Data protection regulations

for the website: https://www.popboard.nrw/, which is operated by PopBoard NRW UG (haftungsbeschränkt), Klever Straße 23 in 40477 Düsseldorf, Germany

Responsible within the meaning of the GDPR, data protection in general:

Responsible within the meaning of the General Data Protection Regulation (GDPR) and for compliance with other data protection regulations is the:
PopBoard NRW UG (haftungsbeschränkt)

represented by the managing directors Anna-Kathrin Dietrich and Till Skoruppa

Klever Straße 23

40477 Düsseldorf

mail@popboard.nrw

Data Protection Officer:

Our company does not have a data protection officer and does not require one in accordance with Section 38 BDSG.

General information:

We take the protection of personal data very seriously. We comply with the statutory data protection regulations when operating our website. We want you to know when we collect, process and use which data and what rights you have with regard to the use of your data.

Personal data is information that can be used to identify you. This includes information such as your name, address, postal address, telephone number, IP address and e-mail address. It does not include information that is not associated with your identity (such as the number of users of the website). In principle, you can use our website without disclosing your identity, i.e. without actively entering personal data. In the areas where you can enter personal data (e.g. newsletter subscription, contact form), you will be informed separately of the data protection provisions, or you must even agree to them when subscribing to the newsletter. When using our Pop-Map NRW, please note the special provisions below the Pop-Map NRW, where there is also a note in our cookie banner with the consent option.

Our website does not store any information regarding your digital path to us, i.e. data that you normally provide automatically when you visit a website (e.g. date and time of access, URL, browser, operating system, Internet service provider and including your IP address) as well as any information that you access via our website (so-called log files). Our hosting provider “DomainFactory” https://www.df.eu/de/ offers log files as an option. For domains that were ordered after February 8, 2010, such as ours, the creation and provision of log files by “DomainFactory” is deactivated by default. For our website, the creation and provision of log files was therefore already deactivated and we have not activated it manually. This means that no log files are generated when you visit our website.

Legal bases according to the GDPR

We are obliged to inform you of the legal basis for the processing of personal data: In principle, we may only collect and process your personal data with your consent, Art. 6 para. 1 lit. a GDPR, unless prior collection is not possible or the law has provided for exceptions (see below). We process the personal data collected about you for the fulfillment of a contract or a contract initiation relationship. The legal basis is Art. 6 para. 1 lit. b GDPR. Further legal bases for the processing of personal data are the fulfillment of our legal obligations, Art. 6 para. 1 lit. c GDPR, or the protection of your vital interests or those of another natural person, Art. 6 para. 1 lit. d GDPR. We may also process personal data if our company has a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, if your interests, fundamental rights and freedoms do not outweigh our interests in a balancing exercise.

Server location, security

We store your data on specially protected servers in Germany. The servers of “DomainFactory” are located in high-performance data centers in Strasbourg (France) and Cologne (Germany); both locations meet professional requirements. Nevertheless, we have deliberately opted for the Cologne location in Germany in order to guarantee you the highest possible protection with regard to the avoidance of data transfers abroad. We are continuously improving our security measures in line with technical developments, e.g. our website is SSL-encrypted: https://www.popboard.nrw/. Apart from the special cases regulated in these data protection provisions, your data will only be stored, processed and used to contact you or if we enter into a contractual relationship of any kind with you.

We must also point out that data transmission on the Internet is (generally) associated with security risks and that complete protection of data against access by third parties can therefore not be guaranteed. Please ensure that your data and your end device are protected against unauthorized access by third parties and that you always use the latest security software.

