Privacy Policy

(Revised: May 2018)

Welcome to the website of Arena Berlin Betriebs GmbH, (the “Website”). Of course protecting your personal data and fair and transparent data processing is a key concern of ours. We’ve set out the information you need to review and apply your rights to data privacy.

1. Who is the responsible for data processing (the data “controller”)?

The controller is:

Arena Berlin Betriebs GmbH
Eichenstrasse 4
12435 Berlin


(hereafter “Arena”, “we”, “us)

2. How do I contact the Data Protection Officer?

The Data Protection Officer of the controller is:

DataCo GmbH
Dachauer Str. 65
80335 München


What are the purposes and legal basis on which we process personal data?

When you visit our website or contact us in a different way, we receive personal data from you.

We generally process data based on the following legal bases:

  • If you give us your explicit consent (point (a) of Article 6(1) GDPR), for example you want us to contact you directly or want to receive advertising that is tailored to your individual interests.
  • For the performance of our contractual obligations (point (b) of Article 6(1) GDPR).
  • As a company we are subject to various legal obligations (point (c) of Article 6(1) GDPR). For example, under tax law and commercial law we have a duty to retain certain documents.
  • We also process data based on a legitimate interest by us or by a third party (point (f) of Article 6(1) GDPR). This includes, for example, processing data for direct marketing purposes, sales promotions, IT security and combatting fraud. You have the right under Article 21(1) GDPR to lodge an objection against data processing based on this legitimate interest.

2.1 Data processing on our website

2.1.1 Visiting the website

If you are using the website for information purposes, i.e. if you do not actively send us information, we do not collect any personal data apart from the data your browser automatically sends to enable you to visit the website. This includes, for example:

  • IP address of the computer making the request for access;
  • the date and time of access;
  • the amount of data transferred.

We cannot generally assign these data to specific individuals. This data processing is only for the purpose of enabling the use of the website (setting up a connection). Where any personal data is involved when the data listed above is processed, this is on the basis of point (f) of Article 6(1) GDPR (legitimate interest; the legitimate interest is derived from the purpose stated above).

2.1.2 Contacting us

You can direct questions to us and send us messages via our e-mail address or by telephone. If you do, your e-mail address, your telephone number and the contents of your message, IP address, date and time of the request will be transmitted to us and stored. We only process your data to get in touch with you in the way you want and to deal with your request.

The legal bases for processing this personal data are as set out in points (a) or (b) Art. 6(1) GDPR (consent or to fulfil a contract/measures prior to entering into a contract).

2.1.3 Applications

You can apply to work at our company electronically, in particular by e-mail at We will of course only use your details to process your application and will not pass it on to third parties. Please note that e-mails sent without encryption are not protected against unauthorised access.

If you have applied for a specific post and this post has already been filled, or if we think you are equally or more suitable for a different post, we would like to pass your application on within the company. Please tell us if you do not agree to us passing it on in this way.

Your personal data are deleted immediately after the application process is completed or after a maximum of 6 months unless you have given us your express consent for the data to be stored for longer, or if a contract has been signed. The legal basis for this is as set out in points (a), (b) and (f) Art. 6(1) GDPR and Section 26 of the German Federal Data Protection Act (BDSG). Our legitimate interest is based on processing the respective applications.

2.1.4 Use of social plug-ins

This website uses social plug-ins from the following providers:

  • Facebook (operator: Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA)
  • Twitter (operator: Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA)
  • Google+ (operator: Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)
  • Instagram (operator: Instagram LLC, 1601 Willow Rd, Menlo Park, CA, 94025, USA)
  • Vimeo (operator: Vimeo Inc., 555 West 18th Street, NY, New York 10011, USA)

These plug-ins normally record data from you by default and transmit them to the servers of the respective providers. To ensure your privacy is protected, we have taken technical measures that guarantee that your data cannot be recorded by the providers of the respective plug-in without your agreement. When a page with these plug-ins embedded is accessed, they are initially disabled. They are only enabled when you click on the icon to indicate that you agree to your data being transmitted to the provider. The legal basis for use of the plug-ins is as set out in points (a) and (f) Art. 6(1) GDPR.

