The purpose of this information on data protection is to inform you on the processing of your personal data when visiting and using the websites of CTS EVENTIM AG & Co.KGaA (hereinafter "EVENTIM", "we" or "us") and in reference to our marketing measures on our own websites as well the websites of third parties and on social networks in accordance with the General Data Protection Regulation (hereinafter "GDPR").

The data protection information for EVENTIM.CheckIn visitor data collection can be found here.

1 Scope, controller and definitions

1.1 Scope of this data protection information

1. This information on data protection applies to the visit and use of the EVENTIM websites on which a customer account can be created and tickets can be purchased in our online ticket shops, including online ticket shops that can be accessed via websites of Partners (so-called "Partnershops"). This information also applies to our related marketing activities on our websites, third-party websites and in social networks. You can access, save and print this information on data protection at any time and free of charge on our websites.

2. This information on data protection only concerns the processing of personal data within the meaning of Section 1.3, number 4. Other websites are not covered by this information on data protection and provide their own specific information on data protection.

1.2 Controller for the processing of your personal data

Unless otherwise stated in this information on data protection, the following is the controller for the processing of your personal data:

CTS EVENTIM AG & Co. KGaA
Contrescarpe 75-A
D-28195 Bremen
Germany
Email: kundenservice@eventim.de
Tel: +49 (0) 421 - 20 31 55 11.

For processing in connection with the execution of orders through certain Partnershops - we are jointly responsible, together with the respective operator of the partner site, as described in detail in section 2.7 below. You will find a list of Partnershops, which are operated under joint responsibility and the co-responsible partners here.

For processing related to marketing activities on our websites, third-party websites and in social networks that are carried out with the support of Eventim Media House GmbH as specified in section 2.1.3, 2.1.4, 2.1.5, 2.1.6 we are jointly responsible.

1.3 Definitions

This information on data protection is based on the following terms on data protection, which we have defined for easier understanding:

1. The GDPR is the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).

2. Recipient is a natural or legal person, authority, institution or other body to which personal data is disclosed, regardless of whether it is a third party or not. Authorities, however, which within the framework of a specific inquiry mandate may receive personal data under Union law or the law of the Member States shall not be considered recipients; the processing of such data by these said authorities is carried out in accordance with the applicable directives on data protection in accordance with the purposes of the processing. Depending on the method of payment selected for ticket purchases, the recipients of your personal data may be banks or the postal service providers via whom we send you your ticket by post.

3. In accordance with Section 15 of the German Stock Corporation Act (AktG), the EVENTIM Group comprises all of CTS EVENTIM AG & Co. KGaA s affiliated companies. Further information is available at

https://corporate.eventim.de/en/company/

4. Personal data are all information relating to an identified or identifiable natural person, i.e. the data subject. An identifiable natural person is one who can be identified directly or indirectly, in particular by assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data can, for example, be name, contact data, user behaviour or bank data.

5. The Controller is the natural or legal person, public authority, agency or other body which alone or jointly with others decides on the purposes and means of processing personal data. Where the purposes and means of such processing are laid down by Union law or by the law of the Member States, the controller or the specific criteria for his appointment may be laid down in accordance with Union law or the law of the Member States. For the data processing described in this privacy policy, CTS EVENTIM AG & Co. KGaA is responsible; partly together with the operator of a partner-site (see section 1.2).

6. Processing is any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transfer, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying. Processing can be, for example, the collection and use of your order data for ticket sales.

2 Purposes, legal bases and, if applicable, data categories for processing your personal data

2.1 Processing of your data when you visit our websites as well as part of marketing measures on third-party websites and in social networks

If you access our websites to obtain information about our products and services without registering in the customer account, purchasing a ticket in our ticket shop or otherwise actively providing us with information (purely informational use), we process your personal data. In addition, we process your personal data as part of marketing measures on third-party websites and social networks. Your personal data is processed for the following purposes and on the basis of the following legal bases:

2.1.1 Processing for IT security purposes

1. When using our websites, we process your personal data that is technically necessary for us to make our websites available to you and to ensure stability and security when visiting them. For this purpose, we process the following personal data:

IP address
Browser Fingerprints
Browser User Agents
Cookies (see Cookie information Websites)

2. For the identification and defense against threats (bot defense, DDoS attacks), we use services of Akamai Technologies GmbHon our websites. Akamai processes the IP address of your end device on behalf of EVENTIM to prevent technical threats on our website. The IP address is usually transferred to Akamai servers in the USA and processed there. This data transfer is based on EU standard contractual clauses. This ensures adequate protection of your personal data.

3. For the delivery and acceleration of online applications (content delivery network) we use services of Akamai Technologies GmbH. Akamai processes the IP address of your end device. On behalf of EVENTIM, Akamai uses this information to ensure the high availability of our website. The IP address is usually transmitted to Akamai servers in the USA and processed there. This data transfer takes place on the basis of EU standard contractual clauses. This ensures adequate protection of your personal data.

4. We use Google reCaptcha v2 on our websites. reCaptcha is an offer from Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) and serves to prevent abusive automated entries in web forms and thus to protect the technical systems of the hoster.

When you call up one of our web pages in which reCaptcha is integrated, a connection is established to Google's servers. A reCaptcha cookie is set. Your IP address is transmitted to Google.

In addition, reCaptcha collects the following data by means of "fingerprinting":

- browser plugins used
- cookies set by Google in the last 6 months
- number of mouse clicks and touches you have made on this screen
- CSS information for the page you are viewing
- Javascript objects
- the date
- the browser language

The storage and analysis of the data is based on Art. 6 Para. 1 Sentence 1 lit. f) GDPR. The website operator has a legitimate interest in protecting its web offers from abusive automated spying and from SPAM. Insofar as personal data is transferred to Google in the USA, this is done on the basis of EU standard contractual clauses. This ensures adequate protection of your personal data. You may refuse the use of cookies and fingerprinting by selecting the appropriate settings on your browser, however, please note that if you do this you may not be able to use the full functionality of this website.

The privacy policy and terms of use of Google can be found here: https://www.google.com/policies/privacy/ and here: https://policies.google.com/terms

5. Due to our legitimate interest in providing you with the websites and safeguarding IT security for you when using them, we process your personal data on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

2.1.2 Processing for analytical purposes

1. When you visit our websites, we may analyse and document how you use our websites, e.g. your surfing behaviour on our websites, which events and areas on our website you are interested in and, if you purchase a ticket from us, your order and shopping cart data. Furthermore, we aggregate this data in order to be able to evaluate, for example, the number of website visitors and their origin. For this purpose, we process the following personal data:

IP address (shortened)
Cookies (see Cookie information Websites)
E-mail address (hashed)

Hashing uses a function whereby your e-mail address is pseudonymized in a non-reversible manner.

2. We process your personal data on the basis of your consent as defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR. If you would like to object to the data processing for analytical purposes, please click on the following link: Cookie Settings

3. For this analysis, we use Google Analytics 360, a web analysis service of Google Ireland Ltd. ("Google"), on our website. Google Analytics 360 uses cookies that enable an analysis of the use of our websites. The information generated by the cookie about the use of our websites is in general transferred via a server operated by us in Europe to Google Analytics 360 in the US and stored there. This data transfer takes place on the basis of EU standard contractual clauses. This ensures adequate protection of your personal data. You can find out more here:

https://business.safety.google/adsprocessorterms/sccs/p2p-intra-group/

We shorten your IP address on the server we operate before it is transferred to a Google Analytics 360 server. An exception to this are websites that we operate under joint responsibility with our partners, there your information will be transferred to Google Analytics 360 after using IP anonymization on our websites. If you are in the European Union, this function shortens your IP address within Member States of the European Union or in other contracting states to the Agreement on the European Economic Area. On behalf of EVENTIM, Google Analytics 360 will use this information to evaluate the use of the websites, to compile reports on the website activities and to provide EVENTIM with further services associated with the use of the website and the Internet.