Contact possibility, contact form

You can get in touch with us by using our contact form or the contact details provided in the legal notice. In our form, we have separated voluntary information from mandatory information. If you click on the e-mail address mail@popboard.nrw or awareness@popboard.nrw, your e-mail program will automatically open due to the “Mail-To-Function” and you can send us an e-mail. Of course you can also contact us by post. The type and scope of your information is always voluntary. We will delete your message and your personal data once we have replied to your message, unless we enter into a contractual relationship with you, in which case we will store the messages in accordance with the general regulations (see also below under Duration of data storage, Data deletion). The purpose of data collection is to process your request; the legal basis is Art. 6 para. 1 lit. f GDPR (our legitimate interest), or Art. 6 para. 1 lit. b GDPR for the contract initiation relationship. Revocation of the processing of personal data is possible at any time at mail@popboard.nrw and leads to the deletion of all data. Statutory retention obligations remain unaffected by this.

Disclosure of personal data to third parties

We do not pass on your data to third parties without your express consent, but please note that it is in your interest to exchange data generated from the integrated form of the Pop Map NRW, see below.

General data protection provisions regarding our social networks “Instagram”, “Facebook”, “LinkedIn”, “YouTube”

We would like to point out that we use the social networks “Instagram”, “Facebook”, “LinkedIn” and the video platform “YouTube”. Links will take you to the aforementioned platforms. The references to our social networks are all designed as links and not as plugins. In contrast to a link, a plugin would immediately transmit information to the respective server of the social network provider when you access our website with the relevant plugin. In order to make “YouTube” as data-secure as possible for you, we use “WP youtube lyte.” WP youtube lyte works in such a way that it only embeds a thumbnail of the video (often only one image). YouTube is only displayed or accessed when you click on the thumbnail, so you decide for yourself. Only if you follow the link on our website by clicking on it will your browser automatically establish a direct connection to the social network provider’s servers, even if you do not have a profile there or are not logged in. The platforms then receive the information that your browser (including your IP address) has accessed the corresponding page of our website; this is transmitted to the server of the respective operator and stored there. If you have a profile and are logged in, the platform in question can directly assign the visit to our website to your profile and save it. If you want to prevent the social platforms from directly assigning the data collected via our website to your profile, you must log out of the platforms before visiting our website. This does not affect anonymized “insights” that we receive, i.e. statistical information about, for example, the visitors, reach, etc. of our social networks. You can also completely prevent the plugins from loading with add-ons for your browser. We base our legitimate interest on Art. 6 para. 1 lit. f GDPR in order to increase our public profile, in particular to draw your attention to the added value of our social networks, in which we can react more quickly to current events and, if necessary, to perfect our social profiles based on the analysis results.

Facebook is operated by Meta Platforms, Inc. (until October 2021 Facebook, Inc.), 1601 Willow Road, Menlo Park, California, 94025, USA (“Facebook”). Facebook uses Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, for the services offered here (data protection). For more information on the purpose, scope and processing of data collection and information on the settings options for protecting your privacy, please refer to Meta’s privacy policy: https://www.facebook.com/privacy/policy/

Instagram is operated by Meta Platforms, Inc., 1601 Willow Road, Menlo Park, California, 94025, USA (“Instagram”). Instagram uses Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, for the services offered here (data protection). You can find out more about Instagram’s privacy policy at the following link: https://about.instagram.com/de-de/safety and https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect.

LinkedIn is operated by LinkedIn Corporation 2029 Stierlin Ct, Mountain View, CA 94043, USA. LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland (“LinkedIn”) is responsible for data processing in Europe. You can find out more about LinkedIn’s privacy policy at the following link: https://de.linkedin.com/legal/privacy-policy?

YouTube is provided by the company Google LLC, D/B/A YouTube 901 Cherry Ave, San Bruno, CA 94066, USA. Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, is responsible for data processing in Europe (“YouTube”). For information on the purpose, scope and processing of data collection as well as information on the settings options for protecting your privacy, please refer to YouTube’s privacy policy https://www.youtube.com/intl/ALL_de/howyoutubeworks/user-settings/privacy/ (these are redirected to Google’s privacy policy): https://policies.google.com/privacy?hl=de.