Once enabled, the plug-ins also record personal data such as your IP address and send these to the provider’s servers where they are stored. If social plug-ins are enabled, these set a cookie with a unique identifier when you visit the website. This also allows providers to create profiles about your usage behaviour. This happens even if you are not a member of the provider’s social network. If you are a member of the provider’s social network and are logged in to the social network when you visit this website, your data and information about the visit to this website may be linked to your profile on the social network. We do not have any control over the precise scope of data collected from you by the provider.

For more detailed information about the scope, nature and purpose of the data processing and on rights and settings you can use to protect your privacy, please refer to the privacy policies of the provider of the social network. These can be accessed at the addresses below:

YouTube videos are embedded on the website in privacy-enhanced mode. When the video is played the following data are transmitted to Google, which operates YouTube:

  • the IP address;
  • the specific address of the page accessed on our site;
  • the browser identifier transmitted;
  • system date/time of the visit and
  • pre-existing cookies that can be used to uniquely identify your browser.

Cookies and pixel tags used to customise advertisements and search results are only set by YouTube when the video plays. No information is stored by YouTube about visitors to the website unless they view the video.

Please note that Google may receive additional data via cookies that are already stored. We have no control over how these data are used by Google. Google Inc. is responsible for collecting and processing these data.

If you visit any of our sites equipped with a Vimeo plugin, you will be connected to Vimeo’s servers. It tells the Vimeo server which of our pages you visited. In addition, Vimeo obtains your IP address. This also applies if you are not logged in to Vimeo or do not have an account with Vimeo. The information collected by Vimeo is transmitted to the Vimeo server in the United States.

If you are logged in to your Vimeo account, you allow Vimeo to associate your surfing behavior directly with your personal profile. You can prevent this by logging out of your Vimeo account.
For more information on how to deal with user data, see the Vimeo Privacy Policy at

2.1.5 Google Maps

This website uses Google Maps API provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, to depict geographical information. When Google Maps is used, data on the use of the Maps function by visitors to the website are also collected, processed and used by Google. For more detailed information on data processing by Google, please refer to Google’s Privacy Policy.

2.1.6 Usage of Google Web Fonts

Google Web Fonts ( are used to visually improve the presentation of information on this website. The web fonts are transferred to the browser’s cache when the website is accessed so that they can be used for displaying text. If the browser does not support Google Web Fonts or prevents access, the text is displayed in the system’s default font. When the website is accessed, no cookies are stored on the user’s computer. Data transmitted in connection with the website view is sent to resource-specific domains such as or They are not associated with data that may be collected or used in connection with the parallel use of authenticated Google services such as Gmail. The IP address of the user’s device is also stored anonymously by Google. Further information on Google Web Fonts can be found at and in Google’s privacy policy:

Purpose of the data processing

This is necessary so that your browser can display an optically improved version of our texts. If your browser does not support this function, a standard font will be used by your computer.

Legal basis for the processing of personal data

The legal basis for data processing is Art. 6 para. 1 lit. f GDPR. The legitimate interest for processing personal data lies in a faultless operation and attractive presentation of our website.

Data deletion and storage period

We do not have any information about the duration of storage.

Possibility of objection and removal

You can set your browser so that the fonts are not loaded by the Google servers (e.g. by installing add-ons like NoScript or Ghostery for Firefox). If your browser does not support Google Fonts or if you block access to the Google servers, the text will be displayed in the system’s default font.

2.1.7 More information about Google

To our knowledge, Google has committed to compliance with the Privacy Shield Framework issued by the US Department of Commerce between the EU and the USA on the collection, use and storage of personal data from EU member states. Google has certified that it will comply with the relevant Privacy Shield Principles. The EU Commission believes that the USA ensures appropriate legal protection for personal data sent out of the EU to self-certified organisations in the USA under the Privacy Shield Framework. Additional information is available at:

2.1.8 How are cookies used on this website?

Cookies are stored on your computer when you use our website. Cookies are small text files that are attributed to the browser used by you and stored on your hard disk which send certain information to the source setting the cookie. Cookies cannot run programs or transfer viruses to your computer. They are used to make our Internet offering more user friendly and effective. We also use cookies to allow us to identify you when you make return visits if you have an account with us. If you don’t have an account, you will need to log in again every time you visit.

