EVENTIM.HU - DATA PROTECTION NOTICE

 

  • I. INTRODUCTION:
  1. What is this Notice about? (scope of this Notice)

    With this data protection notice (hereinafter: “Notice”) we provide information on which personal data we process of contractual partners, artists, and those who visit, register or purchase on the website http://www.cts.eventim.hu, and about the purposes and methods of such data processing. Hereinafter, this website and all of its pages are collectively referred to as the "Websites" and any of them is referred to as the "Website".
    The scope of the Notice does not apply to services and data processing activities of third parties (other than the Data Controller) advertising or appearing in any other way on the Websites with their promotions, games, services, campaigns or other published contents, including any link on any of the Websites leading to such activities and contents. The data protection notices of the third party providing such services apply to such services, and the Data Controller does not undertake any liability for such data processing activities.

    2. What data qualifies as personal data? (definition of personal data)

    Personal data means any information relating to an identified or identifiable individual (“Data Subject”). An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.


  3. What does personal data processing mean? (definition of data processing)

    Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The following data is processed from private customers (ticket purchasers and users with their own Eventim account): login data (username, password), title, name, address data and email address, date of birth (voluntary disclosure), telephone number, payment data.

The following data is processed from business customers (companies, groups, schools): company name, name of contact persons, professional address and contact details, bank details and contract data.

The following data is processed from contractual partners: company, names of contact persons, address data, contact details, contract data, bank details.

The following data is processed from artists: names, photos and limited data from their biographies.

We publish the names of people associated with an event (e.g. directors).

The following data is processed from newsletter recipients: email address.

We process and publish the names of authors upon request. As soon as the use of the works is discontinued, the personal data is automatically deleted.

No automated decision-making is involved in the processing on behalf of the Data Controller.

4. Data Retention Periods

As a general rule, personal data is processed for the period necessary to achieve the specific purpose. In certain cases, however, statutory regulations may oblige us to store data for a longer duration. Pursuant to the Hungarian Accounting Act, we are required to retain accounting documents—including purchase data and invoices—for at least 8 years. International Group Standards: As our company is a member of an international corporate group, data may also be subject to regulations (e.g., tax or auditing rules) applicable at our parent company's seat. If the laws governing the parent company mandate a longer retention period than Hungarian law, we may store the data for this longer duration within the group's unified reporting and compliance systems, based on our legitimate interest.

Based on our legitimate interest, data may be retained beyond the aforementioned periods if necessary for the submission, enforcement, or defense of legal claims (e.g., within the statute of limitations). Upon the expiry of the above periods, or if the legal basis for processing ceases to exist, the data is permanently deleted or anonymized, unless further storage is required due to administrative or judicial proceedings.

Personal data processed for the performance of a contract will be deleted or anonymized following the expiry of the periods specified in the contract. For data processed based on consent, if you withdraw your consent, the data will be deleted or anonymized, unless there is another legal basis for the processing. Mandatory Retention: In the event of retention obligations based on legal requirements (e.g., tax or accounting regulations), we are obliged to store personal data for the period specified by law, even after the termination of a contract or the withdrawal of consent.

 

Who is the Data Controller? (contact details of the Data Controller)

The above Website is operated by CTS Eventim Hungary Kft. (seat: 1139 Budapest, Váci út 91/A 3. em.; Company reg nr. 01-09-877903; represented by Mr. Gyula Kovácska managing director and Mr. Christoph Klinger managing director – both independently; contact information: dataprotection@eventim.hu); this company determines the purpose and means of the processing of personal data and therefore, this company is the Data Controller of the personal data (hereinafter: “Data Controller”).

5. Is there any other company that processes personal data on behalf of the Data Controller? (data processors)

Yes, these companies are called data processors. This Notice lists the data processors involved in the data processing.