Use of Google Fonts (locally integrated)

We also use Google Fonts from Google. Google is operated by the company Google LLC, D/B/A YouTube 901 Cherry Ave, San Bruno, CA 94066, USA. Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, is responsible for data processing in Europe. We use this service on the basis of our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in order to present our website to you in a good and uniform way. You can find Google’s privacy policy at: https://policies.google.com/privacy?hl=de. However, when you visit our site, your IP address is not transmitted to Google and the web fonts are not loaded into your browser cache because we have installed Google Fonts locally. This means that the fonts of the website are no longer loaded via Google’s servers; instead, they are hosted locally on our own website.

Use of the mailing service provider (newsletter provider) “CleverReach”

We have decided to use the newsletter provider “CleverReach” to send and analyze our newsletter. This service is offered by CleverReach GmbH & Co KG, Schafjückenweg 2, 26180 Rastede in Germany. It was important to us that the provider’s servers are located in the EU.

CleverReach enables us to analyze your usage behavior so that we can adapt our newsletter to your wishes and needs, e.g. whether you have opened our newsletter at all or whether you have used a link. Conversion tracking allows us to track your behavior even further, e.g. whether you have taken further action after following the link. We can define this further tracking as part of conversion tracking in advance, whereby we always observe data minimization.

You can find more information about the analysis functions here: https://www.cleverreach.com/de-de/newsletter-tool/newsletter-reporting/ or about the general use of data by CleverReach here: https://www.cleverreach.com/de-de/datenschutz/. We comply with the requirements of the GDPR, https://www.cleverreach.com/de-de/datenschutz-und-sicherheit/eu-dsgvo/, in particular we have concluded an order processing contract with CleverReach.

CleverReach uses world-class, highly secure data centers that employ state-of-the-art electronic monitoring and multi-factor access control systems. The data centers have undergone independent certifications and audits. They have received DIN ISO/IEC 27001 certification and have been confirmed as a Level 1 service provider for the credit card industry’s data security standard (DSS/PCI). They also undergo annual SOC 1 audits and have been successfully confirmed at “Moderate” level for US government systems and at DIACAP level 2 for DoD systems, see https://www.cleverreach.com/de-de/datensicherheit/.

Your data, or the analyzed activities, are stored for between 3 and 6 months, depending on the number of newsletter recipients, see here: https://support.cleverreach.de/hc/de/articles/202372941-Wie-lange-speichert-CleverReach-die-Aktivit%C3%A4ten-.

You can delete your data at any time by canceling or unsubscribing from the newsletter, including the e-mail address as part of your registration. You will find a corresponding unsubscribe function or link in every newsletter.

The mailing service provider CleverReach is used in accordance with Art. 6 para. 1 lit. a GDPR if you have given your consent as part of our newsletter subscription. Otherwise, it is used on the basis of Art. 6 para. 1 lit. f GDPR; we base our legitimate interest on our business concern that our newsletters are user-friendly and customer-optimized.

Use of Mapbox as part of our “Pop-Map NRW”

With our pop map we show you the pop structures in NRW interactively. We use the map service “Mapbox” for this. Mapbox is offered by MapBox Inc, 740 15th St NW, Washington, DC 20005, USA. The contents of our pop map are integrated into our website and sent to your browser. When you use the functions of the open source map tool, your IP address is stored and your user behavior is also registered, and this information is transferred to a Mapbox server in the USA and stored there. Access data is also transmitted to Mapbox, such as time of visit, operating system, browser information and location. We have no influence on this data transfer. At the very least, no personal data is transferred to third parties. You can find more information on the handling of user data in Mapbox’s privacy policy (unfortunately only available in English): https://www.mapbox.com/legal/privacy. Mapbox is Privacy Shield certified. On July 16, 2020, Europe’s highest court (the ECJ) declared the EU-US Privacy Shield invalid. Mapbox has responded as follows: https://www.mapbox.com/legal/dpa/. Mapbox uses standard contractual clauses approved by the EU Commission as the basis for data processing for recipients based in third countries or for data transfer to third countries, see Art. 46 (2) and (3) GDPR. These clauses oblige Mapbox to comply with the EU level of data protection when processing personal data outside the EU. These clauses are based on a decision of the EU Commission. You can manage the cookies set by Mapbox in your browser settings (depending on the browser, “Delete and manage cookies”), but you may then not be able to use all the functions of our pop map.