This website uses the following types of cookies; we also explain their scope and how they work below.

Transient cookies

These cookies are automatically erased when you close the browser. They are mostly session cookies. These store a “session ID” which is used to attribute multiple requests by your browser to the overall session. This allows your computer to be recognised when you return to our website. Session cookies are erased when you log out or close the browser.

Persistent cookies

These cookies are automatically erased after a predefined period which may vary depending on the cookie. You can erase these cookies at any time in your browser’s security settings.

Flash cookies

The flash cookies we use are collected by your flash plug-in, not your browser. We also use HTML5 storage objects which are stored on your device. These objects store the data required regardless of the browser you are using and do not have an automatic expiry date. If you do not want flash cookies to be processed, you need to install an add-on such as “Better Privacy” for Mozilla Firefox ( or the Adobe Flash Killer cookie for Google Chrome. You can stop HTML5 storage objects from being used by setting your browser to Private mode. We also recommend that you regularly clear your cookies and browser history manually.

Blocking cookies

You can configure your browser settings to match your preferences, for example you can refuse to accept third-party cookies or all cookies. Please note that if you do you may not be able to use all the functions available on this website.

If any personal data is involved when the personal data is processed as described in clause 3.a, the legal basis for this is as set out in point (f) of Article 6(1) GDPR (legitimate interest; the legitimate interest is derived from the purposes stated above (in particular, optimising usage of website and improving user experience)).

2.2 Use of company appearances in social networks

2.2.1 Facebook

Information about the processing of your personal data during the use of the Facebook pages of Arena Berlin GmbH can be found here: (PDF)

2.2.2 Instagram

Instagram, part of Facebook Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2 Ireland.

On our company page we provide you with information and offer the Instagram user the possibility to communicate. If you take an action on our Instagram business page (e.g. comments, likes, posts) you need to be aware that you make personal data public (e.g. name, profile picture). However, as we generally or in large part have no influence on the processing of your personal data by the companies responsible for the Arena Berlin GmbH-company appearance on Instagram, we cannot make binding statements on the purpose and scope of the processing of your data. Please see Instagram’s privacy policy for more information:

Our corporate social media presence is used for communication and information sharing with (potential) customers. The publications about the company may contain the following content:

  • Information about products
  • information about services
  • contests
  • advertising
  • customer contact

Every user is free to publish personal data through activities.

The legal basis for data processing is Art. 6 para.1 p.1 lit. f DSGVO. The data generated by the company appearances is not stored in our own systems.

You may, at any time, object to the processing of your personal data that we collect during your use of our Instagram corporate site, make your personal data protection rights listed in section IV of this privacy policy effective.Therefor send us an informal email to

For processing your personal data through Instagram and the corresponding contradictory possibilities, you can find further information here:

2.3 Newsletter

We send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter referred to as “newsletters”) only with the consent of the recipient or a legal permission. If the contents of the newsletter are specifically described within the scope of registration, they are decisive for the consent of the user. In addition, our newsletters contain information about our services, programs and us.

In order to subscribe to our newsletters, it is generally sufficient for you to enter your e-mail address. However, we may ask you to provide a name in the newsletter for the purpose of addressing you personally or to provide further information if this is required for the purposes of the newsletter.

The registration to our newsletter takes place in principle in a so-called Double-Opt-In procedure. This means that you will receive an e-mail after your registration in which you will be asked to confirm your registration. This confirmation is necessary so that nobody can register with external e-mail addresses. The registrations for the newsletter can be logged in order to be able to prove the registration process according to the legal requirements. This can also include the storage of the registration and confirmation time, as well as the IP address.

