(Revised: May 2018)
Welcome to the website of https://www.arena.berlin. Of course protecting your personal data and fair and transparent data processing is a key concern of ours. We’ve set out the information you need to review and apply your rights to data privacy.
1 Who is the responsible for data processing (the data “controller”)?
The controller is:
Arena Berlin Betriebs GmbH
(hereafter “Arena”, “we”, “us”)
2 How do I contact the Data Protection Officer?
You can contact our Data Protection Officer here:
What are the purposes and legal basis on which we process personal data?
When you visit our website or contact us in a different way, we receive personal data from you.
We generally process data based on the following legal bases:
- If you give us your explicit consent (point (a) of Article 6(1) GDPR), for example you want us to contact you directly or want to receive advertising that is tailored to your individual interests.
- For the performance of our contractual obligations (point (b) of Article 6(1) GDPR).
- As a company we are subject to various legal obligations (point (c) of Article 6(1) GDPR). For example, under tax law and commercial law we have a duty to retain certain documents.
- We also process data based on a legitimate interest by us or by a third party (point (f) of Article 6(1) GDPR). This includes, for example, processing data for direct marketing purposes, sales promotions, IT security and combatting fraud. You have the right under Article 21(1) GDPR to lodge an objection against data processing based on this legitimate interest.
2.1 Data processing on our website
2.1.1 Visiting the website
If you are using the website for information purposes, i.e. if you do not actively send us information, we do not collect any personal data apart from the data your browser automatically sends to enable you to visit the website. This includes, for example:
- IP address of the computer making the request for access;
- the date and time of access;
- the amount of data transferred.
We cannot generally assign these data to specific individuals. This data processing is only for the purpose of enabling the use of the website (setting up a connection). Where any personal data is involved when the data listed above is processed, this is on the basis of point (f) of Article 6(1) GDPR (legitimate interest; the legitimate interest is derived from the purpose stated above).
2.1.2 Contacting us
You can direct questions to us and send us messages via our e-mail address or by telephone. If you do, your e-mail address, your telephone number and the contents of your message, IP address, date and time of the request will be transmitted to us and stored. We only process your data to get in touch with you in the way you want and to deal with your request.
The legal bases for processing this personal data are as set out in points (a) or (b) Art. 6(1) GDPR (consent or to fulfil a contract/measures prior to entering into a contract).
You can apply to work at our company electronically, in particular by e-mail at email@example.com. We will of course only use your details to process your application and will not pass it on to third parties. Please note that e-mails sent without encryption are not protected against unauthorised access.
If you have applied for a specific post and this post has already been filled, or if we think you are equally or more suitable for a different post, we would like to pass your application on within the company. Please tell us if you do not agree to us passing it on in this way.
Your personal data are deleted immediately after the application process is completed or after a maximum of 6 months unless you have given us your express consent for the data to be stored for longer, or if a contract has been signed. The legal basis for this is as set out in points (a), (b) and (f) Art. 6(1) GDPR and Section 26 of the German Federal Data Protection Act (BDSG). Our legitimate interest is based on processing the respective applications.
2.1.4 Use of social plug-ins
This website uses social plug-ins from the following providers:
- Facebook (operator: Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA)
- Facebook (operator: Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA)
- Google+ (operator: Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)
- Instagram (operator: Instagram LLC, 1601 Willow Rd, Menlo Park, CA, 94025, USA)
These plug-ins normally record data from you by default and transmit them to the servers of the respective providers. To ensure your privacy is protected, we have taken technical measures that guarantee that your data cannot be recorded by the providers of the respective plug-in without your agreement. When a page with these plug-ins embedded is accessed, they are initially disabled. They are only enabled when you click on the icon to indicate that you agree to your data being transmitted to the provider. The legal basis for use of the plug-ins is as set out in points (a) and (f) Art. 6(1) GDPR.
Once enabled, the plug-ins also record personal data such as your IP address and send these to the provider’s servers where they are stored. If social plug-ins are enabled, these set a cookie with a unique identifier when you visit the website. This also allows providers to create profiles about your usage behaviour. This happens even if you are not a member of the provider’s social network. If you are a member of the provider’s social network and are logged in to the social network when you visit this website, your data and information about the visit to this website may be linked to your profile on the social network. We do not have any control over the precise scope of data collected from you by the provider.
For more detailed information about the scope, nature and purpose of the data processing and on rights and settings you can use to protect your privacy, please refer to the privacy policies of the provider of the social network. These can be accessed at the addresses below:
- Facebook: https://www.facebook.com/policy.php
- Twitter: https://twitter.com/privacy/
- Google: https://www.google.com/intl/de/privacy/
- Instagram: https://help.instagram.com
YouTube videos are embedded on the website in privacy-enhanced mode. When the video is played the following data are transmitted to Google, which operates YouTube:
- the IP address;
- the specific address of the page accessed on our site;
- the browser identifier transmitted;
- system date/time of the visit and
- pre-existing cookies that can be used to uniquely identify your browser.
