Internet use. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data.
You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google for all websites by downloading and installing the browser plug-in available at https://tools.google.com/dlpage/gaoptout?hl=en.
You can also – especially with browsers on mobile devices – prevent Google Analytics from collecting and processing your data by clicking here. An opt-out cookie will be set to prevent future collection of your data by Google Analytics when you visit this website. Please note that this opt-out cookie only applies to this browser and this website and will be deleted if you delete all cookies in your browser.
4.3 Tracking cookies for advertising purposes
If you have given your consent on our website, we also use tracking cookies for the purpose of targeted and interest-related online advertising (“advertising cookies”). These cookies collect and store information about your use of our website in pseudonymous form. The legal basis for data processing is Art. 6 (1) (a) GDPR. You give your consent to this tracking on our website by clicking on “OK” in our cookie banner; no advertising cookies are set or other tracking technologies (e.g. tracking pixels) are activated before this happens. The lawfulness of the processing carried out on the basis of your consent until withdrawal remains unaffected. We do not combine the information with other personal data that you voluntarily provide to us when you use the services on our website. We use the information to place advertisements on our website and on the websites of third parties (insofar as these are part of our advertising network) that correspond to your interests. You also benefit from this because you will be confronted with less advertising that is not tailored to your interests. We also use the information to measure and optimize the success of our advertising campaigns.
If you have given your consent on our website, we use the following tracking cookies (and tracking pixels) for advertising purposes:
4.3.1 Google AdWords with conversion tracking
This website uses the online advertising service Google Adwords with conversion operated by Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (“Google”).
We use the service to place ads on the results page of a Google search or a Google advertising network website using Google (so-called AdWords). Our purpose is to draw your attention to our offers. Conversion tracking enables us to measure how successful our individual advertising measures are by means of certain parameters (e.g. insertion of advertisements or clicks by the user).
When you click on an ad placed by Google, Google stores a conversion tracking cookie on your computer. These cookies usually expire after 30 days and are not intended to identify you personally. For this cookie, the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (mark that the user no longer wishes to be addressed) are usually stored as analysis values.
These cookies help Google recognize your browser. If you visit certain websites on an AdWords customer's website and the cookie has not yet expired, Google and the customer may recognize that you clicked on the ad and were redirected to the website. A different cookie is assigned to each AdWords customer. Cookies therefore cannot be traced through the websites of AdWords customers. We do not collect and process any personal data when using Google AdWords. We only receive statistical evaluations from Google with the total number of users who clicked on an ad and were redirected to a website with a conversion tracking tag. On the basis of these evaluations we can recognize which of the used advertising measures are particularly effective. We do not receive any further data from the use of advertising material; in particular, we cannot identify users on the basis of this information.
Due to the technologies used, your browser automatically establishes a direct connection to a Google server in the USA. The transfer of your information to a third country outside the EU is covered by an adequacy decision of the Commission within the meaning of Art. 45 GDPR, as Google has self-certified its adherence to the principles of the EU-US Privacy Shield (https://www.privacyshield.gov/EU-US-Framework). By integrating AdWords with conversion tracking, Google receives the information that you have called up the corresponding website of our web presence or clicked on an advertisement from us. If you are registered with a Google service, Google may associate the data with your account. Even if you are not registered or logged in to Google, it is possible that Google may obtain and store your IP address.
You can prevent participation in this tracking procedure by choosing the appropriate cookie settings in your browser (see above) or by setting your browser so that cookies are blocked by the domain www.googleadservices.com (https://www.google.de/settings/ads). This setting is deleted if you delete your cookies. You can also deactivate personalized ads from providers that are part of the “About Ads” self-regulation campaign (http://www.aboutads.info/choices)which will also be deleted if you delete your cookies. You can also permanently deactivate personalized advertising in your browsers (Firefox, Internet Explorer, Google Chrome) at http://www.google.com/settings/ads/plugin Please note that in this case you may not be able to use all functions of our website in full.
Further information on data processing in the context of Google AdWords can be found at https://policies.google.com/privacy?hl=policies.
4.3.2 Google Analytics Remarketing (Cross-Device-Tracking)
This website uses Google Analytics Remarketing, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) for the purpose of cross-device remarketing.
This tool links the advertising target groups created with Google Analytics Remarketing to the cross-device features of Google AdWords and Google DoubleClick. This means that personalized and interest-related advertisements that were displayed to you on one device (e.g. smartphone) based on your previous usage and surfing behavior can also be displayed on other devices you use (e.g. tablet, PC).