The newsletter is sent on the basis of the recipient’s consent pursuant to Art. 6 Para. 1 lit. a, Art. 7 DSGVO in conjunction with § 7 Para. 2 No. 3 UWG or on the basis of legal permission pursuant to § 7 Para. 3 UWG. The registration procedure is recorded on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f DSGVO. Our interest is directed towards the use of a user-friendly and secure newsletter system that serves our business interests as well as the expectations of the users and furthermore allows us to provide evidence of consent.

You can cancel the receipt of our newsletter at any time, i.e. revoke your consent. You will find a link to cancel the newsletter at the end of each newsletter. We may store the unsubscribed e-mail addresses for up to three years on the basis of our legitimate interests before deleting them in order to be able to provide evidence of a previously given consent. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of a consent is confirmed at the same time.

3. Are my data transmitted to third parties?

In order for Arena to be able to process your data in accordance with the purposes described above, it may be necessary for other recipients to view and process your data.

3.1 External service providers (processors)

Your data are passed on to service providing partners where they are acting on our behalf and support Arena in providing its services.

Processing of your personal data by sub-contracted providers is subject to the provisions relating to processing on behalf of a controller set out in Art. 28 GDPR.

3.2 Other service providers, partners and third parties

Arena may work with other partners where this is necessary to provide our services or we are legally obliged to surrender data. These may include the following partners or third parties:

  • Banks and payment service providers;
  • Shipping companies;
  • Disclosure to public bodies or in response to a court order.

The legal basis for these types of processing of your personal data is as set out in point (c) Art. 6(1) GDPR (to meet a legal obligation).

4. Are my data processed outside the EU/EEA and how is my privacy ensured?

Arena is highly committed to processing your data within the EU/EEA. However, it is possible that we use service providers that are active outside the EU/EEA. In such cases we ensure that an appropriate level of data protection is in place before we transmit your personal data. This means that a level of data protection that is comparable to the standards within the EU is in place via EU standard contracts or an Adequacy Decision such as the EU Privacy Shield.

5. How long are my data stored?

Except where another retention period is set in the other provisions of this Privacy Policy, we only store the personal data acquired by us in connection with the use of the website as long as this is necessary to process your concerns and/or requests to us and then only to the extent required under our legal obligations to retain data. Where we no longer need your data for the purposes described above, they shall only be stored and not processed for any other purposes during the retention period stipulated by law.

6. What are my rights and how can I pursue them?

You have the following rights with regard to us with respect to the personal data concerning you:

6.1 General rights

You have a right to access, rectification, erasure, restriction of processing or to object to processing, and a right to data portability. Where data are processed on the basis of your consent, you have the right to withdraw this at any time with future effect.

6.2 Rights when data is processed in accordance with a legitimate interest

You have the right under Article 21(1) GDPR to lodge an objection, on grounds relating to your particular situation, at any time to processing of personal data concerning you, which is based on point (e) (data processing in the public interest) or (f) (data processing to uphold a legitimate interest) of Article 6(1) GDPR, including profiling based on those provisions. If you object, we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or if processing is used for the establishment, exercise, or defence of legal claims.

6.3 Rights in relation to direct marketing

Where we process your personal data for direct marketing purposes, you have the right under Article 21(2) GDPR to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.

6.4 Right to lodge a complaint with a supervisory authority

You also have the right to complain to a competent data protection supervisory authority about the processing of your personal data.

7. Data security

Arena uses the latest technical measures to ensure data security (e.g. SSL encryption), particularly to protect your personal data against risks when data are transmitted and against detection by third parties. These measures are adjusted to reflect the state of the art.

8. Other

8.1.1 Amendments to the Privacy Policy

This version of our Privacy Policy is continuously updated to reflect developments on the Internet or our offering. We shall announce amendments in good time on this page. You should visit this page regularly to see the latest updates to our data usage provisions.

8.1.2 Links to other websites

Our website may contain links to the websites of other providers. Please note that this Privacy Policy applies solely to Arena’s websites. We have no control over whether other providers comply with the applicable laws on data privacy.