Last revised: 02.10.2020
Information on the collection of personal data
(1) Below we inform you about the collection of your personal data when you use our website. Personal data are all data that can be related to you personally, e.g. name, address and email addresses, but also user behaviour, if relevant.
(2) The data controller pursuant to Article 4(7) of the EU General Data Protection Regulation (GDPR) is
Gemeinde Oberammergau, Eigenbetrieb Kultur
Tel. +49 8822 949 88 0
Fax +49 8822 949 88 56
(3) You can contact our data protection officer at
Herr Thomas Pfefferle
(4) As a rule, anybody can use our website without having to disclose personal data. When you contact us by email or through a contact form, we will store the data you provide (your email address, your name and, if relevant, your telephone number) so that we can respond to your questions. We delete the data thus obtained once their storage is no longer necessary or restrict their processing if there is a legal requirement to retain the data.
Collection of personal data when our website is visited
1) If you use our website for purely informational purposes – in other words, if you do not register or otherwise provide information to us – we only collect the personal data sent by your browser to our server. If you decide to visit our website, we collect the following data which we require for technical reasons in order to display our website to you and to ensure its stability and security. The legal basis for this data collection is Article 6(1)(1)(f) GDPR:
– IP address
– Date and time of the request
– Time zone difference from Greenwich Mean Time (GMT)
– Content of the request (specific page)
– Access status/HTTP status code
– Data volume transferred in each case
– Website from which the request has come
– Operating system and its interface
– Browser software language and version.
2) In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive in accordance with the browser you are using and through which certain information is sent to the entity that sets the cookie (us, in this instance). Cookies cannot run programs or transmit viruses to your computer. They help to make the website more user-friendly and effective overall. Before using our site, we ask you for your preferred cookie settings. We differentiate here between technically necessary cookies, which are essential to operate the site, analysis cookies for evaluating your website activities and external services. We save the date and time of the page view, your cookie settings (consent status) and a random ID. You can adjust your settings at any time under “Cookies” in the footer.
a) Our website uses the following types of cookies, with their scope and function explained below:
– transient cookies (see b)
– persistent cookies (see c).
b) Transient cookies are automatically deleted when you close your browser. They include session cookies in particular. They store what is known as a session ID, which is used to assign various requests from your browser to the one session. This will allow your computer to be recognised when you return to our website. Session cookies are deleted when you log out or close the browser.
c) Persistent cookies are automatically deleted after a predetermined duration, which may differ depending on the cookie.
d) You can delete the cookies in the security settings of your browser at any time. You may set up your browser as you wish and e.g. refuse to accept third-party cookies or all cookies. Please be aware that in that case you may not be able to use all features of this site. We also recommend that you manually delete your cookies and browser history on a regular basis.
Other functions and offerings of our website
1) In addition to using our website solely for informational purposes, you may also be interested in various services that we offer. As a rule, you will then need to disclose additional personal data that we will use to provide the respective service and to which the aforementioned principles of data processing apply.
2) In some cases, we may use external service providers to process your data. Such service providers have been carefully selected, examined with respect to the applicable standards under data protection law, and commissioned by us, are bound by our instructions, and are regularly checked.
3) Furthermore, we may pass on your personal data to third parties if contract conclusions or similar services are offered by us together with partners. You will receive further information on this when you provide your personal data or underneath in the description of the offering.
Use of an online shop
(1) Gemeinde Oberammergau, Eigenbetrieb Kultur does not itself – in connection with the 2022 Passion Play or otherwise – operate its own online shop. However, there is an option on our website to order tickets and what are known as Arrangements (comprising admission tickets, accommodation and other services) from our cooperation partner, Passionsspiele Oberammergau Vertriebs GmbH & Co. KG with registered office in Oberammergau, via an online shop set up and operated by that company to which you are forwarded via the “Book here” section.
(2) For more information on the online shop operated by Passionsspiele Oberammergau Vertriebs GmbH & Co. KG and the related processing of personal data, please refer to the offers provided by that company.
Partner and press registration
You can register to use our online offering for partners and media representatives. To register, you have to provide the data requested during registration, such as your name, address and email address. In addition, we record the date and time of registration and the IP address. As part of the registration/accreditation process, we use the data provided by you to assess whether or not you meet the criteria for approval.
