The protection of your personal data is an important concern for us. We process your data in accordance with the applicable national and European data protection laws. So that you know which data we process for which purposes and which rights you have in this regard, we would like to inform you about the processing of your personal data.
1. Name and Address of the controller
The controller for the purposes of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other provisions related to data protection is:
LETTERBOX FILMPRODUKTION GMBH
Jenfelder Allee 80
Tel.: 040/6688 4802
Fax: 040/6688 5428
2. Name and Address of the Data Protection Officer
The Data Protection Officer of the controller is:
Jenfelder Allee 80
3. General information on data processing
a) Scope of the processing of personal data
The controller only collects and processes personal data of users as far as this is necessary for the operation of a functional website and its contents and services. The collection and processing of personal data of the users generally takes place with the user’s consent. An exception applies in those cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.
b) Legal basis for the processing of personal data
Insofar as the controller obtains the consent of the data subject for the processing of personal data, Art. 6 (1) lit. a GDPR serves as the legal basis. If the processing of personal data is required for the fulfilment of a contract to which the data subject is a party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to data processing operations that are necessary to implement pre-contractual measures. Insofar as the processing of personal data is required to fulfil a legal obligation to which the controller is subject, Art. 6 (1) lit. c GDPR serves as the legal basis. In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6 (1) lit. d GDPR serves as the legal basis. If the data processing is necessary to safeguard a legitimate interest of the controller or a third party and if the interests, fundamental rights and freedoms of the data subject do not override the former interest, Article 6 (1) lit. f GDPR serves as the legal basis for the processing.
c) Erasure of data and storage period
The personal data of the data subject will be deleted or blocked, as soon as the purpose of storage ceases to apply. Furthermore, personal data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned regulations expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
4. Processing on behalf of the controller and data security
On the basis of separate written agreements, the controller also has personal data processed by service providers within the framework of order data processing (“contract processors”) pursuant to Art. 28 GDPR. The controller remains responsible to you under data protection law. The employees of the contract processors are obliged to maintain the confidentiality of your data just as the controller’s own employees are. They are subject to the instructions of the controller. All technical and organisational measures required by law to protect your personal data from loss and misuse are guaranteed by the controller. Your personal data is stored in secure operating environments, which are only accessible to employees of the contract processors to the extent that this is absolutely necessary to fulfil the contractual tasks.
5. Access to this website
The controller collects and uses personal data of the users only as far as this is necessary to provide a functional website as well as the contents and services of the controller. Each time this website is called up, the system of the controller automatically collects the following data from the computer system of the calling computer and stores them in log files: name of the file accessed, date and time of access, amount of data transmitted, notification of successful access, type of your browser and version used, user’s IP address, user’s operating system, user’s Internet service provider, websites from which the user’s system managed to access this website, websites accessed by the user’s system via this website. This data is not merged with other data sources. The legal basis for the collection of data and their storage in log files is Art. 6 (1) lit. f GDPR.
The temporary collection of data by the system is necessary to enable the website to be delivered to the user’s computer and to ensure its reproduction. The data is also stored in log files to ensure the stability and functionality of the website. Furthermore, the data serves to optimize this website and to guarantee the security of the information technology systems of the controller against possible attacks from outside. This also includes the legitimate interest in data processing pursuant to Art. 6 (1) lit. f GDPR.
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. For the data collected for the provision of the website, this is the case at the end of the respective session; for the data stored in log files, this is the case after seven days at the latest. Further storage is possible. In this case the IP address of the user is deleted or altered, so that the calling computer can no longer be identified. The collection of data for the provision of the website and its storage in log files is absolutely necessary for the operation of the offer, so that there is no possibility of objection on the part of the user.
6. Contact possibility via the website
On this website, you can contact the controller via an online contact form or via e-mail. The personal data (e.g. name, address, telephone number or e-mail address) transmitted to the controller via the input mask of the contact form or by e-mail serve exclusively the processing of contact inquiries of the users. The data will not be passed on to third parties. The legal basis for the processing of data transmitted via the contact form is, with the prior consent of the user, Art. 6 (1) lit. a GDPR, for the processing of data transmitted by e-mail Art. 6 (1) lit. f GDPR. For the aforementioned purposes, the data controller also has a legitimate interest in the processing of the data pursuant to Art. 6 (1) lit. f GDPR.
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. This is the case when the processing of the user’s respective inquiry has been completed, i.e. it can be inferred from the circumstances that the facts in question have been finally clarified. The user has the possibility at any time to revoke his consent to the processing of personal data as well as to object to the storage of his personal data transmitted to the controller by e-mail. In this case, the conversation cannot continue. Users can contact firstname.lastname@example.org for this purpose. All personal data stored in the course of contacting us will then be deleted.