6. Who is responsible for the accuracy and lawfulness of the personal data submitted to the Websites? (credibility of personal data)

The Data Controller does not check the personal data provided by the Data Subject, unless otherwise stated in this Notice, and the Data Subject is fully liable for the credibility of the personal data submitted by him or her. The Data Subject (visitor, buyer, user, complainant, etc.) warrants that he or she obtained the consent of the other Data Subject to the processing of all those personal data which such other Data Subject provided or gave access to him or her and which he or she submitted to the Website when visiting the Website or using the services provided by the Data Controller (for instance, when publishing content created by someone else or providing information on someone else, or when personalised tickets are issued). The Data Subject shall take full responsibility for the user content he or she uploads or shares on the Website or publishes in relation to the services provided by the Data Controller. When the Data Subject provides data (e.g. user name, identification, password, etc.), for example when buying tickets, registering, or making comments or complaints, he or she is responsible for ensuring that it is the Data Subject who uses the services by means of the e-mail address and any other data submitted by him or her. On the basis of this, the Data Subject who registered the e-mail address and provided other personal data on the Website shall be solely responsible for all actions related to the entries using that e-mail address and those personal data. The Data Controller excludes liability for any damage caused to the Data Subject due to the inaccuracy, lack or change of the personal data (i.e. name, e-mail address) provided by the Data Subject during the use of the services provided by the Data Controller or due to the inability of the Data Subject’s e-mail box to receive new messages.

The personal data of the Data Subject under the age of 16 may only be collected and processed with the consent of an adult person exercising parental supervision vis-à-vis such Data Subject. The Data Controller is unable to check whether the person giving the consent to the data processing (usually the legal representative) is solely authorized to give consents to the data processing, and the Data Controller cannot review the content of the parental consent either. The legal representative of Data Subject warrants that the consent to the data processing complies with applicable laws. In case of the use of services or webshop of the Data Controller by a Data Subject who is under the age of 16 the Data Controller assumes that the appropriate consent of the legal representative has been provided.

7. What is the legislation behind personal data protection? (legislative background)

The Data Controller especially took into consideration the following laws when creating this Notice: Regulation (EU) 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”), Act No. CXII. of 2011 on Information Self-Determination and Freedom of Information (“Info Act”), Act No. V. of 2013 on the Civil Code (the “Civil Code”), Act No. CVIII. of 2001 on E-commerce Services (“E-commerce Act”), Act No. XLVIII. of 2008 on Advertising Activity (“Advertising Act”).

 

  • II. ABOUT THE DATA PROCESSING
  1. FOR TICKET PURCHASERS:

II.1.1. Description and purpose of data processing: By purchasing a ticket or gift voucher, a contract for sale will be concluded between the Data Subject and the Data Controller.

For the purposes of performing the contract, in particular for issuing the ticket or the gift voucher and the invoice, possible delivery of the ticket and getting into contact for providing information when changes occur in relation to ticket or to the event, in line with our terms and conditions for ticket refund.

We may also inform you by e-mail about our parking spaces, directions and the Organiser's requirements (e.g. bag size).

Legal basis of data processing: Article 6(1)(b) of the GDPR – the processing of personal data related to sale of tickets is necessary for the performance of a contract.

Scope of the processed data and their source: When purchasing tickets in our online shop, the following information must be provided: title, name, address, email address, telephone number, and the selected payment method (credit card, PayPal, EPS online transfer, Apple Pay, Google Pay, Tink). Possible consequences of failure to provide the above data: failure to complete the ticket purchase.

 

We do not pass on your data to external payment service providers; instead, it must be entered by the purchaser. The payment service providers process this data as independent controllers.

 

Possible consequences of not providing the above data: failure to purchase a ticket.

Period of data processing: Data processed for the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the date of the event, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings.