The IP address is deleted after 30 days.

If you have given your consent in the context of our cookie banner, the legal basis is Art. 6 para. 1 lit. a GDPR. The purpose of using Mapbox is in the interest of an appealing presentation of our website and to make it easy to find the venues, festivals, labels, promotion centers, music publishers and distributors, recording studios, music and universities as well as rehearsal rooms indicated by us on the website as part of our pop map. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

Incidentally, no data is transferred abroad.

Transmission of data to (domestic) third parties (showcase.nrw):

Use of the form and provision of personal data as part of our “Pop-Map NRW”

When the form is integrated as part of our “Pop-Map NRW,” your IP address, your browser (user agent) and the time of access are stored and transmitted to the server of https://www.showcase.nrw/. This results from the way the form is integrated into the pop map, namely via so-called inline framing, or “iframing” for short.

showcase.nrw is a joint project of the Landesmusikrat NRW e.V., respectively its project create music NRW, and the VUT West e.V., respectively its project New.Heimat.Sounds.
Contact:
Project management create music NRW: Carsten Schumacher Phone: 0211-86 20 64-36
Project management New.Heimat.Sounds.:
Arnd Sünner Phone: 02241-169 16-30

The personal data specified or requested and entered in the form will also be collected. This may vary depending on the category; mandatory information is marked accordingly. Data is stored on the showcase.nrw server and, in the “Locations” category, is also sent to showcase.nrw by email. If you select “Musicians/Bands”, the data will be sent by e-mail to a selected employee of “PopBoard NRW”. However, this is done securely via a link as follows: Selected employees have access to the backend of showcase.nrw, where the data is stored. For new entries, only a link generated by the backend is sent, which then leads to the release of the data in the backend. No data is stored in these release e-mails. The personal data for the selection “Musicians/Bands” is therefore not sent in an email or as a file. It can only be viewed via the link by means of a personal log-in in the backend of the database. The data protection provisions of the site https://www.showcase.nrw/ also apply; see https://www.showcase.nrw/legal/datenschutz.

Use of cookies, deactivation option, cookie banner

Cookies are used when you use our website. Most browsers are set to accept cookies automatically. However, you can restrict or deactivate the storage of cookies or set your browser to notify you as soon as cookies are sent. You can also delete cookies that have already been saved. Please refer to the operating instructions of your browser manufacturer for information on how to do this. Complete deactivation may, however, restrict the functionality of our website, meaning that you may not be able to use all functions properly. Cookies are small text files that are stored on your computer and saved by your browser in order to present you with the most personalized offer possible, which is why you are free to decide whether to use cookies. If you access our website, the provider’s server may also return the cookie to your browser in addition to the page. The browser then decides, depending on the local settings, whether the cookie is stored on your computer. As pure text files, cookies cannot penetrate your system or cause damage there. The text files are set by the server of a selected website and sent by your browser to the server we use the next time you visit this website.

We use cookies to count page views. A random number – a kind of pseudonym – is set for the user in the form of the cookie, which the server uses to recognize that the request is from the same user, but without obtaining information about the identity or other data of the user. Moreover, such cookies generally only have a lifespan of 24 hours. Most of the cookies we use are so-called “session cookies”. They are automatically deleted at the end of your visit. However, cookies recognize the calling browser even after the end of a session and a new page call and serve to make our website more user-friendly. We do not create any user profiles by using technically necessary cookies.

The legal basis with regard to technically necessary cookies is Art. 6 para. 1 lit. f GDPR and Art. 6 para. 1 lit. f or lit. a GDPR if you give your consent for technically unnecessary cookies in the banner.