7. Press Service
Only if you have given your consent, Studio Hamburg Produktion Gruppe GmbH, Jenfelder Allee 80, 22039 Hamburg (“SHPG”) and each of the other companies of Studio Hamburg Produktion Gruppe GmbH (jointly “Group”) listed below will process your name and your e-mail address in order to inform you by e-mail within the framework of the “Studio Hamburg Produktion Gruppe GmbH Press Service” about productions of the companies and news of the Group relevant to productions and business (jointly “press service messages”). You will receive press service messages from the following companies of the Studio Hamburg Produktion Group (“Group”):
– Studio Hamburg Produktion Gruppe GmbH, Jenfelder Allee 80, 22039 Hamburg
– LETTERBOX FILMPRODUKTION GmbH, Jenfelder Allee 80, 22039 Hamburg
– REAL FILM Berlin GmbH, Köthener Straße 3, 10963 Berlin
– Nordfilm GmbH, Büsumer Weg 51, 24106 Kiel
– Riverside Entertainment GmbH, Jenfelder Allee 80, 22039 Hamburg
– Doclights GmbH, Jenfelder Allee 80, 22039 Hamburg
– B.vision Media GmbH, Wilhelm-Kabus-Straße 77, 10829 Berlin
– Amalia Film GmbH, Adelgundenstrasse 5b, 80538 München
– Studio Hamburg UK, 5 Market Place, 4th Floor, London WIW 8AE
– FRIDAY FILM GmbH, Köthener Straße 3, 10963 Berlin
Your consent to receive the press service messages is voluntary and revocable at any time. You are under no contractual or legal obligation to provide your name and e-mail address for the purpose of sending press service messages. If you do not provide the data, you will not receive any press service messages. You can also revoke your consent by using the link provided for this purpose in each press service message or by e-mail to email@example.com. The legal basis for the described data processing for the dispatch of press service messages is your consent in conjunction with Art. 6 (1) lit. a GDPR.
Processing to meet legally binding requirements
Data provided by you for receiving the press service message will be processed for these purposes only insofar as this is required to fulfil legally binding requirements to which SHPG or the other companies of the Group (see “Responsibility for press service messages”) are subject in each case. The legal basis for data processing to fulfil legal obligations is Art. 6 (1) lit. c GDPR.
Responsibility for press service messages
a) General information on (sub-) contract processing
For data processing within the scope of the press service, SHPG commissions external service providers (contract processors) with tasks in connection with registration and deregistration, the design, content management and the dispatch of press service messages and grants them access to your personal data for this purpose to the extent necessary in each case. This is done on the basis of processing contracts concluded for this purpose within the meaning of Art. 28ff. GDPR. The external service providers process personal data on behalf of and on the instructions of SHPG or – indirectly – on the instructions of the respective responsible company of the Group (see “Responsibility for press service messages”). The same applies to subcontractors who are used by external service providers within the frame of their (sub-)contract for the commissioned data processing. In the context of this (sub-)contract processing, personal data is transmitted to service providers in third countries. In these cases, the respective service provider is either certified under the EU-US Privacy Shield, for which an adequacy decision within the meaning of Art. 45 GDPR is available, or suitable guarantees within the meaning of Art. 46 GDPR exist through the conclusion of EU standard contractual clauses issued by the EU Commission.
b) MailChimp ((sub-) contract processor)
SHPG GmbH uses the “MailChimp” service for the technical implementation of de-registration and registration as well as the dispatch of press service messages. MailChimp is a cloud-based service for managing newsletter distribution. MailChimp is offered and operated by The Rocket Science Group LLC, Georgia, 674 Ponce De Leon Ave NE, Suite 5000, Atlanta, Georgia 30308. The Rocket Science Group LLC processes your personal data in connection with its press service as an external service provider (contract processor) on behalf and under the instructions of SHPG. If another company of the group is responsible for sending the press service messages (see “Responsibility for press service messages”), MailChimp is a subcontractor of this company.
The Rocket Science Group LLC processes some of the data in the USA as a so-called third country and is certified under the EU-US Privacy Shield (and the Swiss-EU Privacy Shield). The current certificate can be downloaded here. The European Commission has established an adequate level of data protection for US companies certified under the EU-US Privacy Shield (Art. 45 GDPR).
c) Data transmission for the purposes of third parties
A transmission of personal data to state institutions and authorities only takes place within the framework of mandatory legal regulations. In addition, the data you provide for receiving the press service messages will not be passed on to third parties for their purposes.