For more information on the terms of use and data protection of Google Analytics 360, please visit:

https://support.google.com/analytics/answer/6004245

4. We use Optimizely Web Experimentation (Optimizely) on our website to increase the attractiveness and optimise the content and functionality of our website. By playing out new functions and content to a percentage of our users and statistically evaluating the change in usage, we can regularly improve our offer.
In order to play out the new functions and content, we use cookies that determine your affiliation to a variant of the optimisation test and link it to a pseudonymous ID in order to provide you with the website on the basis of the fulfilment of a contract within the meaning of Art. 6 (1) sentence 1 lit. b) DS-GVO.
If you give us your consent to do so, we use this information to evaluate your use of our website, as well as to create reports on the optimisation test and related website activities. We process your personal data for this purpose on the basis of your consent within the meaning of Art. 6 para. 1 sentence 1 lit. a) DS-GVO.
In connection with the use of Optimizely cookies, your personal data is transferred to the USA. This data transfer takes place on the basis of EU standard contractual clauses. This ensures adequate protection of your personal data.
You can prevent the collection of information by Optimizely Web Experimentation by preventing the storage of cookies through an appropriate setting in your browser software or by deactivating Optimizely's tracking here. However, we would like to point out that in this case you may not be able to use all the functions of this website to their full extent.

5. We use a user experience analytics tool from the service provider Contentsquare (Hotjar) to better understand the needs of our users and to optimize the offer and experience on this website. This tool works with cookies and other technologies to collect data about our users' behavior and about their end devices. For this purpose, we process the following (personal) data:

- IP address of the device (in anonymized form)
- screen size, device type (unique device identifiers) browser used
- Location (country only) and preferred language for viewing our website
- keyboard and mouse inputs (movements, position and clicks)
- referral URL and domain
- visited web pages with date and time

You can prevent the collection of information by preventing the storage of cookies by selecting the appropriate settings on your browser software or by deactivating tracking under Cookie Settings. However, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.

6. We use the product analytics tool Mixpanel to analyse and improve the use of our websites and apps. Mixpanel Inc. supports us in better understanding user behaviour, replaying pseudonymised sessions, conducting A/B tests and feature experiments, connecting data with our internal systems, and analysing key figures in relation to business performance. The following information is processed using cookies and similar technologies:
- Technical data about your device and browser
- Usage interaction with the website and app (e.g., clicks, navigation, feature usage)
- Session flows and derived statistics
- Pseudonymised identifiers (e.g., hashed email address)

The processing is carried out exclusively on the basis of consent within the meaning of Art. 6 Para 1 Sentence 1 lit. a) GDPR. As Mixpanel is based in the USA, data is transferred there. An adequate level of protection is ensured by the partner’s certification under the EU-US Data Privacy Framework and additional technical and organisational measures. Further information can be found here: https://mixpanel.com/legal/privacy-policy/

You can prevent the collection of information by preventing the storage of cookies by selecting the appropriate settings in your browser software of by deactivating tracking in the cookie settings.

2.1.3 Processing for the purpose of individual recommendations on our websites

1. If you visit our websites, we analyse and document your user behaviour to display individual recommendations on the websites based on this data. For this purpose, we process the following personal data:

IP address (shortened)
Order and shopping cart data
Favorites and bookmarks (if in use as defined in section 2.2.)
Cookies (see Cookie information Websites)

2. We process your personal data on the basis of your consent as defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR. If you would like to object to the data processing in displaying product recommendations, please click on the following link: Cookie Settings

3. For the display of individual recommendations, we use cookies on our web pages, which enable an evaluation and processing of the use of our web pages. You can prevent the collection of data generated by the cookie related to your use of the web pages (including your IP address) and the processing of this data by clicking on the following link and changing your settings there: Cookie Settings

We use an IP anonymization function on our websites. This means that IP addresses are processed in a shortened form; a direct personal reference can thus be excluded.

2.1.4 Processing for purposes of advertising and re-targeting on third party websites and social networks

1. If you visit our websites, we process your personal data for advertising measures in the form of remarketing and display advertising as well as with the help of social media plug-ins and for social media ads.

2. As part of display advertising, we carry out various marketing campaigns using tags (pixels) and cookies from our retargeting providers. When you visit our websites, tags and cookies are set and associated with products you have viewed or purchased. This allows you to see individual displays for EVENTIM products. We also play banner ads to users of Facebook, Instagram, TikTok and Reddit who have a similar profile to our existing customers and website visitors. For this, we process:

Web page type called up,
viewed product number,
when purchasing a ticket: ordered product number, sales value and order number, as well as preferences and
cookie IDs.

We process your personal data on the basis of your consent as defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR. If you do not want the retargeting function, please click on the following link: Cookie Settings

In connection with the use of tags and cookies from Google and Meta Platforms, Inc. (e.g. Facebook and Instagram) as well as Reddit your personal data is transferred to the US. This data transfer is based on EU standard contractual clauses. This ensures an adequate protection of your personal data.

For further details on data processing by the retargeting providers, please refer to the corresponding data protection information:

Google: https://policies.google.com/privacy?hl=de and further information: https://business.safety.google/intl/en/privacy/
Explanation of Google's use of third party data: https://policies.google.com/technologies/partner-sites
Meta: https://www.facebook.com/privacy/policy
TikTok Information Technology UK Limited & TikTok Technology Limited (Ireland): https://www.tiktok.com/legal/page/eea/privacy-policy/en
Reddit Netherlands B.V.: https://www.reddit.com/en-us/policies/privacy-policy

3. If you have finished a ticket purchase from us, a cookie is set by Google Ads, Google Analytics 360 and Microsoft Ads. If you enter corresponding search terms in Internet search engines after your purchase, individual recommendations for EVENTIM products and services can be displayed to you on the basis of your purchase with the help of this cookie (search engine marketing).
Your personal data is processed in the process. We process your personal data on the basis of your consent as defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR.
If you would like to object to the data processing by Google Ads, Google Analytics 360 and/or Microsoft Ads, please click on the following link: Cookie Settings

In connection with the use of Google Ads, Google Analytics 360 and Microsoft Ads, your personal data is transferred to the US. This data transfer is based on EU standard contractual clauses. This ensures an adequate protection of your personal data.

For further details on data processing by Google Ads and Microsoft Ads, please refer to the corresponding information on data protection:

Google: https://policies.google.com/privacy?hl=de and further information: https://business.safety.google/intl/en/privacy/
Google Ads: https://policies.google.com/technologies/ads
Explanation of Google's use of third party data: https://policies.google.com/technologies/partner-sites
Microsoft Ads: https://privacy.microsoft.com/en-us/privacystatement/

4. We place advertisements, so-called social media ads, in the social networks and apps from Meta like Facebook, Instagram and messenger as well as Reddit. If you have an account on these social networks and through your account settings on the social network agree to display advertising, you will receive corresponding recommendations on our products and services. The recommendations are generated based on your interests (e.g. "likes" of artists, "upvotes" of posts) stored in your public profile on Facebook, Instagram or Reddit.
For this, we process your public profile data. Based on your public profile interests (e.g. "likes" of artists, "upvotes" of posts) we show you individual advertising. In particular, we process

- your IP address,
- your device / cookie ID,
- page/feed activity,
- internet speed,
- purchasing activities
- social connections
- view port size
- operating system and
- user agent

to measure ad success. We process your personal data on the basis of your consent as defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR.

In doing so, your personal data is transferred to the US. This data transfer is based on EU standard contractual clauses. This ensures an adequate protection of your personal data.

For further details on data processing, we refer you to the information on data protection of Facebook, Instagram and Reddit:

Facebook: https://www.facebook.com/privacy/policy
Information about Facebook advertisement: https://www.facebook.com/about/ads/
Instagram: https://help.instagram.com/155833707900388
Reddit: https://www.reddit.com/en-us/policies/privacy-policy

5. On our website we also use TikTok Advertising, a service provided by TikTok Information Technologies UK Limited and TikTok Technology Limited ( TikTok ). Through the use of cookies and similar technologies, information about your usage behaviour on our websites (e.g., information about events viewed, device ID of your device, IP address, user agent) is collected in this context. The collection and transmission happens in joint controllership between us and Tik Tok. We process your personal data on the basis of your consent within the meaning of Art. 6 Para. 1 Sentence 1 lit. a) GDPR. You can withdraw your consent to the use of TikTok Advertising at any time.

