Privacy

Studio Hamburg Produktion Gruppe GmbH (hereinafter referred to as “SHPG”) and its subsidiaries (cf. 2.4 {b}) are serious about the protection of your personal data. Trans- parent information relating to the processing of such data will be one of our particularly important concerns. Please find below explanations as to how we will handle the per- sonal data made available by you.

1. Accountability and Data Protection Officer
1.1. Responsibility for the processing of your personal data as described below will – subject to any third- party responsibility pursuant to Par. 2.4 (b) and Par. 3 hereof – rest with Studio Hamburg Produk- tion Gruppe GmbH, Jenfelder Allee 80, 22039 Hamburg, e-mail: produktion@studio-hamburg.de (hereinafter referred to as the “Controller”).
1.2. You will reach by post the competent Data Protec- tion Officer by means of a letter addressed to “Attn. Data Protection Officer” at Studio Hamburg GmbH, the address mentioned above, or by e-mail to be sent to datenschutz@studio-hamburg.

2. Scope and Purposes of, and Legal Foundations for, Data ProcessingController will process personal data within the framework of the applicable statutory provisions; in particular, the EU General Data Protection Regulation (the “GDPR”) and the German Federal Data Protection Act (the “BDSG”).The term “personal data” shall refer to any individual data relating to you personally, or rendering you identifiable.

The performance of a contract will require the provision of the following personal data: name, address, banking infor- mation, telephone number, and e-mail address. To be able to account for your fee in accordance with regulations, we shall also require the information concerning your personal details, as well as social and health insurance, as request- ed in the “Contract Annex – Statement Relating to Social Insurance”. If we are not in possession of these data, we will not be able to conclude and perform the contract with you. Please find below some detailed information about the purposes for which we will be processing personal data.

2.1. Performance of the contract concluded with you
We will store and utilise the personal data you make avail- able to us for the purpose of concluding and performing the contract, with a view to performing the contract concluded between you and Controller.

The foregoing will include the storage and electronic reten- tion of the contract in a contract database and, in addition, the storage and processing of your contact details for the purposes of contacting and corresponding in contractual matters and during the execution of the production to which the contract pertains. The data provided by you in the “Contract Annex – Statement Relating to Social Insurance” will be used by us for our declaration towards the social- insurance fund so that we will be able to account for your fee in accordance with regulations. Furthermore, and de- pending on the subject matter of the contract concerned, we shall in particular be processing personal data within the framework of the performance of a contract in the in- stances set out below:
– accounting for, and paying out, any fees agreed with you or proceeds participation in a production (e.g. in connection with option and literary-purchase agree- ments);
– verifying and controlling compliance with requirements as to rights granted and rights restrictions agreed by you contractually as towards Controller or any other subsidiary of SHPG;
– naming you as a participant within the framework of a production;
– processing of your contact details for the execution of a production; for instance, for the production-related cor- respondence with you, or for the purpose of co- ordinating appointments.
The statutory basis for data processing for the performance of contracts shall be Article 6, Clause 1 (b), of the GDPR.

2.2. Safeguarding of legitimate interests (execu- tion/handling of a production)

Furthermore, Controller will process personal data made available for the conclusion and execution of contracts to the extent that this may pertain to the due and proper exe- cution and handling of the production(s) to which the con- tract with you refers.
The execution and handling of a production are legitimate interests on the part of Controller as a production company and service provider, as well as of any other firms involved in the production. In individual cases, the following types of processing may be necessary for the safeguarding of such interests:
– the storage and utilisation of a contract for the execu- tion of accounting and pay-out of fees agreed with third parties, or proceeds participation in a production (e.g. in connection with option and literary-purchase agree- ments);
– the utilisation of the contract concluded with you as evidence of the rights granted by you in connection with the production as towards third parties, and for re- views and, if applicable, for any defence against poten- tial claims arising from §§ 32, 32a, UrhG [i.e. the Ger- man Copyright Act], as well as for any reversion of rights;
– the storage and disclosure of the contract and your contact details for the execution of a production, includ- ing its forwarding to additional third parties involved in such production (cf. Par. 3.1);
– the processing of your contact details for the execution of the production; for instance, for the production- related correspondence with you, or for the purpose of co-ordinating appointments.
The statutory basis for data processing for the pursuit of legitimate interests shall be Article 6, Clause 1 (f), of the General Data Protection Regulation.

2.3. Compliance with statutory requirements

Controller will be subject to a number of statutory obliga- tions and requirements such as, for instance, retention and notification duties under commercial and fiscal law. It is only insofar as it may be required for compliance by Con- troller with each of the relevant statutory requirements that Controller will be processing your personal data for these purposes as well.

In particular, the foregoing will include the retention by you, for the period prescribed by law, of the invoices made out by you towards Controller, as well as the disclosure by Controller of personal data to regulatory and prosecution authorities in the event of any statutory obligation to such effect. The statutory basis for data processing with a view to ensuring

compliance with statutory requirements shall be Article 6, Clause 1 (c), of the GDPR.