If you give your consent, processing of data provided for registration purposes is based on Article 6(1)(a) of the GDPR. If you register with us for the purposes of performance or initiation of a contract, the legal basis for processing the data is also Article 6(1)(b) GDPR.
The information mandatorily required for registration is needed to execute or initiate a contract for certain services to be provided by us.
(1) With your consent, you can subscribe to our newsletter, through which we will keep you informed about the 2022 Passion Play and events held in the Passion Play Theatre.
(2) We use what is known as a double opt-in process for newsletter subscription. This means that, following registration, we will send you an email to the specified email address in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked. We also save the IP addresses used and the dates and times of registration and confirmation. The purpose of the procedure is for us to be able to provide proof of your registration and, if relevant, clarify any possible misuse of your personal data.
(3) Only your email address is required in order to send you the newsletter. You are also welcome to provide your first and last names, but this is optional. Following your confirmation, we save these data for the purpose of sending the newsletter. The legal basis for this is Article 6(1)(1)(a) GDPR.
(4) You are entitled to withdraw your consent and unsubscribe from the newsletter at any time. To revoke your consent, click on the “Unsubscribe from newsletter” link included in all newsletter emails or send a message to the contact details provided in the Imprint.
Use of rapidmail to send the newsletter
(1) We use rapidmail to send out our newsletter. Therefore, your data are transmitted to rapidmail GmbH, Augustinerplatz 2, 79098 Freiburg i. Br., Germany (hereinafter: rapidmail). rapidmail is forbidden from using your data for any purpose other than sending out the newsletter. rapidmail is not permitted to share or sell your data. rapidmail is a German, certified newsletter software provider that has been carefully chosen in accordance with the requirements of the GDPR and the German Data Protection Act (BDSG).
(2) The email addresses of our newsletter recipients, as well as other data of theirs indicated in this Policy, are stored on rapidmail’s servers in Germany. This information is used by rapidmail to send and analyse the newsletter on our behalf.
(4) The behaviour of newsletter recipients towards us as the sender is statistically analysed. Among other things, it is evaluated whether or not the newsletter is opened, when it is opened and which links are clicked. Technical information such as the browser and email provider is also collected. We use these evaluations to identify our users’ reading habits and to adapt our content to them or to send different content according to our users’ interests.
(5) Unsubscribing from the newsletter also ends the sending thereof and the analysis by rapidmail. You can unsubscribe from the newsletter at any time by clicking on the link included in all newsletter emails or by sending a message to the contact details provided in the Imprint. Withdrawing consent to receive the newsletter is equivalent to unsubscribing.
Integration of YouTube videos
(1) We have integrated the YouTube.com platform into our website in order to post our own videos and make them publicly accessible and also playable directly from our website. The videos are all embedded in “enhanced privacy mode”, i.e. no data about you as a user are transferred to YouTube if you do not play the videos. The data mentioned in the next paragraph are only transferred if you play the videos, as YouTube is an offering from a third party that is not affiliated with us, namely YouTube LLC., a service operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). We have no control of such data transmission.
Use of Matomo
(1) This website uses the Matomo web analytics service so that we can analyse and regularly improve how our website is used. The statistics obtained help us to improve our site and make it more interesting for users. The legal basis for using Matomo is your consent in accordance with Article 6(1)(1)(a) GDPR, which you are asked for when you visit our website.
(2) Cookies are stored on your computer to evaluate this (for more details, please refer to the “Collection of personal data when our website is visited” section). The controller only saves the information collected in this way on its server in Germany. You can opt-out of the analysis by Matomo by not ticking “Statistics” in our cookie consent banner.
(3) This website uses Matomo with the “AnonymizeIP” extension. This allows IP addresses to be truncated for further processing so that data cannot be directly linked to individuals. The IP address transmitted by your browser by means of Matomo is not aggregated with other data collected by us.
(4) The Matomo program is an open source project. Privacy information from the third-party provider is available at https://matomo.org/privacy/policy.
Use of Facebook and Instagram pages
In addition to our own website, we also maintain a fan page on the social network Facebook. We use the fan page to post information about our activities and provide a channel for communication. The social network Facebook is operated by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (hereinafter: Facebook).
1. Joint controllership
(2) In terms of data protection law, joint controllership between Facebook and ourselves must be assumed for the operation of the fan page and analysis of user data when the fan page is visited. Therefore, we have concluded an arrangement with Facebook regarding joint controllership under data protection law in accordance with Article 26 GDPR. The arrangement, referred to as the “Page Insights Addendum” or “Page Insights Controller Addendum”, is available here: https://en-gb.facebook.com/legal/terms/page_controller_addendum.