If you have given Google permission (Art. 6 (1) (a) GDPR), Google will link your web and app browsing history to your Google Account for this purpose. This allows the same personalized ads to appear on every device you sign in to with your Google Account. You can withdraw your consent to the summary of information collected in your Google Account with Google at any time.
When you use these features, Google Analytics collects Google's authenticated user IDs that are temporarily linked to our Google Analytics data to define and create cross-device ad targeting.
4.3.3 Facebook Retargeting (Facebook Custom Audiences)
This website uses the remarketing function “Custom Audiences” of Facebook Inc, 1601 Willow Road, Menlo Park, CA 94025, USA (“Facebook”). This allows users of the website to view interest-based advertisements (“Facebook ads”) when visiting the social network Facebook or other websites that also use the process. We are interested in showing you advertisements that are of interest to you in order to make our website more interesting for you.
Based on the marketing tools used (Facebook tracking pixel), your browser automatically establishes a direct connection to a Facebook server in the USA. The transfer of your information to a third country outside the EU is covered by an adequacy decision of the Commission within the meaning of Art. 45 GDPR, because Facebook has self-certified its adherence to the principles of the EU-US Privacy Shield (https://www.privacyshield.gov/EU-US-Framework). By integrating Facebook Custom Audiences, Facebook receives the information that you have called up the corresponding website of our Internet presence, or have clicked on an advertisement from us. Facebook also receives the same information when it visits third-party websites, which also contain a Facebook tracking pixel. If you are registered with a Facebook service, Facebook can associate your visit with your account. Even if you are not registered with Facebook or have not logged in, it is possible that the provider may obtain and store your IP address and other identifying information.
We do not receive access to this tracking data (except in aggregated form) and you remain anonymous to us.
You can deactivate the “Facebook Custom Audiences” function as a logged-in user at https://www.facebook.com/settings?tab=ads. As far as Facebook uses retargeting cookies, you can deactivate the storage of cookies in the settings of your browser or at http://www.aboutads.info/choices. For more information about data processing by Facebook, please visithttps://www.facebook.com/about/privacy
5. Email marketing
If you have expressly consented according to Art. 6 (1) (a) GDPR, we use your email address to inform you in our email newsletter about us, in particular about our concerts. Your consent is recorded and can be called up at any time under “Your account” in the Digital Concert Hall.
To receive the newsletter, it is sufficient to provide an email address.
You can unsubscribe at any time, for example via the link at the end of each e-mail. Alternatively, you may send your request to unsubscribe by email to firstname.lastname@example.org at any time. In this case your email address will be deleted from our email distribution list and added to our blacklist. The withdrawal of your consent will only take effect for the future. The lawfulness of any processing based on your consent carried out before the withdrawal is not affected by this.
Please note that we evaluate the behavior of the recipients of our emails using pseudonymous usage statistics. For this purpose, the emails contain so-called web beacons or tracking pixels and links, which are each linked with an individual ID. Thus we record the time of opening and forwarding the e-mail as well as the clicking of the links contained therein, the IP address (to determine the country of retrieval) and the email program used. This data is not linked to your email address or other personal data, so that a direct personal relationship is excluded for us. The evaluation is based on aggregated usage statistics (delivery rate, opening rate, click rate, number of redirects, number of clicks on the links contained in the email, email programs used, openings and clicks by time of day and date, country of retrieval). Only in the event of cancellations or failed deliveries will we additionally receive information about the name and email address. This is (also) in your interest, so that we can immediately delete you from our email distribution list or correct the delivery problem. The pseudonymous evaluation of usage behavior serves to check the success of our email marketing and to constantly improve it. For these purposes, we have a legitimate interest in data processing. The legal basis is Art. 6 (1) (f) GDPR. You can object to the evaluation at any time pursuant to Art. 21 (2) GDPR by unsubscribing from the newsletter (e.g. via the link at the end of each email); an isolated objection only against the evaluation is (currently) not possible for technical reasons. We store your pseudonymous usage data until you object to the evaluation.
Dispatch and evaluation by Campaign Monitor
5.2 Existing customers
If you have already purchased goods or services from Berlin Phil Media, we inform you from time to time by email or letter about similar goods and services from Berlin Phil Media if you have not objected to this.