The further processing of the data transferred to TikTok is the sole data protection responsibility of TikTok. Please not that TikTok may assign the transferred information to your existing platform account and use it to show you interest-based advertising. In addition, TikTok may use your information to create a profile about you and use it for its own advertising purposes or to advertise third-party services. Insofar as TikTok processes your data in its sole responsibility, your data may be transferred to the USA. You can find more information on data protection at TikTok here: https://www.tiktok.com/legal/page/eea/privacy-policy/en

6. In order to be able to show you and users who are similar to you in their purchasing behaviour suitable recommendations for products and services on advertising platforms from Google (e.g. YouTube and search or display network) and social networks from Meta (e.g. Facebook, Instagram), and to measure campaign success, your encrypted e-mail address may be passed on to these networks after you have registered for our EVENTIM News. To measure campaign success, your encrypted email address and/or telephone number may be transferred to these networks with your consent. For this purpose, your e-mail address contact details will be encrypted in the hashing algorithm SHA-256 and transferred to the USA. This data transfer happens in accordance with the EU Standard Contractual Clauses. Thereby, appropriate protection of your personal data is ensured.

The transmission of data is independent of the existence of a Google or Meta user account. As soon as the matching of the hashed data with the hashed user data on Google or Meta proceeded, Google and Meta delete the transferred data. As a result, Google and Meta don’t have access to the hashed e-mail addresses contact details of people who are not registered on their networks beyond the matching process.

For further details on data processing by Google or Meta, please refer to the relevant data protection information: Meta: https://www.facebook.com/privacy/policy
Google: https://policies.google.com/privacy?hl=en and further information: https://business.safety.google/intl/en/privacy/

We process your personal data on the basis of your consent as defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR.

2.1.5 Processing for the purpose of displaying personalised advertising and content using the IAB TCF

1. When you visit our websites, we use the so-called Transparency & Consent Framework (“TCF”) with your consent to display advertising and content on the devices assigned to you that you may be interested in, based on an analysis of your data.
The TCF is an IAB Europe standard (https://iabeurope.eu/) for obtaining and implementing consent, including in connection with personalised advertisements and content. EVENTIM participates in the TCF and adheres to its specifications and guidelines. We use the Consent Management Platform with identification number 31.

To determine which advertising and content might be of interest to you and to display it, we collect and process the following data:
• Your IP address,
• Data regarding the use of our website, app and newsletter (e.g. website content and click paths),
• Data about your device,
• Data about the display of content and advertisements and your interactions with them,
• Characteristics derived from your data (e.g. age groups, product interests),
• Online identifiers assigned to you (e.g. cookie IDs).
We also process the so-called TC string assigned to you. This is an encoded string of characters used within the framework of the TCF, which contains information about the granting and scope of your consent.

2. We use cookies and similar technologies to collect your data, assign devices to you and to be able to display personalised advertising and content. In doing so, with your consent, we also store information on your device and access information stored there. You can find further information on the cookies used in connection with the delivery of advertising and content using the IAB TCF, including their duration of use, by clicking on the following link, opening the “Marketing” category and clicking on the question mark next to the providers marked “IAB”: Cookie Settings

3. The use of cookies and similar technologies is based on your consent in accordance with § 25 Para. 1 TDDDG in conjunction with Art. 6 Para. 1 Sentence 1 lit. a) GDPR. We also process your personal data, provided you have consented to such processing for the respective purpose, generally on the basis of consent within the meaning of Art. 6 Para. 1 Sentence 1 lit. a) GDPR. The processing of your data to ensure security, to prevent and detect fraud, to resolve errors, to provide advertising and content, and to store and transmit your data protection decisions is carried out to safeguard these legitimate interests on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

You may amend or withdraw your consent at any time with future effect by clicking on the following link and making a new selection there: Cookie Settings
You may object to the processing of your data on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR by not giving your consent to “Advertising and content using the IAB TCF” and “Marketing” or by withdrawing your consent as described.

4. In connection with the processing of your data for the “purpose of displaying personalised advertising and content using the IAB TCF”, we also disclose your data to external recipients. These are, on the one hand, the so-called “providers”, i.e. companies with which we collaborate so that personalised advertising and content can be displayed to you using the IAB TCF as described above. You can find more information about these providers by opening the “Advertising and content using the IAB TCF” category in the cookie settings and clicking on the question mark next to the providers listed there: Cookie Settings
We also use external service providers who primarily support us with IT services and in the implementation of advertising campaigns. In doing so, your data is also transferred to third countries, i.e. countries outside the European Economic Area (see Section 4).

2.1.6 Use of cookies

1. When using our websites, cookies are stored on your computer. Cookies are small text files that are assigned and stored on your hard disk by the browser you use. Cookies allow certain information to flow to the controller that sets the cookie. These also contain personal data. This allows us to make our websites more user-friendly and effective. Cookies cannot run programs or transmit viruses to your computer.

2. For the use of cookies on the websites of our ticket shop, the Cookie Information websites of EVENTIM (see Cookie information Websites) apply.

3. If you give your consent that we may store certain or all cookies on your computer, a corresponding consent ID is generated and stored. The processing is carried out on the basis of Art. 6 Para. 1 Sentence 1 lit. c) GDPR.

2.1.7 External media contents from third parties

1. When you visit our websites, you can use map services to view the location of events and get in the mood for events and artists with videos and music samples. To provide you with these services, we use embedded third-party content on our websites. To display the content, your IP address is processed by the third-party providers and transmitted to their servers, which may be located in the USA. If applicable this data transfer takes place on the basis of EU standard contractual clauses. This ensures adequate protection of your personal data. Additionally, cookies are set, and other technical information are processed (e.g. browser type and longitude and latitude of your location).

2. This processing is based on your consent. Only after you have given your consent within the meaning of Art. 6 Para. 1 Sentence 1 lit. a) GDPR for this processing, cookies will be loaded for the purpose of displaying maps as well as audio-visual content and your data will be transferred to the third parties. If you wish to object to the data processing, please click on the following link: Cookie Settings

3. A more detailed description of the services and how your data is processed can be found below:

Google Maps (API), a service of Google Ireland Ltd.
- Google Maps/Google Earth Additional Terms of Service: https://maps.google.com/help/terms_maps.html
- Google Privacy Policy: https://policies.google.com/privacy?hl=en

YouTube (API), a service of YouTube LLC
- YouTube Terms of Service: https://www.youtube.com/t/terms?hl=en&override_hl=1
- Google Privacy Policy: https://policies.google.com/privacy?hl=en

Apple Music (API), a service of Apple Inc.
- Apple Privacy Policy: https://www.apple.com/legal/privacy/en-ww/

2.1.8 Processing for the purpose of improving your website visit

1. In order to improve your visit to our websites, we show you six of your most recently visited Eventim contents as suggestions when you interact with the search bar. This includes artists, but also events or venues. This processing is based on your consent within the meaning of Art. 6 Para. 1 Sentence 1 lit. a) GDPR. In order to offer you this feature, we store the Eventim contents you last visited in the local storage of your browser for up to 90 days after you have given your consent. You can object to the data processing by clicking on the following link: Cookie Settings

2. You can use our Event Finder to find events that are suitable for you by selecting your preferred genres, venues and time periods. The search result list is based on your input and is designed to help you quickly find the right events that are relevant to you. In order to offer you this function, which is based on consent within the meaning of Art. 6 Para. 1 Sentence 1 lit. a) GDPR, we store your preferences in the local storage of your browser. You can object to the data processing by clicking on the following link: Cookie Settings

2.2 Registration and creation of a customer account

1. When you visit our websites, you can create a customer account. You can use this to purchase tickets and find out about events and leisure activities. You can also create lists of your favorite artists, venues and events, bookmark them and receive information about them. You can participate in exclusive pre-sales and ticket sales registration, subscribe to newsletters and take advantage of many other benefits relating to your ticket purchase. To register and use the customer account, you only need to provide your valid email address. In addition to this, you can provide further personal and contact data, such as your name and address. So-called session cookies are used for the technical realisation of the login.

2. Due to our legitimate interest, we process your personal data to enable you to create and use your customer account, as well as to enable the sale of tickets, for user-verification in case of changes of personal data in the customer account, and to inform you about our products and services. Processing is carried out on the basis of Art. 6 Para. 1 Sentence 1 lit. b) and lit. f) GDPR.