9. Data protection provisions about the use of Google Applications
a. Use of Google Analytics
Further information on data use by Google, possible settings and objections can be found on the following links on Google’s websites: https://www.google.com/intl/de/policies/privacy/partners (“Data use by Google when using our partners’ websites or apps”), http://www.google.com/policies/technologies/ads (“Data use for advertising purposes”), http://www.google.de/settings/ads (“Manage information that Google uses to show you advertising”).
b. Use of YouTube
On this website, the controller has integrated components of YouTube. YouTube is an Internet video portal that enables video publishers to post video clips free of charge and other users to view, review and comment on them, likewise free of charge. YouTube allows you to publish all kinds of videos, so you can access both full movies and TV broadcasts, as well as music videos, trailers, and videos made by users via the Internet portal. The operating company of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, UNITED STATES. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, UNITED STATES. With each call-up to one of the individual pages of this Internet site, which is operated by the controller and on which a YouTube component (YouTube video) was integrated, the Internet browser on the information technology system of the data subject is automatically prompted to download a display of the corresponding YouTube component. Further information about YouTube may be obtained under https://www.youtube.com/yt/about/en/. During the course of this technical procedure, YouTube and Google gain knowledge of what specific sub-page of our website was visited by the data subject. If the data subject is logged in on YouTube, YouTube recognizes with each call-up to a sub-page that contains a YouTube video, which specific sub-page of our Internet site was visited by the data subject. This information is collected by YouTube and Google and assigned to the respective YouTube account of the data subject.
YouTube and Google will receive information through the YouTube component that the data subject has visited our website, if the data subject at the time of the call to our website is logged in on YouTube; this occurs regardless of whether the person clicks on a YouTube video or not. If such a transmission of this information to YouTube and Google is not desirable for the data subject, the delivery may be prevented if the data subject logs off from their own YouTube account before a call-up to our website is made. YouTube’s data protection provisions, available at https://www.google.com/intl/en/policies/privacy/, provide information about the collection, processing and use of personal data by YouTube and Google.
This website contains links to online offers of third parties over which the controller has no influence and therefore cannot assume any responsibility for data protection or content. Please read the privacy policies of the online offers that you access via this website.
11. Data protection provisions about the application and use of Facebook
The controller has integrated components of the enterprise Facebook on this website. Facebook is a social network. A social network is a place for social meetings on the Internet, an online community, which usually allows users to communicate with each other and interact in a virtual space. A social network may serve as a platform for the exchange of opinions and experiences, or enable the Internet community to provide personal or business-related information. Facebook allows social network users to create private profiles, upload photos, and network through friend requests. The operating company of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, United States. If a person lives outside of the United States or Canada, the controller is the Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. With each call-up to one of the individual pages of this Internet website, which is operated by the controller and into which a Facebook component (Facebook plug-ins) was integrated, the web browser on the information technology system of the data subject is automatically prompted to download a display of the corresponding Facebook component from Facebook through the Facebook component. An overview of all the Facebook Plug-ins may be accessed under https://developers.facebook.com/docs/plugins/. During the course of this technical procedure, Facebook is made aware of what specific sub-site of our website was visited by the data subject. If the data subject is logged in at the same time on Facebook, Facebook detects with every call-up to our website by the data subject—and for the entire duration of their stay on our Internet site—which specific sub-site of our Internet page was visited by the data subject. This information is collected through the Facebook component and associated with the respective Facebook account of the data subject.
If the data subject clicks on one of the Facebook buttons integrated into our website, e.g. the “Like” button, or if the data subject submits a comment, then Facebook matches this information with the personal Facebook user account of the data subject and stores the personal data. Facebook always receives, through the Facebook component, information about a visit to our website by the data subject, whenever the data subject is logged in at the same time on Facebook during the time of the call-up to our website. This occurs regardless of whether the data subject clicks on the Facebook component or not. If such a transmission of information to Facebook is not desirable for the data subject, then he or she may prevent this by logging off from their Facebook account before a call-up to our website is made. The data policy published by Facebook, which is available at https://www.facebook.com/privacy/explanation, provides information about the collection, processing and use of personal data by Facebook. In addition, it is explained there, which setting options Facebook offers to protect the privacy of the data subject. In addition, different configuration options are made available to allow the elimination of data transmission to Facebook. These applications may be used by the data subject to eliminate a data transmission to Facebook.