The legal basis for such data processing is Art. 6 (1) (f) GDPR. Our legitimate interest lies in direct advertising (Recital 47 GDPR).
You can object to the use of your email address and postal address for advertising purposes at any time without additional costs, for example via the link at the end of each email or by email to email@example.com.
6. Social-Media-Plugins (Facebook, Twitter, Google+)
We use social media plugins from the following providers on our website:
- Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA („Facebook”),
- Twitter Inc., 1355 Market St., Suite 900, San Francisco, California 94103, USA („Twitter”) and
- Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA („Google”).
We use the so-called two-click solution. This means that when you visit our website, generally no personal data is passed on to the providers of the plugins. We offer you the possibility to communicate directly with the provider of the plugin via the button. You can recognize the provider of the plugin by the name of the respective plugin and the logo. Only if you click on the button and thereby activate it, will the plugin provider be informed that you have accessed the corresponding website of our online offer. In the case of Facebook, the IP address is anonymized immediately after collection, according to the provider. By activating the plugin, personal data is transferred from you to the respective plugin provider and stored there (for US providers in the USA). The transfer of your information to a third country outside the EU is covered by a Commission adequacy decision (C/2016/4176 of 12 July 2016 - http://data.europa.eu/eli/dec_impl/2016/1250/oj)within the meaning of Article 45 GDPR, because Facebook, Twitter and Google have self-certified their adherence to the principles of the EU-US Privacy Shield (https://www.privacyshield.gov/EU-US-Framework).
If you click on a button, the plugin provider stores the data collected about you as user profiles and uses it for purposes of advertising, market research and/or demand-oriented design of its website. You have the right to object to the creation of these user profiles. To exercise this right, you must contact the respective plugin provider. The data transfer is independent of whether you have an account with the plugin provider and are logged in there. If you are logged in with the plugin provider, your data collected with us will be directly assigned to your existing account with the plugin provider. If you click on the button and, for example, link the page, the plugin provider will also save this information in your user account and communicate it to your contacts publicly. We recommend that you log out regularly after using a social network, especially before activating the button, as you can thus avoid being assigned to your profile with the plugin provider.
The legal basis for the use of the plugins is Art. 6 (1) (f) GDPR. The plugins serve to promote our website and our goods and services through selected social media channels. This advertising purpose is our legitimate interest in data processing, which you yourself trigger by a conscious action (clicking on the button).
For more information about the purpose and scope of data collection and processing by the plugin provider and your rights and settings to protect your privacy, please visit
- http://www.facebook.com/help/186325668085084 (Facebook),
- https://twitter.com/privacy (Twitter) and
- https://www.google.com/policies/privacy/partners/?hl=de (Google).
Our website also contains simple links to our profiles on Facebook, Twitter and YouTube (operated by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA). If you click on these links, you will leave our website. The data processing on the websites of the social media providers is subject to the privacy policies available there.
7. Google reCAPTCHA
On our websites we use the service reCAPTCHA of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) to prevent the misuse of our websites by bots.
For this purpose, reCAPTCHA analyses the usage behavior on our web pages (e.g. when using our streaming services or forms) to determine whether the respective processes are triggered by a human or an automated program. To do this, reCAPTCHA automatically collects and analyses various information (e.g. IP address, duration of the visit to our website, mouse movements of the user). The data will be forwarded to a Google server in the USA. The transfer of your information to a third country outside the EU is covered by a Commission adequacy decision http://data.europa.eu/eli/dec_impl/2016/1250/oj) within the meaning of Art. 45 GDPR, because Google has undertaken to comply with the principles of the EU-US Privacy Shield.
On our website www.digitalconcerthall.com, we use a visible reCAPTCHA. When certain processes are triggered (e.g. sending a form, playing a video), a user may have to take action and confirm that he is not a robot.
On our website www.berliner-philharmoniker-recordings.com, we use an invisible reCAPTCHA, which analyses the mouse movements and recognises whether they are human behaviour.
In both cases, data processing starts automatically as soon as a user accesses the website. The analysis by reCAPTCHA takes place in the background.
The legal basis for data processing is Art. 6 (1) (f) GDPR. Our legitimate interest is to detect and prevent the misuse of our websites by automated programs.
8. Who gets my data?
Within our organization, those departments or individuals get access to your data that need it in order to fulfil our contractual and legal obligations.
