Data protection information

of the Foundation Opera in Berlin, Am Wriezener Bahnhof 1, 10243 Berlin

First things first

Before the legal details, a few basic principles are explained:
We welcome the European Data Protection Regulation because privacy is worth protecting!
What it's about:
With the Classic Card Berlin, the provider (Stiftung Oper in Berlin) provides the user/customer with services to recommend (cultural) events with a direct channel, especially in the form of "apps" and digital solutions. In addition to the recommendation service for users, the Classic Card enables event organizers to sell tickets to the user via these "apps" and digital solutions. For this purpose, the organizer has authorized the Provider to conclude ticket purchase agreements on behalf of the organizer. The Provider therefore brokers tickets to the User exclusively on behalf of and for the account of the Organizer. The ticket purchase contract is concluded exclusively between the user and the organizer.
In concrete terms, this means:
  • The Classic Card provides information on cultural events in Berlin.
  • Classic Card calculates recommendations based on user behavior for events that might be of interest and displays them in the app. Appropriate info is also sent out for this purpose. If you no longer want to receive these messages, you can deactivate them at any time under "My Menu".
  • If tickets are booked via the app, the respective cultural institution knows that the event is scheduled to be attended so that it can react quickly in the event of cancellations.
  • Those responsible make a living from and also for ticket sales, but never sell the data they receive.
In the event that contact is no longer desired, it is requested to send an email to or to change the appropriate settings in the app under "My menu".

Processing activity

Online services for recommending (cultural) events and purchasing tickets for (cultural) events.

Person responsible for the operation of the services

Classic Card: Foundation Opera in Berlin, Am Wriezener Bahnhof 1, 10243 Berlin
Data Protection Officer Stiftung Oper in Berlin, Richard-Wagner-Strasse 10, 10585 Berlin-Charlottenburg
T: +49 (0)30 343 84 148

Person responsible for the event contract

With the purchase of the ticket, an "event contract" is created between the user and the organizer, for the fulfillment and execution of which the organizer alone is responsible. The organizer is identified separately (as the responsible party) when the ticket is purchased. The transmission of the data necessary for the processing of the purchase contract to the organizer is absolutely necessary for the fulfillment of the purpose of the contract.
In the processing of ticket purchase contracts, Ticket Gretchen GmbH („easy-connect“) acts as an order processor of the event organizers.

Types of data processed

Disclosed by the customer
  • Place of interest
  • Name
  • E-mail address
  • Date of birth (optional for special offers)
  • Payment and credit card data, voucher data
  • Contents of messages or reviews of the customer
  • ID card copies. The relevant metadata such as ID card number, type of ID card, validity, place and date of issue, date of birth are extracted and stored. Afterwards, the ID card copy is deleted immediately.
Additionally collected by the responsible party
  • IP addresses (log files)
  • User ID, push token, device ID, localization (language setting)
  • Webview used
  • Used device
  • Communication protocol
  • Information about account usage (e.g. creation date, number of logins, date of last request)
  • Information about purchased tickets
  • User behavior data (e.g..: Event viewed, favorited, added to shopping cart, purchased, rated).
  • Purposes of data processing - contract fulfillment or preparation
  • - Keeping information about (cultural) events available for retrieval
  • - Provision of services to recommend events based on the user's interests (with opt-out option at any time)
  • - Availability of online stores of the event organizers for the purchase of tickets
  • - Provision of communication channels for the dissemination of content and maintenance of the customer relationship
  • - Fulfillment of contractual obligations from the service contract with the responsible party
  • - Fulfillment of contractual obligations arising from the purchase and event contract concluded with the organizer

Data processing purposes - (overriding) legitimate interest:

  • Dissemination/playout of (also promotional) information for services and events by way of direct advertising ("marketing purposes"), to the extent permitted by law.
  • Maintaining and increasing customer satisfaction and customer loyalty by analyzing usage behavior with the aim of improving the range of services, this using Clevertap and Google Analytics
  • Provision of newsletters (including promotional newsletters) to customers with the option to opt out at any time
  • Transmission of electronic identification data of the user to third party providers in order to integrate content through contributions to social networks (e.g. YouTube) and other applications (e.g. Google Maps).