2.3 Registration and login using a single sign-on (SSO)

1. To make it easier for you to create a customer account and log in later, we offer you the option of registering or logging in using a single sign-on (SSO) procedure. This involves authenticating yourself with your access data with the selected provider (e.g., Facebook, Apple or PayPal). After clicking the branded button, you will be redirected to the login page of the provider of your choice. We receive selected profile data (e.g., name, email address and potentially delivery address and data of birth) in order to create a customer account or link an existing one. The specific data that is received depends on your setting with the respective provider.

2. The use of SSO is voluntary and allows you to log in directly via your chosen provider in the future without the need to register again.

3. We process your personal data on the basis of your consent in accordance with Art. 6 Para. 1 Sentence 1 lit. a) GDPR. You can revoke your consent at any time with effect for the future. To do so, you can remove the respective link in your customer account or directly in the settings of the chosen provider. The lawfulness of the processing prior revoking remains unaffected.

4. We are not responsible for the data processing for authentication by the respective SSO-provider. For further information on data processing in the context of registering via third parties, please refer to the respective data protection information of your chosen provider:

Apple: https://www.apple.com/legal/privacy/en-ww/
Facebook: https://www.facebook.com/privacy/explanation
PayPal: https://www.paypal.com/de/legalhub/paypal/privacy-full?locale.x=en_DE

2.4 Ticket purchases in the online ticket shop, in our reservation offices and via the ticket hotline.

1. We process your personal data when you buy a ticket on our websites or apps in the ticket shop, in our reservation offices or via our ticket hotlines. Mandatory fields are marked accordingly and include, for example, your name and address. The processing is carried out for the purpose of contract execution and processing with you on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR.

2. If you purchase a ticket for another person (third party), we process the third party s personal data (name and, if applicable, contact data) provided by you for ticket personalisation and, if applicable, for sending the ticket to the third party. These data are processed for the purpose of contract execution and processing with you on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR. If you provide data of a third party when purchasing a ticket, make sure that the third party is sufficiently informed by you about the processing of his/her data at EVENTIM and that you are entitled to provide the data.

3. When you purchase a ticket through our websites and choose either "purchase on account" or "hire purchase" payment methods, Klarna Bank AB (publ) uses tools to identify potential fraud. A corresponding check only takes place if you give your consent (opt-in). If the check is negative, the payment methods "purchase on account" or "hire purchase" are rejected. However, all other payment methods listed in the ticket shop are still available to you. When using the tools, it is possible to draw conclusions about your person. We process your personal data on the basis of your consent as defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR and due to the fact of our legitimate interest and Klarna's legitimate interest in fraud prevention on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

4. In order to offer you the payment method direct bank transfer on our website, we use the payment initiation service provider Tink AB. You will be redirected to the Tink website for payment processing and will find Tink s applicable terms and conditions and privacy policy there. For payment processing, we process your personal data (e.g. name, contact and account information, amount) on the bases of contract fulfilment within the meaning of Art. 6 Para. 1 Sentence 1 lit. b) GDPR. In some cases, account data such as the balance etc. may be used to carry out a risk assessment. This processing takes place due to the legitimate interest in fraud prevention on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

5. If you choose to pay by credit card, you can use the Click to Pay service to make the credit card use easier. If you decide to register with Click to Pay, your payment details will be available for your next order. Netcetera AG will process your email address and telephone number for this purpose. The provider's data protection information and terms are displayed directly in the payment process. Your data is processed on the basis of your consent within the meaning of Art. 6 Para. 1 Sentence 1 lit. a) GDPR.

6. If you pay with a credit card, the so-called 3D-Secure 2.0 procedure (hereinafter: 3DS 2.0) is usually applied. 3DS 2.0 is a worldwide standard of card networks (Visa, MasterCard, JCB, Diners, AMEX etc.) developed by EMVCo, an association of card networks. 3DS 2.0 is one of the methods used to perform strong customer authentication in accordance with the EU 2015/2366 directive (Payment Services Directive 2, PSD 23). PSD 2 is implemented in Germany in the Payment Services Supervision Act. The 3DS 2.0 process confirms that the person initiating an eCommerce transaction is also authorized to use the respective payment card, i.e. it is intended to prevent the misuse of your credit card. The processing of the data required for 3DS 2.0 in accordance with section 3.4 of our Terms and Conditions (see https://www.eventim.de/en/help/terms/) is carried out for the purpose of executing and handling the contract with you on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR.

7. When issuing personalised tickets, we may also process special categories of personal data, such as your health data, if you provide such information when purchasing a ticket and agree that we may process this data. This includes, for example, the information that you are a wheelchair user, have an allergy or intolerance to food or a severe disability. We process this data to provide you with special price categories, special access to an event and special seats during the event. Your data is processed on the basis of your consent as defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR.

8. If you decide to have your tickets sent by post, we will help you to avoid input errors and ensuring the successful delivery through address suggestions and validation. To do this, we use Loqate from our partner GB Group Plc and process your IP address and the address data you have entered. The processing is carried out on the basis of contact fulfilment within the meaning of Art. 6 Para. 1 Sentence 1 lit. b) GDPR.

9. If you receive and accept a digital ticket (EVENTIM.Pass) from a third person through forwarding, we process your personal data. The processing is carried out for the purpose of contract execution and processing with you on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR.

10. When you buy a ticket on our websites in the ticket shop, you may be redirected to a virtual queue in situations with particularly high visitor numbers. This is to ensure that we do not overload our websites. In order to determine your place in the queue and to enable you to buy tickets at the right time, your IP address and possibly browser data (e.g. user agent) are processed by Queue-it ApS. This processing is based on our legitimate interest in providing our websites securely and efficiently, on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

11. When you use a ticket sales registration, we possibly authenticate your registration to be able to exclude especially commercial buyers from the on-sale. In that case we will verify that you meet the requirement for the fair ticket purchase and thus for participation in the on-sale, we compare personal data from your Eventim customer account with your ticket sales registration, on the basis of contract initiation, execution and processing in accordance with Art. 6 Para. 1 Sentence 1 lit. b) GDPR. For example, this may involve your name and email address to ensure that you have only registered once for the respective on-sale. You will receive all information about the on-sale you registered for via email (see section 2.13.1).

12. If you have completed a ticket purchase with us, in some cases you will be shown an overlay from our partner Rokt (Rokt US Corp.; Rokt Pte. Ltd.) with individual product recommendations and service offers. Your personal data will be processed in the process. The processing is carried out on the basis of our legitimate interest (within the meaning of Art. 6 para. 1, sentence 1 lit. f) GDPR). If you have consented to the use of marketing cookies, Rokt also sets cookies that help to deliver offers that are as relevant as possible to you. In connection with the use of Rokt cookies, your personal data will be transferred to the USA. This data transfer takes place on the basis of EU standard contractual clauses. This ensures adequate protection of your personal data. You can prevent the collection of information by Rokt by preventing the storage of cookies by setting your browser software accordingly or by deactivating the corresponding tracking here. However, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.

2.5 Purchasing and selling tickets via fanSALE

1. As a private person, you can offer and purchase tickets and related EVENTIM services via our ticket exchange fanSALE (available under www.fanSALE.de). In your capacity as buyer or seller of a ticket, we process your personal data for the purpose of contract initiation, execution and processing on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR.

2. If you provide the delivery address of another person (third party) when purchasing a ticket on fanSale, we process the contact data of this third party on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR. In this constellation, make sure that the third party is sufficiently informed by you about the processing of his/her data at EVENTIM and that you are entitled to provide the data.

2.6 Purchasing merchandise in the online shop

1. We process your personal data when you buy merchandise on our websites. The processing is carried out for the purpose of contract execution and processing with you on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR.

2. If you purchase merchandise for another person (third party), we process the third party's personal data (name and, if applicable, contact data) provided by you for sending the merchandise to the third party. These data are processed for the purpose of contract execution and processing with you on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR. If you provide data of a third party when purchasing merchandise, make sure that the third party is sufficiently informed by you about the processing of his/her data at EVENTIM and that you are entitled to provide the data.