(3) With reference to what are called “Facebook Insights data” (hereinafter “Facebook Insights”), Facebook assumes essential obligations under this arrangement, especially the obligation to inform data subjects and protect the rights of data subjects.
2. Purposes and legal bases of processing
(1) Our data processing in connection with our pages on Facebook and Instagram is conducted in accordance with Article 6(1)(f) GDPR based on our legitimate interest in public relations and communication. We use Facebook and Instagram to present our work and communicate with you. We may communicate directly with you via Facebook or Instagram in order to respond to questions you pose there. We also use Facebook and Instagram data to analyse and increase the reach of our communication. We erase such data once they are no longer required or restrict their processing if there is a legal requirement to retain the data, insofar as erasure or the restriction of processing is possible. Communication via Facebook is potentially insecure. You may also contact us via other channels at any time.
(2) Use of Facebook Insights
We use Facebook’s Facebook Insights features on our Facebook and Instagram pages to obtain anonymised statistical data about the use of and visitors to our Facebook and Instagram pages. The legal basis for this, pursuant to Article 6(1)(f) GDPR, is our legitimate interest in public relations and communication and, especially, the optimisation of our Facebook and Instagram pages. We obtain information regarding the use of our Facebook and Instagram pages via Facebook Insights, especially anonymised information about the visitor profiles, including demographic and geographic analyses. Facebook also compiles these usage statistics on a cross-device basis if relevant when you use Facebook or Instagram on multiple devices (e.g. in a browser and via an app).
Facebook conducts data processing within the context of Facebook Insights based on the joint controllership arrangement mentioned in Section 1 herein above. We only ever receive anonymised data from Facebook. Further information on the data processing conducted by Facebook within the context of Facebook Insights is available here: https://www.facebook.com/legal/terms/information_about_page_insights_data.
(3) General information on the data processing conducted by Facebook Ltd. is available for Facebook here: https://en-gb.facebook.com/about/privacy/ and for Instagram here: https://help.instagram.com/519522125107875.
4. Rights of data subjects
(1) You have the right to object (Article 21(1) GDPR) at any time, on grounds relating to your particular situation, to the processing of your personal data which is based on Article 6(1)(f) GDPR.
(2) You can adjust your settings to control the extent to which Facebook records your user behaviour when you visit Facebook and Instagram pages here as a registered Facebook user and here as a registered Instagram user. Other options for managing the data processing conducted by Facebook and Instagram, including an opt-out form, are available here https://www.facebook.com/help/contact/367438723733209 and in the general settings options for Facebook and Instagram.
(3) If the respective legal requirements are met, you have a right of access pursuant to Article 15 GDPR, a right to rectification pursuant to Article 16 GDPR, a right to erasure pursuant to Article 17 GDPR, a right to restriction of processing pursuant to Article 18 GDPR, a right to object pursuant to Article 21 GDPR and a right to data portability pursuant to Article 20 GDPR.
(4) You have the right to lodge a complaint with a data protection supervisory authority. The competent data protection supervisory authority for us is the Data Protection Authority of Bavaria for the Private Sector (BayLDA).
We use an encryption method on our website to protect your data against unwanted access. You can recognise this by the closed lock icon displayed in your browser status bar and https:// at the start of the address line.
Your rights as a data subject
(1) You have the following rights against us with regard to your personal data:
- Right of access pursuant to Article 15 GDPR
- Right to rectification pursuant to Article 16 GDPR
- Right to erasure pursuant to Article 17 GDPR
- Right to restriction of processing pursuant to Article 18 GDPR
- The right of access and the right to erasure are subject to the restrictions under Sections 34 and 35 BDSG
- Right to data portability pursuant to Article 20 GDPR
(2) If you are of the view that the processing of your personal data infringes legal requirements, you have the right to lodge a complaint with the competent data protection supervisory authority for us (Article 77 GDPR read in conjunction with Section 19 BDSG).
Storage period, blocking and erasure of personal data
We only store and process your personal data for as long as this is necessary for the respective purpose (cf. “Scope, purposes and legal bases for the data processing” section). In all other cases, we erase your personal data; the only exceptions are data that we have to continue to store in order to meet legal obligations (e.g. retention obligations under tax or commercial law).