Legal basis of data processing

1) Contract fulfillment
  • Online: The use of the online services of the responsible party is based on a contract iSd Art 6 para 1 lit b DSGVO, a registration relationship is created by a registration.
  • Conclusion of ticket purchase contracts: In the case of the purchase of tickets, the data processing of the organizer is based on the respective contract concluded and this serves the purpose of fulfilling the contract
2) Additional services: Consent. For individual services (e.g. newsletter), the responsible party explicitly obtains consent from the customer iSd Art 6 para 1 lit a DSGVO . This consent can be revoked at any time with effect for the future.
3) Overriding legitimate interests
IT Security The responsible party stores the IP addresses of mere visitors to the website for a period of 7 days in order to be able to defend against targeted attacks in the form of server overload ("denial of service" attacks) and other damage to the systems. The controller has an overriding legitimate interest in this data processing for the purpose of maintaining the functionality of its services provided online (recital 49 of the GDPR).
Information dissemination/direct advertising The Controller also processes customer data (but not those of children or special categories of personal data within the meaning of Art 9 of the GDPR ("sensitive data")) in order to use them for the purpose of direct advertising for (further) offers of the Controller. The controller has a legitimate interest in processing personal data for the purpose of direct marketing (Recital 47, last sentence of the GDPR). Only those customer data are processed which the controller has from a contractual relationship and for which the storage period is still running. This does not result in an extension of the storage period. The primary objective of data processing is customer acquisition. In doing so, the data controller relies on its freedom of acquisition and freedom of communication, which are protected under the Convention and the Constitution (in particular Art. 10 ECHR, which also protects advertising measures), and on the rights to
  • to the transmission of postal advertising;
  • to the transmission of electronic mail after consent.
When using this data, the responsible party complies with the provisions of communications law.
Retargeting Facebook uses the "Facebook Pixel" set by the responsible party in its services to place cookies on the user's device and to read existing cookies, other identifiers and enrich the profile created for the identifier or user. The responsible party has access to this data collected by Facebook, but uses it to play out advertising to the target group of those interested in the service of the responsible party.

Change of purpose

Information dissemination/advertising: the responsible party informs that it also processes the customer's personal data for the purposes of information dissemination/direct advertising and for retargeting purposes. In this way, the Responsible Party intends to inform about and promote its own services and the events of the Organizers. For this purpose, these data will not be given to any third party under its responsibility. There is no incompatibility with the purpose of the original data collection. The customer may object to the use of his personal data for direct marketing purposes at any time and without giving reasons.

Assessments of personal aspects of the customer ("profiling")

In order to be able to make suitable recommendations to the customer within the scope of the purpose of the contract, the responsible party analyzes and evaluates the customer's usage and demand behavior. The responsible party uses this evaluated behavior to provide the customer with targeted, interest-specific recommendations in accordance with Art 6 para 1 lit f DSGVO.

Obligation to provide data

The customer is under no obligation to provide data when using the services. During the purchase process, the fields required for the purchase process must be filled out truthfully.

Automated decision making

The customer is not subject to any automated decision-making that has legal effect vis-à-vis him.

Data sources

(unless disclosed by the customer or collected by the responsible party).
  • Email delivery "Mailchimp": The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA Data types: IP location, preferred email client, source of signup, campaign details (received, opened, clicked)
  • Facebook login: Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304Facebook ID and email address.
  • Data analytics and push notification sending "Clevertap": push token, device ID, user behavioral data (e.g.: event viewed, shopping cart, purchased, rated), device, operating system, user agent, localization
  • Capturing the source of the download: Branch and Appsflyer SDK: Used to detect from which source a user downloaded the app and is required, for example, for the referral system and deep linking into the app. The following characteristics are collected to identify the download source: iOS Identifier for Advertising (IDFA), iOS Identifier for Vendors (IDFV), Android Advertising ID (GAID), Android ID Branch Cookie ID, IP Address, Application version, Device model, Manufacturer, Operating system, Operating system version, Screen size, Screen resolution, Session start/stop time, Mobile network status (WiFi, etc)Application installed time, Application updated time, Device locale (country and language), Local IP address, Mobile platform, Branch SDK version, Developer ID