2.4. Instances of data processing with your consent
a) Optionality, and Withdrawal of Consent
To the extent that you have granted us your consent to the processing of personal data for certain purposes, such da- ta processing will be based on that consent. Details as to the contents of a consent will be made availa- ble by Controller in response to an inquiry about such con- sent. Any consent will invariably be given on a voluntary basis, and may be withdrawn at any time. Please find fur- ther information about withdrawal at Par. 6.3. The statutory basis for data processing based on consent shall be Article 6, Clause 1 (a), of the GDPR.

b) Receipt of public-relations services by e-mail
It is only with your consent that Controller, as well as each of the firms mentioned conclusively below and being sub- sidiaries of the Studio Hamburg Produktion Gruppe, will use your name and e-mail address to keep you informed – within the framework of the “Studio Hamburg Produktion Gruppe Press Service” – about productions of the Studio Hamburg Produktion Gruppe, as well as production-related news items relevant to the group of companies, about Stu- dio Hamburg Produktion Gruppe (collectively, “Press Ser- vice Messages”). You will receive Press Service Messag- es from the following

Companies of the Studio Hamburg Produktion Group:
– Studio Hamburg Produktion Gruppe GmbH, Jenfelder Allee 80, 22039 Hamburg;
– LETTERBOX FILMPRODUKTION GmbH, Jenfelder
Allee 80, 22039 Hamburg;
– REAL FILM Berlin GmbH, Köthener Strasse 3, 10963 Berlin;
– Nordfilm GmbH, Büsumer Weg 51, 24106 Kiel;
– Riverside Entertainment GmbH, Jenfelder Allee 80, 22039 Hamburg;
– Doclights GmbH, Jenfelder Allee 80, 22039 Hamburg;
– B.vision Media GmbH, Potsdamer Strasse 79, 10785 Berlin
– Amalia Film GmbH, Adelgundenstrasse 5b, 80538 München;
– Studio Hamburg UK, 5 Market Place, 4th Floor, London WIW 8AE.

The “responsible” controller in respect of data processing shall in each case be the individual subsidiary of the Studio Hamburg Produktion Gruppe which processes your data for the mailing of Press Service Messages. The respective subsidiary will be named in the site notice of the individual Press Service Message. You may also contact the respon- sible subsidiary of SHPG {2.4. (b)} by e-mail to be sent to the address of presse-shpg@studio-hamburg.de.

3. Disclosure of Data

3.1. Disclosure towards other controllers
Controller will transmit the personal data provided by you prior to the conclusion of a contract to other controllers only to the extent that this may be necessary for the per- formance of the contract concluded with you (cf. Par. 2.1); to the extent that we shall be under an obligation to do so on the grounds of statutory provisions or by virtue of en- forceable administrative or court orders (cf. Par. 2.3); to the extent that we are in possession of your consent to such transmission (cf. Par. 2.4); or insofar as we (cf. Par. 2.2) or a third party may have a legitimate interest in such trans- mission.
In particular, and for the proper execution and handling of a production (cf. Par. 2.2), it may be necessary for Controller to disclose personal data towards third parties involved in the production (e.g. commissioning broadcasters, co- funding partners, E&O liability insurance) to the extent that such third parties on their part have a legitimate interest in the processing of such data. This may in particular include the following processing activities:

– disclosure towards third parties of the contract con- cluded between you and Controller, for the purpose of calculating and settling the agreed fees or proceeds participation in a production (e.g. in connection with op- tion and literary-purchase agreements);

– disclosure of the contract concluded between you and Controller, for the purpose of clarifying chains of enti- tlement to intellectual-property rights underlying contri- butions provided within the framework of the production;

– disclosure of your contact details for the purpose of executing the production, including its forwarding to other parties involved in such production.

The statutory basis for the processing of data in pursuit of legitimate interests shall be Article 6, Clause 1 (f), of the General Data Protection Regulation. To the extent that any third party may be processing for its own purposes any data transmitted by Controller (e.g. as part of the handling and execution of the production), processing will be carried out by each such third party on its own responsibility.

3.2. Data Processing as per Contract
In addition, SHPG or its subsidiaries (cf. 2.4. {b}) will en- trust external service providers (so-called “processors”) with tasks such as bookkeeping, payroll accounting, data hosting, press-service management (registration and de- registration, design, content management, mailing), cast- ings, and extras accounting. These service providers will have been selected diligently by SHPG or its subsidiaries, and will be monitored regularly with particular emphasis on the careful handling and protection of the data stored by them. We will impose obligations of confidentiality and compliance with statutory requirements on all service pro- viders. This will be based on each processor contract con- cluded for such purpose within the meaning of Article 28 ff. of the GDPR. The external service providers will be pro- cessing personal data on the order, and at the instruction, of SHPG or – indirectly – at the instruction of Controller (cf. Par. 1.1). The same shall apply mutatis mutandis to any subcontractors using external service providers within the framework of their (sub-) contracts for the data processing commissioned.
The mailing of Press Service Messages will be carried out centrally on behalf of all firms (cf. 2.4. b) by the press office of SHPG. If under data-protection legislation a different affiliate of the group is responsible for the mailing of the Press Service Messages, SHPG will process your personal data on the order, and at the instruction, of that affiliate. In any such case, instructions to sub-processors will be is- sued by SHPG on the order/at the instruction of the busi- ness enterprise in charge of the case.