3. With regard to further processing directly related to the purchase of merchandise in the merchandise shop, the same information applies as for ticket purchases (see 2.4.3-10). This includes, for example, payment processing, the use of virtual queues, and the display of recommendations on the order confirmation page.

2.7 Ticket sales via websites of special cooperation partners

1. If you purchase tickets through the websites of our cooperation partners ("Partner Sites"), your personal data will be processed in the respective Partnershop for the purpose of executing your order. As mentioned in section 1.2, certain cooperation partners are jointly responsible with us (Art. 26 GDPR) for processing your personal data in the context of ticket purchase within the meaning of this section.

2. We process your personal data as joint controllers with our special cooperation partners as defined in section 1.2, for the purposes and on the legal basis as described in detail in sections 2.4, 2.7, 2.12, 2.13, 2.16, 2.17, 2.18 and 2.19 of this privacy policy.

3. Please contact us if you have any inquiries regarding sections 2.16, 5, 6 and 7 (see contact details in section 1.2). Upon request, we would also provide you with the essentials of the agreement on shared data protection responsibility with our respective cooperation partner.

4. The processing of data about users of a Partnershop in connection with the use of an Internet offer and its functions outside of order processes (including processing for the purposes of IT security, usage analysis and the display of advertising - if necessary using cookies) - as detailed in sections 2.1 - 2.3 - is not subject to the common data protection responsibility with the cooperation partner. EVENTIM is solely responsible for these processing activities.

2.8 Credit assessment and profiling

1. If the customer selects the SEPA direct debit payment method, CTS EVENTIM reserves the right to obtain credit information from SCHUFA, Boniversum or infoscore within the scope of this contractual relationship.

2. Credit risk is assessed on the basis of mathematical-statistical procedures at the credit agency (SCHUFA Holding AG, Kormoranweg 5, D-65201 Wiesbaden, Germany, or Creditreform Boniversum GmbH, Hellersbergstr. 11, 41460 Neuss, Germany, or infoscore Consumer Data GmbH, Rheinstra e 99, 76532 Baden-Baden, Germany), so-called scoring. For this purpose, your personal data, which are necessary for the credit assessment (name, address, birthday) are transferred to the credit agency. We process your personal data for the purpose of credit assessment to avoid payment default. On the basis of the transferred personal data, including address data, a statistical probability of a credit default and thus your solvency is calculated. The credit agency then transfers your score value to us. Furthermore, CTS EVENTIM reserves the right to transmit data on non-contractual behaviour or fraudulent behaviour to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, or Creditreform Boniversum GmbH, Hellersbergstr. 11, 41460 Neuss, or infoscore Consumer Data GmbH, Rheinstra e 99, 76532 Baden-Baden in the event of continued non-payment of claims that are not substantiated and disputed. The data exchange with SCHUFA, Boniversum or infoscore also serves the fulfilment of legal obligations to carry out creditworthiness checks of customers ( 505a and 506 BGB). The SCHUFA, Boniversum or infoscore process the data received and also use them for the purpose of creating a profile (scoring) in order to provide their contractual partners in the European Economic Area and in Switzerland as well as any other third countries (insofar as the European Commission has issued a decision on the appropriateness of such data) with information for the purpose of assessing the creditworthiness of natural persons, among other things. This personal data is processed for the execution of your contract with us on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR as well as due to our legitimate interest in avoiding a default of payment on your part, according to Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

3. If you choose the payment method installment purchase and invoice purchase, Klarna Bank AB reserves the right to obtain creditworthiness information within the scope of this contractual relationship. For further information please refer to the General Terms and Conditions and Privacy Policy of Klarna Bank AB (publ).

4. The decision as to whether payment by direct debit, hire purchase and/or invoice purchase is possible is based on an automated decision. If your customer and order data are similar to the data of an order with payment problems, one of our employees will check your order process separately and manually.

5. If the credit check is positive, payment by direct debit, hire purchase and/or purchase on account is possible; if it is negative, we cannot offer you the payment method "direct debit", "hire purchase" and/or "purchase on account". Payment by another payment method is still possible.

6. The scope of the scoring is limited to whether payment by direct debit, hire purchase and/or purchase on account is possible. We use the scoring exclusively to prepare and execute the contract with you and to protect ourselves against possible payment defaults.

7. Further information on the activities of the SCHUFA can be found in the SCHUFA Information Sheet pursuant to Art. 14 GDPR or can be viewed online at https://www.schufa.de/en/global/data-protection/. The same applies to the infoscore information sheet (DE).

2.9 Shopping cart canceller e-mails

1. If you have started an order process in our ticket shop on our websites but have not completed it, we will send you a reminder e-mail to the e-mail address stored in your customer account regarding the purchase process you have started. You can complete this purchase process by logging into your customer account on our websites.

2. We collect and store your personal data to identify unfinished shopping carts. The collection and storage of your personal data is based on Art. 6 Para. 1 Sentence 1 lit. a) GDPR. If you wish to object to the data processing, please click on the following link: Cookie Settings

3. We process your personal data in order to remind you within the context of marketing measures of purchase processes that you have not yet completed. If you have not yet purchased a ticket from us, we will process your data on the basis of your consent according to Art. 6 Para. 1 Sentence 1 lit. a) GDPR. If you have already purchased a ticket from us, we process your personal data provided in previous order processes due to our legitimate interest in carrying out marketing measures on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

2.10 FanBonus

1. If you register for our FanBonus, you receive a refund depending on ticket sales (see FanBonus Terms and Conditions after login: https://www.eventim.de/en/fanbonus/terms).

2. We process your personal data from your orders and your annual turnover with us from the previous year for the purpose of executing a contract with you, on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR.

2.11 Fan reports

1. After visiting a venue or event, you can write a review on our websites. Your review is taken in a separate form in which you are asked to provide further personal data in addition to your rating (e.g. name and email address). Your fan report will be published under your chosen name, which you can enter voluntarily; anonymous publication is also possible. We process your data to publish your review on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR.

2. For fan reports, we work together with Bazaarvoice Inc, 10901 Stonelake Blvd, US, on whose servers the submitted reviews are stored. The data transfer to the US is based on EU standard contractual clauses. This ensures adequate protection of your personal data. For more information, you can read Bazaarvoice s privacy policy at the following link: https://www.bazaarvoice.com/legal/privacy-policy/

2.12 Customer surveys

1. To continuously improve our products and services and adapt them to your needs, we regularly invite our customers to participate in customer surveys. In doing so, we will use the information you provide during the purchase process (Sections 2.4, 2.5, 2.6 and 2.7) or during customer care requests (2.16) to contact you.

2. To continuously improve our customer service, you can voluntarily give us feedback on your satisfaction via a smiley as part of your customer service requests (section 2.16). You can then also voluntarily take part in an anonymous and more detailed survey, to which you will be automatically forwarded.

3. Due our legitimate interest in improving our products and services, we process your personal data on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR. You can object to this processing at any time (Section 5).

4. When you receive our customer surveys, we analyse and document whether you open the cus-tomer surveys and how you use it. In doing so, we process your personal data on the basis of our legitimate interest in designing our customer surveys to meet your needs, on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

2.13 Information e-mails, mailings and newsletters

1. If you visit our websites for information purposes only (Section 2.1) or if you create a customer account (Sections 2.2 and 2.3), you can register for our newsletter. If you would like to be informed as soon as your favourite artists and events are scheduled, you can register for our ticket alert and our waiting list or possibly a ticket sales registration. If you have created a customer account and have given consent, we will send you information about artists, venues and events that you have marked your favorites, bookmarks and ticket sales registration. Via the newsletter and the ticket alert to favorites and bookmarks as well as the waiting list newsletter, we inform you about products and services and also advertise them, if necessary, personalised. In doing so, we process your personal data on the basis of your consent as defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR.

2. If you have purchased a ticket from us (Section 2.4) or have won tickets as part of our competitions (Section 2.15), we may send you information e-mails in order to inform you, for example, about the directions, parking spaces and specifications of the promoter (such as bag size). For this purpose, we process your personal data for the purpose of contract execution on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR.

