Data Protection


1. Responsible


This data protection declaration applies to data processing by us as the controller in accordance with Art. 4 para. 7 General Data Protection Regulation (GDPR):


THE PRINCIPALS GmbH

Augsburger Strasse 33, 10789 Berlin

Germany

Managing Directors: Marcus Ruschmeyer

E-mail address: info@theprincipals.de


Registered in the commercial register at the district court Berlin-Charlottenburg under the commercial register number: HRB 125857 2


2. Definitions of terms


Insofar as this data protection declaration does not contain or imply a different definition, reference is made to the definitions in Article 4 GDPR with regard to the terms used. According to Article 4 No. 1 GDPR, personal data is all information relating to an identified or identifiable natural person. These include, for example, first and last name, date of birth, and private and business contact details.


3. Use of processors


In order to be able to offer you our app, we rely on the services of the processor Fanbaze GmbH, Köpenicker Str. 7, 10997 Berlin, selected by us. Fanbaze GmbH itself uses servers of

1&1 IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany,

where the data is ultimately processed. If data is processed elsewhere in exceptional cases, we will point this out separately. Fanbaze GmbH was carefully selected by us as a processor and checked in advance. We have concluded an agreement with Fanbaze GmbH pursuant to Article 28 GDPR and of course regularly assure ourselves of the reliability and compliance with all data protection regulations by Fanbaze GmbH and its sub-processors, so that your data is always secure.


4. Legal basis for processing


The legal basis for the temporary storage of the data is Article 6 (1) (f) GDPR. Our legitimate interest lies in the purpose of data processing.


5. Purpose of data processing


The collection and storage of the processed data takes place for the use of the respective function of our app and is further processed by us for the following purposes:


  • Ensuring a smooth and comfortable use of our app
  • Evaluation of system security and stability
  • For other administrative purposes
  • Statistical evaluation of user-related data


6. Processing of your personal data


Below we give you an overview of data processing operations that may affect your personal data in the course of your use of our app:


a. When downloading and purchasing the app

When downloading and purchasing the app, the necessary information is transferred to the Google Play Store (if you use our app on an Android device) or the Apple App Store (if you use our app on an iOS device). In particular, user name, e-mail address, time of download, payment information and the individual device identification number as well as any other data are required. We have no influence on this data collection and processing and are not responsible for it. We process the data only to the extent necessary to download the app to your device.


Take a look at the privacy statements of Google (https://www.google.de/intl/de/policies/privacy/) or Apple (https://www.apple.com/de/privacy/privact-policy/).


b. Registration

If you register as a user of our app, then we collect and store your email address, your first and last name, the user name you entered, your telephone number, the time (date/time) of your registration as well as the password you have chosen in encrypted form and the date of creation. We will also assign you an ID number. This ID number is used exclusively for your identification within the app. Your last login date will also be stored by us. Finally, we store whether you want to stay logged in to the app or whether you always want to log in again when the app is started.


c. Setting up a profile

Our app offers you the possibility to set up your user profile after your registration. Here you can upload and save a profile picture, specify your gender as well as the city and country in which you live. We store the data you provide.


d. When calling the app

Every time you start the app, your device connects to a server of 1&1 IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany. This results in connection data, which is stored in so-called log files. The data includes:

  • Device ID of your device
  • Version of your operating system
  • IP address
  • Date and time of the request
  • Language settings


This data is required for us to provide you with our app and to be able to assign your device as well as to improve the app and our services. The legal basis for this processing is Art. 6 para. 1 p. 1 lit. f GDPR. The deletion takes place after seven days.


e. Use of push messages

You can subscribe to so-called push notifications in the mobile apps. This function is provided by the provider of the operating system running on your device and is recorded by the app. If you use this service, it is necessary that the provider of your operating system (Apple or Google) collects data from you in order to be able to provide you with the service. The legal basis for data processing is the consent that you give directly on your device.


f. When forwarded to ticket shops

By clicking on the individual events, you will be forwarded through the app via your web browser to various ticket providers. If you should use the offers of these providers, the terms and conditions and the data protection information of the respective providers apply here, which can be called up within the respective websites.


7. Usage analysis


So that we can further improve the app, anonymous statistics are automatically created on how you use the app, such as how often, on which days and on which devices. The data on the way you use our app is required for us to ensure and further improve the stability and security of the app. The data collected in this way is not merged with your other profile information, but is included in anonymous statistics that help us to get to know our users better and to better adapt the app to their needs. This processing is necessary to ensure and further improve the stability and security of the app and is carried out on the basis of Art. 6 para. 1 p. 1 lit. f GDPR.


8. Transfer to third countries


We only process your personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) if it is necessary to fulfil our (pre)contractual obligations (in accordance with Art. 6 para. 1 p. 1 lit. b GDPR), on the basis of your consent (in accordance with Art. 6 para. 1 p. 1 lit. a GDPR), on the basis of a legal obligation (in accordance with Art. 6 para. 1 p. 1 lit. c GDPR) or on the basis of our legitimate interests (in accordance with Art. 6 para. 1 p. 1 lit. f GDPR). The same applies if third parties process your data on our behalf in a third country. Furthermore, a transfer to a third country only takes place if this is permitted under Article 44 et seq. GDPR.


9. Your other rights


According to the GDPR, you have the following rights:

- A right to information pursuant to Article 15 GDPR

- The right to rectification pursuant to Article 16 GDPR

- The right to erasure pursuant to Article 17 GDPR

- The right to restriction of processing pursuant to Article 18 GDPR

- The right to object pursuant to Art. 21 GDPR

There is also the right to complain to a supervisory authority for data protection about the data processing carried out by us.