Processors (Art. 28 GDPR) may also receive data for the aforementioned purposes. These are companies in the categories of IT services, logistics, printing and shipping services, telecommunications, sales and marketing.
We share your personal data with third parties if this is necessary to fulfil an existing contractual relationship between you and Berlin Phil Media or to implement pre-contractual measures (Art. 6 (1) (b) GDPR) or for the purposes of legitimate interests (Art. 6 (1) (f) GDPR).
We only share such information as is required by the respective service provider to perform the task assigned to him. The service provider undertakes to treat the data confidentially in accordance with this data protection declaration and the relevant data protection laws and not to pass it on to third parties.
In addition, your personal data will be disclosed or transmitted if required to do so by law (Art. 8 (1) (c) GDPR) or if you have given your consent (Art. 6 (1) (a) GDPR).
Under these conditions, recipients of personal data may be, for example:
- Subcontractors (e.g. mail order companies) used by Berlin Phil Media to provide the services offered via the website.
- Banks for the collection of fees.
- Public authorities and institutions in the event of a legal obligation or official order.
9. How long will my data be stored?
If necessary, we process and store your personal data for the duration of our business relationship, which also includes, for example, the initiation and processing of a contract. It should be noted that our business relationship is a continuing obligation which – until termination of your registration on our website – is intended for years.
In addition, we are subject to various storage and documentation obligations arising, inter alia, from the German Commercial Code (Handelsgesetzbuch – “HGB”) and the German Fiscal Code (Abgabenordnung – “AO”). The retention and documentation periods specified there are, e.g., 6 years for correspondence in connection with the conclusion of a contract and 10 years for accounting documents (Sec. 238, 257 (1) and (4) HGB, Sec. 147 (1) and (3) AO). Such storage and documentation obligations apply in particular if you conclude a contract with us (e.g. registration in the Digital Concert Hall or in the Recordings Shop, conclusion of a purchase contract on these portals, contract on the use of the Digital Concert Hall as part of the DIGITAL CONCERT HALL FOR INSTITUTIONS INITIATIVE).
Finally, the storage period also depends on the statutory limitation periods, which, for example, according to Sec. 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – “BGB”), are generally three years long, but can, in certain cases, also be up to thirty years.
After expiry of the storage and documentation obligations and the relevant limitation periods, we delete the data.
Log files and cookies are deleted after expiry of the above-mentioned storage periods.
10. Is any data transferred to a third country or to an international organisation??
11. What data protection rights do I have?
You have the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to limitation of processing (Art. 18 GDPR) and the right to data portability (Art. 20 GDPR). The restrictions according to Sec. 34 and 35 BDSG apply to the right of access and the right of cancellation. You also have the right to object to data processing by us (Art. 21 GDPR). If our processing of your personal data is based on consent (Art. 6 (1) (a) GDPR), you can withdraw this at any time; the legality of data processing based on the consent until withdrawal remains unaffected by this.
To assert all these rights and for further questions on the subject of personal data, please contact our data protection officer (firstname.lastname@example.org) or our postal address (see point 1 above) at any time.
Regardless of this, you have the right to file a complaint with a supervisory authority – in particular in the EU Member State where you are staying, working or allegedly infringed – if you believe that the processing of personal data concerning you violates the GDPR or other applicable data protection laws (Art. 77 GDPR, Sec. 19 BDSG).
12. Is there an obligation to provide data?
In the context of our business relationship you only have to provide the personal data which is necessary for the establishment, execution and termination of a business relationship or which we are legally obliged to collect. Without this data we will usually have to refuse the conclusion of the contract or the execution of the order or we will no longer be able to execute an existing contract and may have to terminate it.
Mandatory information is marked as such on our websites.
13. To what extent is there automated decision making in individual cases?
We do not use fully automated decision making according to Art. 22 GDPR for the establishment and implementation of a business relationship. Should we use these procedures in individual cases, we will inform you separately, where required by law.
14. Data security
We take a variety of security measures to adequately protect personal data to an appropriate extent.
All customer information is stored on secure servers that are protected from access from other networks by a software firewall. Only those employees who need information to process a specific request or order have access to the data. The employees are trained in the safe handling of data.
Insofar as we collect personal data on our pages, the transmission is encrypted using the industry standard Secure Socket Layer (“SSL”) technology. This applies to all particularly sensitive data such as credit card numbers and account information.
15. Availability of the data protection provisions
Last updated: 24 May 2018