Objection to or withdrawal of consent for the processing of your data
(1) If you have given your consent to the processing of your data, you may revoke such consent at any time. You have the right to object, on grounds relating to your particular situation, to the processing of your personal data conducted on the basis of Article 6(1)(e) GDPR (data processing carried out in the public interest) and Article 6(1)(f) GDPR (data processing based on a consideration of interests) at any time. Such a withdrawal affects the legitimacy of the processing of your personal data once you have notified us of the withdrawal.
(2) If our processing of your personal data is based on the balance of interests, you have the right to object to processing. In particular, this is the case if the processing is not necessary for the performance of a contract with you; more details on this are provided in the description of functions below. When you exercise such a right to object, we ask that you specify the reasons why we should not process your personal data in this manner. If your objection is justified, we will examine the situation and either cease or adjust the data processing or explain to you the compelling legitimate grounds on which we will continue to process the data.
(3) Of course, you have the right to object to the processing of your personal data for purposes of advertising and data analysis at any time. You can use the following contact details to inform us of your objection to advertising: email@example.com.
Disclosure of data to third parties
(1) In principle, we only use your personal data within the Eigenbetrieb Kultur department. If and insofar as we involve third parties in the performance of contracts, such third parties only receive personal data to the extent that the transmission is necessary for the relevant service. This is the case if disclosure to partner companies is necessary based on your order or request or fulfilment of a contractual obligation. These partner companies may also be located outside of the EU and the EEA.
(2) If we outsource certain data processing elements (“commissioned processing”), we contractually oblige the processors to use personal data only in accordance with the requirements of data protection laws and to ensure the protection of the rights of data subjects.
(3) Data are not transferred to entities or persons outside of the EU other than in the cases mentioned in this Policy, and such a transfer is not planned.
Dear (prospective) customer,
We wish to inform you about the processing of your personal data and your rights under data protection law in relation to this.
The specific data processed and the way in which they are used largely depend on the requested/agreed services.
In order to ensure that you are fully informed about the processing of your personal data within the context of the performance of a contract or in order to take steps prior to entering into a contract, please take note of the following information.
Controller within the meaning of data protection law
Passionsspiele Oberammergau Vertriebs GmbH & Co. KG
Tel. +49 8822 949 88 57
Fax +49 8822 949 88 56
When you visit our website, information in the form of cookies may be stored on your computer in order to identify visitor preferences, for example, and to optimise the website design accordingly. This helps us, for example, to improve the ease of navigation and to achieve a high degree of user-friendliness.
Cookies are text files that are stored on a user’s hard drive when they visit a website. They are harmless for your computer and cannot be read by third parties. They allow information to be kept available for a particular period of time and enable identification of the user’s computer.
The cookies that we use are, where possible, session cookies that are automatically deleted again once the browser session ends. Occasionally, cookies with a longer storage duration may also be used so that your settings and preferences can be considered the next time you visit our website as well.
If our cookies are accepted, they remain on your computer for 30 days unless you delete them. During online booking, cookies are temporarily stored for the booking process. They are then automatically deleted after 30 minutes of inactivity or after you have left the website.
The legal basis for using necessary cookies is our legitimate interest in the proper provision of our website within the meaning of Article 6(1)(b) GDPR.
Data processing in the context of ticket booking and other travel services
The provision of personal data in relation to a decision to conclude or perform a contract or take steps prior to entering into a contract is voluntary. However, we can only make a decision within the framework of contractual measures if you provide the personal data needed for conclusion or performance of a contract or for measures taken prior to entering into a contract.
Legal basis for data processing for the performance of a contract: booking request/travel booking
The processing is performed at your request and is necessary pursuant to Article 6(1)(1)(b) GDPR for the performance of a contract and in order to take steps prior to or after entering into a contract. If these data are not provided, it is not possible to make a booking and/or to perform a contract. We obtain the data directly from you.
We process your personal data in compliance with the provisions of the European General Data Protection Regulation (GDPR) and the German Data Protection Act (BDSG).
Where necessary and legally permitted, we process your data beyond the actual contractual purpose in order to meet legal obligations pursuant to Article 6(1)(c) GDPR. Moreover, processing may be performed for the purposes of legitimate interests that we and/or third parties may have and to defend or establish legal claims pursuant to Article 6(1)(f) GDPR. Where relevant, we shall inform you separately, indicating the legitimate interest, insofar as this is required by law.