Cookies and pixel tags used to customise advertisements and search results are only set by YouTube when the video plays. No information is stored by YouTube about visitors to the website unless they view the video.
Please note that Google may receive additional data via cookies that are already stored. We have no control over how these data are used by Google. Google Inc. is responsible for collecting and processing these data.
2.1.5 Google Maps
2.1.6 More information about Google
To our knowledge, Google has committed to compliance with the Privacy Shield Framework issued by the US Department of Commerce between the EU and the USA on the collection, use and storage of personal data from EU member states. Google has certified that it will comply with the relevant Privacy Shield Principles. The EU Commission believes that the USA ensures appropriate legal protection for personal data sent out of the EU to self-certified organisations in the USA under the Privacy Shield Framework. Additional information is available at: https://www.privacyshield.gov/EU-US-Framework.
2.1.7 How are cookies used on this website?
This website uses the following types of cookies; we also explain their scope and how they work below.
These cookies are automatically erased when you close the browser. They are mostly session cookies. These store a “session ID” which is used to attribute multiple requests by your browser to the overall session. This allows your computer to be recognised when you return to our website. Session cookies are erased when you log out or close the browser.
These cookies are automatically erased after a predefined period which may vary depending on the cookie. You can erase these cookies at any time in your browser’s security settings.
The flash cookies we use are collected by your flash plug-in, not your browser. We also use HTML5 storage objects which are stored on your device. These objects store the data required regardless of the browser you are using and do not have an automatic expiry date. If you do not want flash cookies to be processed, you need to install an add-on such as “Better Privacy” for Mozilla Firefox (https://addons.mozilla.org/de/firefox/addon/betterprivacy/) or the Adobe Flash Killer cookie for Google Chrome. You can stop HTML5 storage objects from being used by setting your browser to Private mode. We also recommend that you regularly clear your cookies and browser history manually.
You can configure your browser settings to match your preferences, for example you can refuse to accept third-party cookies or all cookies. Please note that if you do you may not be able to use all the functions available on this website.
If any personal data is involved when the personal data is processed as described in clause 3.a, the legal basis for this is as set out in point (f) of Article 6(1) GDPR (legitimate interest; the legitimate interest is derived from the purposes stated above (in particular, optimising usage of website and improving user experience)).
3 Are my data transmitted to third parties?
In order for Arena to be able to process your data in accordance with the purposes described above, it may be necessary for other recipients to view and process your data.
3.1 External service providers (processors)
Your data are passed on to service providing partners where they are acting on our behalf and support Arena in providing its services.
Processing of your personal data by sub-contracted providers is subject to the provisions relating to processing on behalf of a controller set out in Art. 28 GDPR.
3.2 Other service providers, partners and third parties
Arena may work with other partners where this is necessary to provide our services or we are legally obliged to surrender data. These may include the following partners or third parties:
- Banks and payment service providers;
- Shipping companies;
- Disclosure to public bodies or in response to a court order.
The legal basis for these types of processing of your personal data is as set out in point (c) Art. 6(1) GDPR (to meet a legal obligation).
4 Are my data processed outside the EU/EEA and how is my privacy ensured?
Arena is highly committed to processing your data within the EU/EEA. However, it is possible that we use service providers that are active outside the EU/EEA. In such cases we ensure that an appropriate level of data protection is in place before we transmit your personal data. This means that a level of data protection that is comparable to the standards within the EU is in place via EU standard contracts or an Adequacy Decision such as the EU Privacy Shield.
5 How long are my data stored?
6 What are my rights and how can I pursue them?
You have the following rights with regard to us with respect to the personal data concerning you:
6.1 General rights
You have a right to access, rectification, erasure, restriction of processing or to object to processing, and a right to data portability. Where data are processed on the basis of your consent, you have the right to withdraw this at any time with future effect.
6.2 Rights when data is processed in accordance with a legitimate interest
You have the right under Article 21(1) GDPR to lodge an objection, on grounds relating to your particular situation, at any time to processing of personal data concerning you, which is based on point (e) (data processing in the public interest) or (f) (data processing to uphold a legitimate interest) of Article 6(1) GDPR, including profiling based on those provisions. If you object, we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or if processing is used for the establishment, exercise, or defence of legal claims.
6.3 Rights in relation to direct marketing
Where we process your personal data for direct marketing purposes, you have the right under Article 21(2) GDPR to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
6.4 Right to lodge a complaint with a supervisory authority
You also have the right to complain to a competent data protection supervisory authority about the processing of your personal data.
7 Data security
Arena uses the latest technical measures to ensure data security (e.g. SSL encryption), particularly to protect your personal data against risks when data are transmitted and against detection by third parties. These measures are adjusted to reflect the state of the art.
8.1.2 Links to other websites