External recipients of data

A) Integration of third-party services into the Platform: transmission of electronic identification data, in particular IP address:
  • Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025, USA,
  • Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA,
  • Twitter Inc, 795 Folsom St, Suite 600, San Francisco, CA 94107, USA,
  • LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085, USA,
  • YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA
  • Vimeo: Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
  • Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland,
B) Organizers (are specified in each case during the purchase process): e-mail, first name, last name, newsletter subscription for the respective organizer (separate opt-in), order details, date of birth, if applicable.
C) Processor
  • Development & Operation of Classic Card Solutions (App and Website): Technology Partner„easy-connect“ - Ticket Gretchen GmbH, Mariahilferstraße 109, 1060 Wien, Österreich
  • Host provider - server location Frankfurt: Amazon Web Services, Inc., 410 Terry Avenue North Seattle WA 98109, United States
  • Google Analytics (with "anonymize IP"): Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
  • Email campaign dispatch "Mailchimp": The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA
  • Payment service: Stripe, 510 Townsend Street, San Francisco, CA 94103, USA Payment gateway for processing credit card payments and SOFORT - bank transfer. Stripe is certified under the EU-U.S. Privacy Shield Framework. Stripe processes personal data in accordance with the EU standard contractual clauses."
  • Payment service: BS PAYONE GmbH, Lyoner Straße 9, D-60528 Frankfurt/Main The critical payment data (e.g.: credit card information) is forwarded directly from the customer to the payment service without any storage of the data on the servers of Ticket Gretchen GmbH. Only pseudonymized data is stored at Ticket Gretchen.
  • Payment service: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg Payment by the customer is made directly with PayPal. Only data relevant to the order will be requested (amount, status).
  • Payment service: Blue Code International AG, Gartenstrasse 5, 8853 Lachen, Switzerland Processes Blue Code payments
  • Payment service - SOFORT Überweisung: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden The payment by the customer is made directly to the payment provider, this triggers a bank transfer from the end customer to Ticket Gretchen.
  • ID validation & verification for special offers (e.g. U27): AriadNEXT, ZAC des Champs Blancs, 1219 Avenue des Champs Blancs, 35510 CESSON SEVIGNE - FRANCE
  • Clevertap data analysis - EEA server location: WizRocket Inc, 440 N Wolfe Rd, Sunnyvale, CA 94085, USA. Hosting and processing of data takes place exclusively within the EEA in Amazon Web Services data centers.
  • Data evaluation Branch - server location USA: Branch Metrics Inc. 2443 Ash Street, Palo Alto, California 94306, USA.
  • Data analysis: Graf Moser Management GmbH, Mariahilferstraße 109/20, 1060 Vienna, Austria. Hosting takes place in data centers in Germany.
  • Server monitoring - server location USA: Rollbar, 221 Main St. Suite 780, San Francisco, CA 94105, USA
  • Processing of IP addresses (conversion to country information): MaxMind, Inc. -14 Spring St., Suite 3, Waltham, MA 02451, US
The Controller expressly reserves the right to use additional commissioned data processors. These will then be identified in the update of the data protection information following the start of use. These data processing activities of the commissioned data processors take place under the responsibility of the data controller.

Internal recipients

  • System administrator
  • Specialist department - marketing and sales
  • Management

Third country transfer

The following data is transferred to countries outside the EU in the course of data processing:
  • Google (EUStandard contractual clauses) Country: USA Types of data- Google Analytics: anonymized IP address, website title, browser-specific information, information about website usage Types of data- Google Maps: electronic identification data.
  • Mailchimp (EU standard contractual clauses) Country: USA Data types: email address, name, user type.
  • Branch Metrics (EU standard contractual clausesCountry: USA Data types- Website: IP address, download link clicked, user agent, referrer, cookie, phone number when using the "Text-Me-The-App" feature on the website. Data types- App SDK: iOS Identifier for Advertising (IDFA), iOS Identifier for Vendors (IDFV), Android Advertising ID (GAID), Android ID, Branch Cookie ID, IP Address, Application version, Device model, Manufacturer, Operating system, Operating system version, Screen size, Screen resolution, Session start/stop time, Mobile network status (WiFi etc.), Application installed time, Application updated time, Device locale (country and language), Local IP address, Mobile platform, Branch SDK version, Developer ID
  • Rollbar (EU standard contractual clauses) Country: USA Data types: In case of an error, the ticket Gretchen User ID and meta information about the error (e.g.: affected performance, error message, etc.) is stored. The data is automatically deleted again after 7 days.
  • Facebook SDK (EU Standard Contractual Clauses Country: USA Data types: explicit events - information from events that are tracked. E.G.: View event, shopping cart, purchase. Implicit Events - Information from events that are implicitly logged when an advertiser uses other features of the Facebook SDK, such as integration with Facebook Login or the "Like" button. Automatically logged events - Basic interactions in the app (e.g., app installs, app launches) and system events (e.g., SDK loading, SDK performance) that are automatically logged. Developers can disable automatic logging and log explicit events manually instead (instructions here for iOS and Android). Facebook App ID - A unique ID assigned by Facebook to the advertiser's website and mobile app. Mobile ad ID - the iOS IDFA or Android ad ID. Metadata from the request - mobile OS type and version, SDK version, app name, app version, device opt-out setting, user agent string, and client IP address. The SDK also collects the following device metrics: Time zone, device operating system, device model, vendor, screen size, processor cores, total storage space, free storage space.