10. Security measures


We take organizational, contractual and technical security measures in accordance with the state of the art to ensure that the provisions of the data protection laws are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons. These measures can be viewed in Annex 1 (TOM).


11. Changes to this privacy policy


We reserve the right to change our privacy policy if this should be necessary due to new technologies or changes to our data processing processes, or to adapt it to changes in the legal situation that is relevant to us. However, this only applies to this privacy policy. If we process your personal data on the basis of your consent, or if components of this privacy policy form part of the contractual relationship with you, any changes will only be made with your consent. You can call up the current version of our privacy policy at any time in our app.





Annex 1: Technical organisational measures (TOM)


Preamble


The controller has implemented appropriate measures for confidentiality, integrity, availability and resilience, as well as procedures for regular review, assessment and evaluation. The general part describes technical and organizational measures that apply regardless of the respective services, locations and customers. The Annexes describe measures that apply beyond the measures documented in the general part.


1. Confidentiality


Confidentiality is the property that personal data is not made available or revealed to unauthorized persons, entities or processes.


Physical access control


  • Reception and security service
  • Individual, documented and role-dependent access authorizations (cards, transponders and keys)
  • Employee and visitor cards
  • In principle, visitors may only stay in the building accompanied by an employee
  • Alarm and burglar alarm system
  • Offices are locked outside working hours


System and data access control


  • Formal user and authorization procedures
  • Login only with username, password and where required 2-factor authentication
  • System-enforced password policies
  • VPN for remote access, using devices managed by the controller
  • Mobile Device Management
  • Mobile data storage media are encrypted
  • Automatic locking of desktops after a few minutes of inactivity
  • Clean Desk Policy
  • Access control
  • Keeping asset registers and deriving measures based on data classification
  • Use of cryptographic methods (e.g. encryption)
  • Implementation of authorization concepts according to the need-to-know principle
  • Separation of application and administration access
  • Logging of access attempts
  • Setting up administrator workstations
  • Minimum number of administrators
  • Use of document shredders


Pseudonymization


  • If possible or necessary, personal data are processed pseudonymously (separation of the assignment data and storage in a separate system)


Separation control


  • Separation of development, test and production environment
  • Personal data may not be used for testing purposes
  • Multi-client capability / logical separation of data for relevant applications: separate databases, schema separation in databases, authorization concepts and/or structured file storage


2. Integrity


The integrity of personal data is maintained if it is correct, unchanged and complete.


Forwarding control


  • Provision of data over encrypted connections (e.g. SFTP)
  • Disclosure of personal data in the sense of the need-to-know / need-to-do principle
  • Personal data is classified according to their need for protection, whereby confidential data may only be transmitted via secure communication channels
  • Where possible, e-mail encryption is used
  • Where possible, personal data will only be transmitted in pseudonymised or anonymised form
  • Documentation of the transfer of physical storage media
  • Disclosure of paper documents containing personal data in a sealed opaque envelope


Input control


  • Technical logging of the input, modification and deletion of personal data as well as control of the logs
  • Traceability of input, modification and deletion of data by individual user names (not user groups)
  • Role-based authorization concept (read, write, and delete rights)
  • Logging of administrative changes


3. Availability and resilience


Personal data are available if they can always be used by users as intended.


  • Use of hardware and software firewalls
  • Intrusion Detection Systems
  • Surge protection of the building envelope against lightning strikes
  • Uninterruptible power supply (UPS)
  • Emergency manuals for data recovery, protection against accidental destruction and loss
  • Performance of recovery tests
  • Where necessary, use of redundant systems (e.g. RAID)
  • Regular testing of data backups
  • External audits and security tests


4. Procedures for periodic review, assessment and evaluation


How is it ensured that the aforementioned data backup measures are regularly reviewed?


Data Protection Management


  • Data protection officer and an information security officer are appointed
  • Establishment of a data protection and information security organization
  • All employees are obliged to maintain confidentiality in the handling of personal data and are made aware of the secrecy of telecommunications
  • Employees are sensitized in the handling of personal data
  • New employees receive information material regarding the handling of personal data
  • A list of processing activities is maintained and data protection impact assessments are carried out as required
  • Processes for the exercise of data subject rights are established


Order control


  • Data processed on behalf of the client will only be processed according to instructions from the client
  • Contractors are carefully selected with regard to technical and organizational measures taken to protect personal data
  • Instructions for the handling of personal data are documented in text form
  • If necessary, order processing agreements or appropriate safeguards for the transfer of data to third countries are concluded


Privacy-friendly default settings


  • It is ensured procedurally that systems and products are developed in a data protection-friendly manner
  • Only those personal data are collected that are necessary for the respective purpose


Incident response management


  • Documented process for the detection, reporting and documentation of data breaches with the involvement of the data protection officer
  • Documented procedure for dealing with security incidents with the involvement of the information security officer




Annex 1.2: Special technical and organizational measures for data centers


  • All data centers are certified according to the ISO 27001 standard
  • Electronic access control systems monitor and ensure access to the respective data center only for authorized persons
  • Security gate
  • Video cameras as well as burglary and contact detectors monitor the building envelope
  • Defined security zones
  • Highly redundant network infrastructure
  • Fire and/or smoke detectors have a direct connection to the local fire brigade
  • Cooling system in the data center / server room
  • Server room monitoring of temperature and humidity
  • No sanitary connections in or above data centers
  • Alarm message in case of unauthorized access to data centers