3. After purchasing a ticket, we send you individual mailings about similar events, services and promotions (by post in some cases) as well as birthday e-mails. We will send these individual mailings regardless of whether you have subscribed to a newsletter. Due to our legitimate interests in informing you about changes to our products and services, in advertising our products and services and in carrying out marketing measures, we process your personal data on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

4. After your order has been placed, we will send you an order confirmation by e-mail. We process your personal data for this purpose on the basis of our legitimate interests within the meaning of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

5. When you subscribe to our newsletter and electronic mailings we analyse and document whether you open and how you use them. We process your personal data on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR to pursue our legitimate interest of structuring our newsletter and mailings in accordance with your needs and to improve the range of our marketing campaigns.

6. In individual cases, you have the option on our websites to subscribe to newsletters and mailings (by post in some cases) from certain promoters, their service providers or other third parties (possibly based in a third country) by giving the corresponding consent. For this purpose, your personal data will be transmitted to the relevant promoter, its service providers or other third parties and processed by them under their own responsibility under data protection law. Your personal data will be processed on the basis of your consent defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR.

2.14 Personalisation

1. When you visit our websites and mobile apps, we collect data with your consent and link it to information that you provide to us, for example during the purchase process or when registering for our information channels (e.g. Eventim-News), in order to create and enrich pseudonymised user profiles and create target group segments on their basis. The profiles and target group segments are used for analysis purposes and to show you more personalised and interesting information on our websites, mobile apps, in the newsletter and on other communication channels (e.g. online advertising activities on third-party sites). This provides you with more personalised and interesting content (see sections 2.1.2, 2.1.3, 2.1.4 and 2.13). This also includes the use of these profiles to carry out online advertising activities for third parties such as event organisers. For this purpose, we collect and process:
- Information on the visit path
- Search behaviour on our websites and apps
- Order and shopping basket data (incl. order number)
- Personal settings, such as Eventim favourites and bookmarks, ticket alerts, etc.
- Geoinformation derived from shortened IP address
- Browser and device information (user agent)
- Pseudonymised IDs such as cookie IDs, mobile ad identifiers, hash values from email addresses and customer numbers

The user profiles and target group segments created are transferred to our systems for onsite design, online advertising activities and newsletter or direct marketing communication (see sections 2.1.2, 2.1.3, 2.1.4, 2.13).

2. The creation of profiles and target group segments and their use is based exclusively on your consent within the meaning of Art. 6 Para. 1 Sentence 1 lit. a) GDPR. If you do not wish to receive any personalised content, you can change this at any time with effect for the future. To do so, revoke the consent you have given in the: Cookie Settings and your consent for EVENTIM news.

3. We use Zeotap GmbH ("Zeotap") to link your information on the basis of generated pseudonymised IDs. The pseudonymised IDs include, for example, the hash value created from your email address that you have stored in your customer account. In hashing, the email address is converted into an unchangeable alphanumeric value or hash value using a protected encryption process. The encryption process ensures that the same hash value is always generated for an individual e-mail address. This value in turn cannot be converted back into the original e-mail address.

4. Your data is processed and stored by Zeotap within the EU. In individual cases, Zeotap India Private Ltd. may access the data for technical support. This data transfer takes place on the basis of EU standard contractual clauses. This ensures adequate protection of your personal data. Further information can be found at https://zeotap.com/privacy-policy/.

2.15 Competitions

You can participate in various competitions on our websites and social media platforms. For this, we process your personal data to conduct the competition and to advertise our events. Your personal data is processed for the purpose of executing the contract with you and due to our legitimate interest in carrying out marketing measures, on the basis of Art. 6 Para. 1 Sentence 1 lit. b) and f) GDPR.

2.16 Customer Service

1. If you have any questions about events, your purchase (for example your ticket purchase), your customer account, our chatbot and live chat or other EVENTIM products and services, if you wish to exercise your rights under this information on data protection or if you wish to make a complaint, you can contact us (see contact details under Section 1.2).

2. Depending on the subject of your request, we may use your personal data stored in our systems in the course of other data processing (e.g. data that you have provided when purchasing tickets) to answer your questions. If and to the extent necessary to answer your inquiry, we also collect data from external sources (e.g. inquiry with the shipping service provider in the context of a shipment tracking or a request for investigation).

3. Your personal data are processed for the purpose of executing the contract with you on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR. If you exercise your rights towards us, we process your personal data for the purpose of fulfilling a legal obligation on the basis of Art. 6 Para. 1 Sentence 1 lit. c) GDPR. If you wish to inform yourself about our products and services or to make a complaint, we process personal data due to our legitimate interests in carrying out marketing measures and responding to your complaint on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR. In addition, based on our legitimate interest, we process your personal data to ensure efficient, fast and high-quality customer service. We also use automated systems to help us process customer requests. These systems help us with the pre-qualification, prioritisation and partially automated response to customer requests.

4. If you send us health data within the scope of your inquiry (e.g. information that you have a severe disability), we process this personal data only and insofar as this is necessary to answer your request and you have given us your express consent for this as defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR.

5. We are available to you with our customer service chatbot and live chat. You will receive answers to your booked events, your account and many other topics via the chatbot and live chat. Depending on the subject of your inquiry, we and our service provider Novomind AG process your personal data after authentication by means of a login (e.g. order data) or checking a selection of your personal data. Cookies are placed for the technical functioning of the chatbot and live chat. The placement of cookies is based on your consent within the meaning of Art. 6 Para. 1 Sentence 1 lit. a) GDPR. To answer your inquiries, we process your personal data for the purpose of contract fulfilment on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR and on the basis of our legitimate interest in automated, effective customer service (Art. 6 Para. 1 Sentence 1 lit. f) GDPR). The customer care chatbot processes personal data using artificial intelligence.

2.17 Reversed transactions on tickets

1. If necessary, it comes to a reversed transaction of your order. Your personal data will be processed on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR.

2. If you have not purchased your ticket from us yourself, but received it as a gift from the buyer, for example, and now send in the ticket due to the cancellation or relocation of the event, we process the data that you as a different sender provide us with informally or via the form on our website. We process your personal data for the purpose of returning your ticket and making a refund on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR.

3. If you have provided special personal data as defined in Section 2.4.6 on yourself or a third party when purchasing a ticket, we process this data for the purpose of reversing the ticket transaction on the basis of your consent as defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR. Section 2.4.6 applies accordingly.

2.18 Dunning, collection and enforcement and defence of legal claims

1. In the case of outstanding receivables to us, we notify you by e-mail, SMS, post or telephone and, if necessary, send you a reminder. If and to the extent that no payment is made by you as a result, a collection procedure is initiated. If and to the extent that no payment is made by you as a result, a collection procedure is initiated.

2. The collection procedure is carried out by a collection service provider commissioned by us. As far as this is necessary for the execution of the collection procedure, the collection service provider carries out address investigations and accesses public registers for this purpose.

3. We process your personal data for the purpose of executing and processing the contract with you on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR and due to our legitimate interests in preventing misuse of our services and enforcing our legal claims, including collection, on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

4. We process your personal data to enforce and/or defend our rights or the rights of third parties (e.g., sports clubs and associations etc. for the purpose of prosecuting violations of their ticket terms and conditions). If and insofar as this is necessary to enforce and/or defend our rights or the rights of third parties, we also use data from other sources (e.g., public registers) for this purpose. We process your personal data due to a legal obligation on the basis of Art. 6 Para. 1 Sentence 1 lit. c) GDPR and due to our legitimate interest in safeguarding, enforcing and/or defending our legal interests or the interests of third parties on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

2.19 Other processing

2.19.1 Performance of internal audits and compliance

1. If we implement compliance programs and measures, for example to implement the requirements of the German Corporate Governance Code (DCGK) and to identify and correct misconduct, corresponding processing of your data may also occur. Additionally, your personal data can be processed within the Eventim Group in Germany and abroad in connection of internal audits.

2. We process your personal data to comply with our statutory obligations, on the basis of Art. 6 Para. 1 Sentence 1 lit. c) GDPR. In addition, due to our legitimate interests in reviewing the processes and efficiency in the group of companies, correcting any misconduct and preventing fraud and, if necessary, in enforcing and/or defending our rights, we process your personal data on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

2.19.2 Preparation of analyses

On the basis of your data, which we process as defined in Section 2 of this information on data protection, we may prepare analyses. These serve as the basis for business decisions to improve our products and services and adapt them to the needs of our customers. Due to our legitimate interest in improving our offer, we process your personal data on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR. The analyses created on this basis no longer contain any personal references, meaning it is no longer possible to draw any conclusions about your person.