When you access our website, a banner appears informing you accordingly, instructing you and asking you whether you wish to consent to applications. We refer to these data protection provisions in our consent banner, i.e. you are informed accordingly and can agree or disagree to the applications described in our data protection provisions (accept, reject or view settings). The banner leaves essential information of our website uncovered.

Data subject rights (right of access, right to rectification and restriction, right to erasure, right to withdraw consent, right to data portability, your right not to be subject to automated decision-making, right to object, right to be informed, right to lodge a complaint with the supervisory authority)

The GDPR strengthens your rights as a data subject when personal data is processed. Exercising your rights is free of charge.

Right to information: Upon request, we are obliged to provide you with information about the personal data stored about you, including the origin of this data, the recipients or categories of recipients, the purpose and the duration of storage or, if applicable, the criteria for it, Art. 15 GDPR.

Right to rectification: Your right to rectification includes personal data that is incomplete or incorrectly collected or processed by us, Art. 16 GDPR.

Right to erasure: You have a right to erasure if personal data has been processed unlawfully, the purpose of the data processing no longer applies, you have withdrawn your consent or objected and there is no other legal basis for the processing, Art. 17 para. 1 GDPR. There is no right to erasure if we are entitled to rely on the exercise of our legal rights, to fulfill a legal obligation, for reasons of public interest, for the delegated exercise of official authority or on the basis of the right to freedom of expression.

Right to restriction: You have the right to restrict the processing of your personal data in accordance with Art. 18 GDPR if you request restriction instead of erasure, if you need your data for your legal claims or if you dispute the accuracy of the personal data.

Right of revocation: You can revoke your declaration of consent for the future at any time, Art. 7 para. 3 GDPR.

Right to data portability: You have the right to data portability, Art. 20 GDPR, to the effect that you receive your personal data in a structured, commonly used and machine-readable format. You also have the right to transfer this data to a third party if necessary.

In accordance with Art. 22 GDPR, your right not to be subject to a decision based on automated processing that significantly affects you applies to automated decisions in individual cases, including profiling. In addition to your consent, an exception may exist if it is necessary within the framework of the contractual relationship or if legal regulations prescribe this and at the same time measures provide you with sufficient protection.

Right to lodge a complaint with the supervisory authority: If you believe that the processing of your personal data violates data protection regulations, in particular the GDPR, you have the right to lodge a complaint with a supervisory authority, Art. 77 GDPR. The competent supervisory authority is the supervisory authority of the place of the infringement you have complained about, your place of work or the member state in which you are resident. Further legal remedies remain unaffected by this.

Separate right of objection: You have the right to object to the processing of your personal data at any time, Art. 21 GDPR, if the processing is based on Art. 6 para. 1 lit. e or f GDPR. You have this right in particular to object to direct marketing.

You can reach us at:

PopBoard NRW UG (limited liability)

represented by the managing directors Anna-Kathrin Dietrich and Till Skoruppa

Klever Straße 23

40477 Düsseldorf

mail@popboard.nrw

If you have exercised your data subject rights against us, you have a right to information to the effect that we will inform all recipients to whom we have disclosed your personal data of the exercise of your data subject rights, Art. 19 GDPR.

Duration of data storage, data deletion

We only store your data for as long as is permitted by the storage period prescribed by the aforementioned standards of the GDPR and/or is necessary for the contact option you may have requested and the processing of the contractual relationship. The storage to secure our own claims, statutory retention and any associated claims for surrender remain unaffected by this. The retention period is 10 years in accordance with §§ 147 para. 1 AO, 257 para. 1 no. 1 and 4, para. 4 HGB, in particular for tax-relevant documents, or 6 years for commercial letters. Otherwise, personal data will be deleted or blocked.

Validity of and changes to data protection provisions

We reserve the right to change the data protection provisions due to legal requirements or the further development of the website. You can view and print out the current data protection provisions on our website at any time.

PopBoard NRW UG, April 2024