Categories of personal data
We only process data connected with the establishment of a contract or the steps prior to entering into a contract.
If you provide us with the personal data of other persons (e.g. fellow travellers), you must ensure that they consent to this and you have permission to transmit the data.
You have to ensure that these persons are aware of how we may process their personal data and what rights they have.
The following data are collected and processed as part of booking and contract performance:
- Title (of all passengers)
- First and last names (of all passengers)
- Address (for sending booking data/invoice and travel documents, information on changes to your travel itinerary that are known in advance e.g. resulting from orders issued by authorities or security-related measures)
- Date of birth/age of all passengers
- Telephone number of the main traveller/contact person (for making contact at short notice in the event of security arrangements/changes)
- Email address (for sending a summary of the booking data/invoice/travel documents, information on changes to your travel itinerary that are known in advance, e.g. resulting from orders issued by authorities or from security-related measures)
- Credit card data in the event of payment by credit card
- Bank details in the event of payment via SEPA direct debit
This also includes the related customer support.
We will send your booking confirmation to the postal or email address provided by you.
If necessary, personal data are shared with companies involved in processing the contract, e.g. service providers such as hoteliers, restaurants, and financial institutions for payment processing.
In the event of payment by credit card, your data needed for this, such as name, address and the purchase data, are shared with the respective credit card company.
Subject to these conditions, other recipients of personal data may include, e.g.:
• external tax consultants
• public bodies and institutions (e.g. public prosecutors, police, supervisory authorities, tax authorities) if there is a legal or official obligation.
We may also share your data directly with external service providers (e.g. security service providers, customer service providers, printing service providers, travel insurers) who require such data to establish or perform the contract subject to these conditions and who, acting strictly in accordance with our instructions, support us in the processing and provision of services – as a rule – under the provisions on contract data processing pursuant to Article 28 GDPR.
Consent by minors
Persons under 18 years of age should not transfer any personal data to us without the permission of their guardians. Pursuant to Article 8 GDPR, children up to 16 years of age may only provide the necessary consent with the permission of their guardians. We do not knowingly collect and/or process personal data of minors.
Data processing for the protection of vital interests
We may process your data in individual cases to protect your vital interests, e.g. so that an evacuation list can be provided to emergency services in the event of an emergency. The data are processed on the basis of Article 6(1)(d) GDPR. The data are erased after the required retention periods have expired.
If you subscribe to our newsletter, your email address is used for our own advertising purposes until you cancel your subscription. You will receive regular information on current topics as well as emails relating to special occasions, such as separate promotions. The emails may be personalised and individualised based on our information about you.
Unless you have given us your consent in writing, we use what is known as a double opt-in process for subscriptions to our newsletter, i.e. we only then send you the newsletter and ask you to confirm that you wish to receive our newsletter by clicking on a link in the email.
If you have explicitly subscribed to our newsletter, your consent constitutes the legal basis for processing your data pursuant to Article 6(1)(a) GDPR.
Under the applicable legal provisions, we may send you our newsletter without having obtained your express consent based on the fact that you have ordered certain goods or services from us and we have therefore received your email address and you have not objected to receiving information from us by email.
In this case, our legitimate interest in direct mailing constitutes the legal basis pursuant to Article 6(1)(f) GDPR.
You have the right to object in such an instance. If you choose to exercise this right, the processing will be terminated for the purposes of direct marketing without any costs being incurred other than the transmission costs in accordance with basic tariffs. We will immediately cease sending you the newsletter on receipt of your objection. If possible, please direct your objection to: firstname.lastname@example.org.
Transfer to a third country and automated decision-making
A transfer to a third country is not intended. There is no automated decision-making.
Duration of data storage
Where necessary, we process and store your personal data for the duration of our business relationship and in order to fulfil contractual purposes. This includes, without being limited to, contract initiation and processing. Moreover, we are subject to various retention and documentation obligations that arise from, without being limited to, the German Commercial Code (HGB) and German Fiscal Code (AO). The retention and documentation periods prescribed there range from two to ten years. Finally, the duration of storage also depends on statutory limitation periods, which are usually three years as per section 195 et seq. of the German Civil Code (BGB), for example, but may also be up to thirty years in certain circumstances.
Contact details of our Data Protection Officer
Herr Thomas Pfefferle