2.19.3 eventimcard application

1. Once you file an application for an eventimcard - a free of charge Mastercard Gold provided by Advanzia Bank S.A., 9, Rue Gabriel Lippmann L-5365 Munsbach, Luxembourg - under https://www.eventim.de/campaign/eventimcard, your personal data, i.e. salutation, name, surname, nationality, address, email address, mobile phone number, date and place of birth, as well as your IP address, will be processed for providing the requested credit card and the ensuing contractual communication according to Art. 6 Para. 1 Sentence 1 lit. b) GDPR. Your data will be provided to Advanzia Bank S.A. to check your application and, in case of approval, providing the card and performing the contractual relationship. Providing the said personal data is voluntary, although not providing any of the data will prevent a contract from coming into force.

2. Furthermore, you may register for our newsletter for exclusive offers and specials for eventimcard holders, and offers from EVENTIM; Section 2.13 is applied accordingly.

3 Storage and erasure of your personal data

1. We store your personal data for as long and as far as it is necessary for the purposes for which they are processed (Section 2).

2. As soon as the data is no longer required for the purposes stated in Section 2, we store your personal data for the period in which you can assert claims against us or we against you (statutory limitation period usually of three years, beginning at the end of the year in which the claim arises; e.g. at the end of the ticket transaction).

3. In addition, we store your personal data for as long as and insofar as we are legally obliged to do so. Corresponding proof and storage obligations result, inter alia, from the German Commercial Code and the German Fiscal Code (e.g. Section 257 HGB; Section 147 AO). The retention period is up to ten years.

4 Categories of recipients of personal data

1. When providing, implementing and managing our products and services, we collaboratively transfer your personal data to companies within the EVENTIM Group as part of an work-sharing process. The transfer is based on our legitimate interest in carrying out internal administrative activities efficiently and collaboratively, for fraud prevention to ensure the security of our customer accounts, as well as in improving our products and services on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

2. If you purchase tickets on the websites of our partners, we will in some cases transfer your personal data to them for marketing purposes. Furthermore, as part of affiliate marketing, our network partners (AWIN, Partnerize, Tradedoubler) may receive pseudonymous information for this purpose. The processing is based on your consent within the meaning of Art. 6 Para. 1 Sentence 1 lit. a) GDPR.

3. When you purchase tickets on the websites of our special cooperation partners (Section 2.7), we process your personal data as joint controllers with our partners. On the basis of the agreement concluded with our partners (Art. 26 in conjunction with Art. 6 Para. 1 Sentence 1 lit. b) GDPR), we transfer your personal data for the purpose of contract execution and, if applicable, processing with you on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR. Our cooperation partners also use the personal data to organise the event for which tickets were purchased and to send emails for information and marketing purposes. This is done on the basis of the cooperation partner s legitimate interest in providing purchasers of an event with relevant information about the event as well as communications when the same or similar event to the one for which a ticket was purchased takes place. Your personal data is processed on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR.

4. If you purchase our products and services on our websites or register for newsletters, we will transfer your personal data to Eventim Media House GmbH for the purpose of carrying out advertising measures if you give us your consent to do so within the meaning of Art. 6 Para. 1 Sentence 1 lit. a) GDPR.

5. If you purchase tickets our websites via our loyalty partners or on the websites of our loyalty partners who have integrated our online shop, we transfer personal data to them as part of the bonus programmes. Your data is transferred when you purchase a ticket, so that the Loyalty Partner can assign the purchase to a specific person, the customer. The customer then receives bonus points (such as Miles and More, PAYBACK, etc.). We transfer your data for the purpose of executing and, if necessary, processing the contract with you on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR.

6. If you subscribe to newsletters from certain promoters, their service providers or other third parties on our websites, we will transmit your personal data to the respective promoter, its service provider or other third parties. Your personal data will be processed on the basis of your consent defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR.

7. In addition to this, your personal data is transferred to service providers who provide the platforms, databases and tools for our products and services (e.g. our website, the sale of tickets, sending of newsletters and information e-mails), create analyses of user behaviour on our websites, display marketing campaigns and process your personal data on our behalf as part of ticket purchases. The transfer of your personal data takes place for the purpose of contract execution with you on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR, due to our legitimate interest in improving and promoting our products, on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR and provided that you have given us your consent within the meaning of Art. 6 Para. 1 Sentence 1 lit. a) GDPR for the processing of your personal data.

8. When you purchase a ticket on our websites, we offer you various payment options. For the processing of the payment and, if necessary, a refund of the purchase price, we transfer your personal data to banks, payment service providers, financial service providers and credit card companies, depending on the selected payment method. We transfer your personal data for the processing of your ticket purchase and, if necessary, the reverse transaction on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR. In addition, we may also transfer your personal data to credit agencies to check your creditworthiness (see Section 2.8). The transfer is made to execute the contract with you on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR and due to our legitimate interest in avoiding payment defaults on your part, according to Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

9. If we send you your ticket or merchandise by postal services, we transfer your personal data to shipping service providers. The transfer takes place for the purpose of contract execution with you on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR.

10. If you fail to meet your payment obligations, we initiate a collection procedure (Section 2.18). For the execution of the collection procedure, we transfer your personal data to collection service providers who carry out the procedure for us. We process your personal data for the purpose of executing and processing the contract with you on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR and due to our legitimate interests in enforcing our legal claims, including collection, on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

11. In the context of legal disputes, we transfer your data to the competent court and, if you have appointed a lawyer, to him/her to carry out the legal dispute. We process your personal data on the basis of a legal obligation on the basis of Art. 6 Para. 1 Sentence 1 lit. c) GDPR and due to our legitimate interest in representing, enforcing and / or defending our legal interests, on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

12. We are entitled to transfer your personal data to the Event Organizer if there is a suspicion that you have violated the Organizer's general terms and conditions, so that the organizer can take legal action or assert other legal claims against you. The processing of your personal data is carried out for the purpose of implementing and executing the contract on the basis of Art. 6 Paragraph 1 Sentence 1 lit. b) GDPR as well as on the basis of the legitimate interests of the respective organiser for the purpose of legal prosecution on the basis of Art. 6 Paragraph 1 Sentence 1 lit. f) GDPR.

13. For some events we create so-called guest lists on behalf of the respective organizer and transmit them to the organizer so that he can carry out the allocation of seats and take into account menu requests. If you take part in our competitions (Section 2.15), we transmit the personal data of the winner to the respective promoter of the competition for this purpose. We transfer your personal data for the purpose of contract execution with you and with our contractual partners on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR. If and as far as this is necessary for the event, we also transfer health data (e.g. information on allergies at food events), if you have provided this information when purchasing a ticket and given us your consent for the transfer of the data as defined in Art. 6 Para. 1 Sentence 1 lit. a) GDPR.

14. Information e-mails, mailings and newsletters (Section 2.13) are sent by service providers commissioned by us and, in some circumstances we may analyse and document your use of them. For this purpose, we transfer your personal data to the service providers. In doing so, we process your personal data as follows:

- If you give us your consent to send you newsletters when visiting our websites for information purposes only (Section 2.1) or when creating a customer account (Sections 2.2 and 2.3), we transfer your data on the basis of your consent within the meaning of Art. 6 Para. 1 Sentence 1 lit. a) GDPR.

- After purchasing a ticket (Sections 2.4, 2.5 and 2.7) or after successful participation in a competition (Section 2.15), we transfer your personal data in order to provide you with information on the event, for the purpose of executing the contract with you on the basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR.

- In addition, after purchasing a ticket (Sections 2.4, 2.5 and 2.7) or after participating in one of our competitions (Section 2.15), we transfer your personal data to inform you about changes to our products and services and to promote our products. The transfer of your personal data occurs due to our legitimate interest in carrying out marketing measures, on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

- In order to analyze the use of our newsletter and mailings, we transmit your personal data on the basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR to pursue our legitimate interest of structuring our newsletter and mailings in accordance with your needs and to improve the range of our marketing measures.