12. Your Rights
a) Right of access (Art. 15 GDPR)
You can obtain confirmation from the controller as to whether personal data concerning you are being processed by the controller. If such processing has taken place, you can request the following information from the person responsible: the purposes for which the personal data are processed; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data concerning you have been or are still being disclosed; the planned period of the storage of the personal data concerning you or, if specific information on this is not possible, criteria to determine the storage period; the existence of a right to have your personal data corrected or deleted, a right to have processing restricted by the controller or a right to object to such processing; the existence of a right of appeal to a supervisory authority; all available information on the origin of the data if the personal data are not collected from the data subject; the existence of automated decision-making, including profiling in accordance with Article 22 (1) and (4) GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject. You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.
b) Right to rectification (Art. 16 GDPR)
You have a right of rectification and/or completion vis-à-vis the data controller if the personal data processed concerning you are incorrect or incomplete. The person responsible shall make the correction without delay.
c) Right to erasure (Art. 17 GDPR)
You may request the data controller to delete the personal data relating to you without undue delay and the controller is obliged to delete this data without undue delay if one of the following reasons applies: The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed. You revoke your consent, on which the processing was based pursuant to Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR and there is no other legal basis for the processing. You file an objection against the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing pursuant to Art. 21 (2) GDPR. The personal data concerning you have been processed unlawfully. The deletion of personal data concerning you is necessary to fulfil a legal obligation under EU law or the law of the Member States to which the data controller is subject. The personal data concerning you have been collected in relation to information society services offered pursuant to Art. 8 (1) GDPR. If the data controller has made the personal data concerning you public and is obliged to delete it pursuant to Art. 17 (1) GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you as the data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.
The right to erasure does not exist where processing is necessary: to exercise the right of freedom of expression and information; to fulfil a legal obligation required by the law of the EU or the Member States to which the controller is subject, or to perform a task in the public interest or in the exercise of official authority conferred on the controller; for reasons of public interest in the field of public health in accordance with Art. 9 (2) lit. h and i and Art. 9 (3) GDPR; for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the right referred to in paragraph 1 of this section is likely to make it impossible or seriously impair the achievement of the objectives of such processing, or for the assertion, exercise or defense of legal claims.
d) Right of restriction of processing (Art. 18 GDPR)
You may request the restriction of the processing of personal data concerning you under the following conditions: if you dispute the accuracy of the personal data concerning you for a period which allows the data controller to verify the accuracy of the personal data; the processing is unlawful and you refuse the deletion of the personal data and instead request the restriction of the use of the personal data; the data controller no longer needs the personal data for the purposes of the processing but you need them for the assertion, exercise or defence of legal claims, or if you object to the processing pursuant to Art. 21 (1) GDPR and it is not yet clear whether the legitimate reasons of the person responsible override your reasons. If the processing of personal data concerning you has been restricted, such data may only be processed – apart from being stored – with your consent or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or on grounds of an important public interest of the EU or a Member State. If processing has been restricted according to the above conditions, you will be informed by the person responsible before the restriction is lifted.
e) Right to information according to Art. 19 GDPR
If you have exercised your right to have the data controller correct, delete or limit the processing, the data controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction on processing, unless this proves impossible or involves a disproportionate effort. You shall have the right vis-à-vis the data controller to be informed of such recipients.
f) Right to data portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. In addition, you have the right to transmit this data to another controller without obstruction by the controller to whom the personal data was provided, provided that the processing is based on a consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or on a contract pursuant to Art. 6 (1) lit. b GDPR and the processing is carried out using automated procedures. In exercising this right, you also have the right to request that the personal data concerning you be transferred directly from one controller to another controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this. The right to transferability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.
g) Right to withdraw data protection consent (Art. 7 (3) GDPR)
You have the right to withdraw your data protection declaration of consent at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until withdrawal.
h) Right of appeal to a supervisory authority (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right of appeal to the NDR Broadcasting Data Protection Officer in Hamburg if you believe that the processing of your personal data is in violation of the GDPR. The supervisory authority shall inform the complainant of the status and the results of the complaint, including the possibility of a legal remedy according to Article 78 GDPR.
i) Right to object (Art. 21 GDPR)
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you under Article 6(1) lit. e or f of the GDPR; this also applies to profiling based on these provisions. In this case, the controller no longer processes the personal data concerning you, unless the controller can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct marketing. If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
You have the possibility to exercise your right to object in connection with the use of information society services by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC. You also have the right to object to the processing of personal data concerning you for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR for reasons arising from your particular situation, unless such processing is necessary to fulfil a task in the public interest.