4. Data Recipients in Non-EU Countries

a) General Information
Any transmission of data to recipients in countries outside of the European Union (the so-called non-EU countries) will be carried out only to the extent that –

– this will be necessary for the performance of the con- tract (e.g. fulfilment of orders, accounting towards co- funding partners/co-producers, promotion schemes);

– this is prescribed by law (e.g. notification duties under fiscal law);

or

– you have granted us your consent.b) Processors in non-EU countries

Within the framework of this type of (sub-) contract pro- cessing, personal data will be transmitted to service pro- viders in non-EU countries. In any such case, the respec- tive service provider will either have been certified under the EU-US Privacy Shield, with an adequacy decision hav- ing been obtained within the meaning of Article 45 of the GDPR; or appropriate safeguards within the meaning of Article 46 of the GDPR apply on the grounds of the stand- ard data-protection clauses as adopted by the EU Com- mission.c) MailChimp (contract data processing in the United States on behalf of the Press Service)

For the technical implementation of deregistration and reg- istration as well as the mailing of Press Service Messages (cf. Par. 2.4 b), SHPG will be using the MailChimp service. MailChimp is a cloud-based service for the management of newsletter mailings. The MailChimp service is offered and operated by The Rocket Science Group LLC, Georgia, 674 Ponce De Leon Ave NE, Suite 5000, Atlanta, Georgia 30308. The Rocket Science Group LLC will process your personal data, in connection with the Press Service, as an external service provider (a ‘processor’, cf. Par. 3.2) on the order and at the instruction of SHGP.

The Rocket Science Group LLC will be processing the data partly in the United States as a so-called non-EU country, and has been certified under the EU-US-Privacy Shield (as well as the Swiss-EU-Privacy Shield). A copy of the current certificate can be retrieved from here: (https://www.privacyshield.gov/participant?id=a2zt0000000 TO6hAAG&status=Active). In respect of the companies in the United States that have been certified under the EU- US-Privacy Shield, the EU Commission has found that these companies ensure an adequate level of data protec- tion (cf. Article 45 of the GDPR).5. Duration of Storage, and Erasure Controller will be storing and processing your personal da- ta only for as long as this may be required for achieving the respective purpose (cf. Par. 2). Beyond this, storing and processing will be carried out only to the extent admissible on the grounds of a different legal foundation, e.g. for com- pliance with statutory requirements (for instance, we are under an obligation, under fiscal and commercial law con- cerning retention periods, to hold available documents such as invoices, or certain types of documentary evi- dence, for a period of time as specified by law; cf. Par. 2.3).

6. Your Rights as a Data Subject

6.1. As a data subject affected by processing, you have a right to be informed pursuant to Article 15 of the GDPR, a right to rectification pursuant to Article 16 of the GDPR, a right to erasure pursuant to Article 17 of the GDPR, a right to restriction of processing pursuant to Article 18 of the GDPR, as well as a right to data portability pursuant to Article 20 of the GDPR. As far as the right to be informed and the right to erasure are concerned, the restrictions pur- suant to §§ 34 and 35 of the BDSG will apply.

6.2. For reasons following from your specific situa- tion, you have the right at any time to object to the processing of personal data relating to you which is carried out on the grounds of Article 6, Clause 1 (e), of the GDPR (data processing in the public interest) and Article 6, Clause 1 (f), of the GDPR (data processing based on a weigh- ing of interests). If you object, we will no longer process your personal data unless we can prove compelling legitimate reasons for such processing which override your interests, rights, and freedoms, or unless such pro- cessing serves the purpose of establishing, ex- ercising, or defending legal claims.

6.3. If the processing of personal data is based on a consent granted by you (cf. 2.4), you will have the right at any time to withdraw your consent. The foregoing will also apply to any consent that you granted us prior to the applicability of the GDPR,
i.e. prior to May 25, 2018. You may also declare withdrawal by e-mail message to be sent to produktion@studio-hamburg.de. tThe rightfulness of any data processing carried out prior to such withdrawal on the basis of consent will remain unaffected.

6.4. For your protection, Controller hereby reserves the right to require proof of identity in the event of the assertion of the rights set out in Par. 6.1 and Par. 6.3.

6.5. If you are of the opinion that the processing of your personal data contravenes statutory requirements, you will have the right to lodge a complaint with a data-protection supervisory authority having jurisdiction over us (cf. Article 77 of the GDPR, in con- junction with § 19 of the BDSG).

Member of Studio Hamburg Production Group
Contact