15. We conduct customer surveys and customer evaluations. For this purpose, your contact details are sent to our mailing service providers, via whom we invite you to our surveys and evaluations. We process your personal data on the basis of our legitimate interest in improving our products and services on the basis of your evaluation and conducting surveys and evaluations efficiently, on the basis of Art. 6 Para. 1 Sentence 1 letter f) GDPR.

16. If we transfer data to recipients in a third country (located outside the European Economic Area), you can find a description under section 2. Some third countries are certified by the European Commission through so-called adequacy decisions to have a data protection standard that is comparable to the level in the European Economic Area. A list of these countries can be found here (https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). If a country does not have a comparable data protection standard, we ensure that data protection is adequately guaranteed by other measures, e.g. by means of standard contractual clauses of the European Commission for the protection of personal data (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914&qid=1694511844343) or binding internal data protection regulations (so-called Binding Corporate Rules).

17. Beyond this, we transfer your personal data only and insofar a legal obligation exists on our part to pass it on. The transfer takes place on the basis of Art. 6 Para. 1 Sentence 1 lit. c) GDPR (e.g. to the police authorities in the context of criminal investigations or to the data protection supervisory authorities).

5 Justified interests in data processing and objection

1. We process your personal data as defined in Section 2 due to our legitimate interests particularly in ensuring IT security on our websites, carrying out analyses and marketing measures, informing you about our products and services, increasing the scope of our products and marketing measures, preventing fraud and misuse, avoiding payment defaults, representing, enforcing and defending our legal interests (possibly also in court) and carrying out internal administration efficiently and collaboratively.

2. To the extent, we process your personal data on the basis of these legitimate interests (Art. 6 Para. 1 Sentence 1 lit. f) GDPR), you have the right to object at any time to the processing of your personal data on grounds relating to your particular situation. Notwithstanding the above, in cases of direct advertising (such as newsletters or retargeting measures) you have the right to object at any time to the processing of your personal data without giving reasons. We will then no longer process your data for this/these purpose(s) unless our legitimate interests in processing overweight or the processing serves to establish, exercise or defend legal claims. Please send your request to:

- by e-mail to kundenservice@eventim.de,
- by tel. to +49 (0) 421 - 20 31 55 11 or
- in writing to CTS EVENTIM AG & Co. KGaA, Data Protection, Contrescarpe 75-A, D-28195 Bremen, Germany.

3. If you object to the data processing according to Section 5.2, we process your personal data collected in this context to answer your inquiry. Your personal data is processed in order to fulfil a legal obligation on the basis of Art. 6 Para. 1 Sentence 1 lit. c) GDPR.

6 Consent and revocation of your consent

1. If you have given us your consent for the processing of your personal data, you can revoke this at any time. The revocation of your consent is effective for the future. The legality of the processing of your personal data up to the time of revocation remains unaffected.

Your consent to the use of your email address for the purpose of advertising or market or opinion research can be revoked independently in the login area "My EVENTIM". To log out of all subscribed email services, please log in to "My EVENTIM" and select "Unsubscribe" on the page "Newsletter & Ticket Alarm" in the bottom section:

https://www.eventim.de/en/?fun=page&pagename=mycustomerdata

Otherwise, please address your revocation:

- by e-mail to kundenservice@eventim.de,
- by tel. to +49 (0) 421 - 20 31 55 11 or
- in writing to CTS EVENTIM AG & Co. KGaA, Data Protection, Contrescarpe 75-A, D-28195 Bremen, Germany.

2. If you revoke your consent, we will process your personal data collected in this context to respond to your inquiry. Your personal data is processed in order to fulfil a legal obligation on the basis of Art. 6 Para. 1 Sentence 1 lit. c) GDPR.

7 Your rights

1. You may at any time, in accordance with the GDPR, request that we

- provide you with information about the personal data concerning you that we process (Art. 15 GDPR),
- rectify any personal data concerning you that is inaccurate (Art. 16 GDPR) and/or
- erase (Art. 17 GDPR), block (Art. 18 GDPR) and/or release (Art. 20 GDPR) your personal data stored by us.

2. Please send your request:

- by e-mail to kundenservice@eventim.de,
- by tel. to +49 (0) 421 - 20 31 55 11 or - in writing to CTS EVENTIM AG & Co. KGaA, Data Protection, Contrescarpe 75-A, D-28195 Bremen, Germany.

3. If you assert your rights against us, we process your personal data collected in this context to answer your inquiry. Your personal data is processed in order to fulfil a legal obligation on the basis of Art. 6 Para. 1 Sentence 1 lit. c) GDPR.

4. Without prejudice to your rights under Section 7, you may lodge a complaint with a data protection supervisory authority if you believe that EVENTIM's processing of personal data concerning you is in breach of the GDPR (Art. 77 GDPR).

8 Other

1. The provisions of this information on data protection (available free of charge on our websites), including the cookie information of CTS EVENTIM AG & Co. KGaA (available free of charge on our websites) apply in the version valid at the time of use of our websites.

2. We reserve the right to supplement and amend the content of the information on data protection. The updated data protection information is valid from the time it is published on our websites.

9 Contact details of the Data Protection Officer

Please direct any questions regarding data protection to:

Data Protection Officer
CTS EVENTIM AG & Co. KGaA
Contrescarpe 75-A
D-28195 Bremen
Germany
E-mail: datenschutz@eventim.de

Cookie information Websites

Scope of application

This cookie information provides more specific data protection information as required by Section 2.1.6 about the use of cookies and similar technologies on websites of CTS EVENTIM AG & Co. KGaA and affiliates of CTS EVENTIM AG & Co. KGaA as defined by Sec. 15 AktG [“Aktiengesetz”: German Stock Corporation Act] (referred to here as “EVENTIM”, “we” or “us“).

General information on cookies

Cookies and similar technologies can be small text files which are saved in the browsers of your end devices when you visit our websites. Cookies can save and track your actions and settings in our websites for the duration of the browser session and, in some cases, beyond this. Cookies and similar technologies also enable the recognition of your browser. For instance, after leaving the website, the content of your shopping basket is reconstructed or events recently viewed are displayed again.

Types of cookies

First-party
On the one hand, we use first-party cookies, i.e. cookies placed by our server on our websites and which can only be accessed via our server.

Third-party
On the other, our websites also incorporate third-party cookies and similar technologies which are placed by servers of others and/or our websites or domains and that can be read by third parties. With these technologies, your browser can be tracked beyond our website, for instance so as to be able to display EVENTIM advertisements on the websites of our partner companies.

Storage period

Session
Some of the cookies and similar technologies we use are session-based cookies, i.e. cookies and similar technologies which are only stored for the duration of your visit to our websites.

Persistent
We also use persistent cookies and similar technologies which stay saved on your browser after the session and are automatically deleted after a predefined expiry date.

Purposes

Essential
These cookies and similar technologies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Statistical and Comfort
These cookies and similar technologies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you deactivate these cookies and similar technologies, then some of our services may not function properly.

Marketing
These cookies and similar technologies may be set through our site websites by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you deactivate these cookies, you will experience less targeted advertising. For further information on marketing cookies and similar technologies used to display personalised advertising and content via the IAB TCF, please refer to Section 2.1.5.

External media contents
These cookies and similar technologies allow third-party embedded media content to load on our websites and let us display it for you. If you disable this category, the embedded media content will no longer be displayed to you.

Cookie settings

Via your browser settings you can limit or completely prevent the storage of (certain) cookies and similar technologies for all websites and delete any cookies and similar technologies that have already been saved. For more information about this please consult the instruction manual or help functions of your browser.
Our websites can in principle still be visited and used after restricting/deactivating cookies and similar technologies in the browser settings. However, please note that in particular the complete deactivation of cookies can limit the functionalities of our websites.
You can prevent future collection of your data when visiting our websites by clicking on the following link and changing your settings there: Cookie Settings

As of: 24.03.2026

To save the Information on Data Protection, please click on the following link using the right mouse button and then select "Ziel speichern unter..." or "Save target as...". Open Information on Data Protection as PDF