Appearances on social media channels

The responsible party informs that it keeps independent online presences accessible in social media channels for the purposes of advertising and communication with customers. In these online presences, the customer's data may be processed outside the European Union, resulting in an increased risk of data protection violation. The operators of the social media channels, insofar as they are based in the USA, have for the most part subjected themselves to the EU standard contractual clauses.
These online presences are kept accessible in the technical environment of the respective social media operator. The social media operators then use the customer's visit to the online presence for their own purposes, in particular to play out (interest-based) advertising. The social media operators use the visit to place "cookies" on the customer's end device, to read existing cookies/identifiers, to infer the customer's interests from usage behavior and thus to enrich the usage profile created for the customer or identifier. The aim is to display interest-based advertising to the customer, which may also be displayed on websites of third parties visited at a later date.
The processing of the customer's personal data is based on the overriding legitimate interests of the controller in the advertising measures and customer communication, which is protected by the freedom of acquisition (Art 6 StGG, Art 12 GG) and freedom of communication (ins. Art 10 ECHR, which also protects advertising measures) under convention and constitutional law. If the customers are users of the social media channels, the data processing may also be covered by the customer's consent.
The data controller informs that it has no access to the customer's data. The controller therefore recommends that the customer contact the respective social media channel directly in the event of assertion of their rights to information, correction, deletion, restriction, objection and data portability. Users of social media channels can also make changes themselves in the area of their privacy settings. The responsible party will support the customer in doing so, should this be necessary.
The customer can find further information at:

Storage period

Legal basis contractual relationship: The data is processed by the responsible party on the basis of the above-mentioned legal basis in principle until 40 months after termination of the contract (= 36 months of possible contractual claims for damages + max. 4 months of service of a lawsuit) and then deleted (in any case the personal reference). Insofar as there is a legal obligation to retain data, personal data processing of billing-relevant data shall in any case continue until the end of the legal retention obligation (currently in principle 10 years after the end of the fiscal year of the occurrence).

Rights of the data subject

  • Art 15 DSGVO "Information" The customer has the right to request information about whether and to what extent personal data of him are processed.
  • Art 16 DSGVO "Correction" The customer has the right to demand the correction of incorrect personal data or its completion without delay.
  • Art 17 GDPR "Deletion" The customer has the right to request that the personal data be deleted without undue delay, provided that the grounds set out in Art 17 (1) GDPR are met.
  • Art 18 GDPR "Restriction" The customer has the right to request that the processing of personal data be restricted, provided that the grounds referred to in Art 18(1) GDPR are met.
  • Art 21 DSGVO "Objection" The customer has the right to object to the processing of his personal data on the basis of overriding legitimate interest.
  • Art 20 DSGVO "Data portability" The customer has the right to receive his disclosed personal data in a structured, common and machine-readable format.

Right of appeal

Art 77 DSGVO § 24 DSG Every customer has the right to lodge a complaint with the supervisory authority if he or she believes that the processing of personal data concerning him or her violates this Regulation.

Supervisory authority

Classic Card: Berlin Data Protection Authority, Berlin Commissioner for Data Protection and Information Security, Friedrichstraße 219, 10969 Berlin,