Technical operation of the framework system: CTS EVENTIM AG & Co. KGaA

Data processor and its processing activity: Delivery: GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (seat: 2351 Alsónémedi, Európa u. 2.; contact information: info@gls-hungary.com; phone number: +36 1 802 0265; https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat), United Parcel Service Deutschland S.à r.l. & Co. OHG (seat: Görlitzer Straße 1, 41460 Neuss, Germany), Deutsche Post AG (seat: Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany; contact information: +49 228 18 20; https://www.deutschepost.de/de/f/footer/datenschutz.html). Online payment: KPS Interactive Media GmbH & Co. KG (seat: Contrescarpe 75A, 28195 Bremen, Germany; contact information: phone number: +49 421 36 66 05; Fax: +49 421 36 66 505; e-mail: heike.luedicke@kps.de).

 When you select the button “Credit card | Click to Pay | Apple Pay | Google Pay”, your email address (and, if applicable, other technical data such as your IP address and browser information) provided during the ordering process is automatically transmitted to VISA when the payment dialog is opened in order to check whether an existing Click to Pay account exists for your details. This also happens if you select another payment method within this option (e.g., Apple Pay, Google Pay, or classic credit card payment) later on. Details can be found in section 7.6.1.

If you purchase a ticket for a third party, we will process the personal data you provide about the third party for personalization purposes and, if necessary, to send the ticket to them. Please ensure that the third party has been informed about the data processing and that you are authorized to provide their data.

We store your purchases and all related transactions until the expiry of the statutory retention periods.

 

Legal basis:

Art. 6 (1) (b) GDPR (contract initiation and fulfillment) for the actual payment process; Art. 6 (1) (f) GDPR (legitimate interest) simplification of the payment process through possible automatic card display

 

VISA Click to Pay

You have the option of processing your payment using VISA Click to Pay. When you select the “Credit card | Click to Pay | Apple Pay | Google Pay” button, a check is performed to see whether a Click to Pay account exists for the email address you provided during the ordering process (as well as your phone number and technical data such as IP address and browser information, if applicable).

If you choose to pay using VISA Click to Pay, you enter your payment details directly with VISA. We only receive the information necessary for contract processing from VISA (e.g., name, email address, billing and, if applicable, delivery address, and confirmation of payment).

VISA processes this data on its own responsibility as an independent controller.

Further information can be found in VISA's privacy policy at https://www.visaeurope.at/legal/visa-globale-datenschutzmitteilung.html.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract initiation and fulfillment)

PayPal Express

You have the option of processing your payment via PayPal Express. In this case, you enter your payment details directly with PayPal. We only receive the information necessary for contract processing from PayPal (name, email address, billing address and, if applicable, delivery address, as well as confirmation of payment). PayPal processes this data on its own responsibility as an independent controller.

Further information can be found in PayPal's privacy policy at https://www.paypal.com/at/legalhub/paypal/privacy-full.

Legal basis: Art. 6 (1) (b) GDPR (contract initiation and fulfillment)

II.1.1. Description and purpose of data processing: Fulfilling tax and accounting obligations related to ticket and gift voucher sales.

Legal basis of data processing: Article 6(1)(c) of the GDPR – processing is necessary for compliance with a legal obligation. The processing of invoicing-related data is in compliance with the legal obligation pursuant to Article 6(1)(c) of the GDPR. In case of data necessary for the fulfilment of taxation obligations, Act CL of 2019 on the order of taxation Section 78 (3) and 202 (1) shall apply. If the data are necessary for the fulfilment of the accounting obligations, Act C of 2000 on accounting sections 168-169 shall apply.

Scope of the processed data and their source: From the data indicated in the previous point: address, billing name and address (if different from the address), name of the event, total amount of the purchase.

Data processing is mandatory.

Period of data processing: If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years.

II.1.2. Description and purpose of data processing: In case of wheelchair users, personal data related to the reduced mobility and health condition will also be collected for the purpose of assessing and managing the specific needs of wheelchair users.

Wheelchair users can enquire and purchase wheelchair and accompanying tickets directly from customer service at info@eventim.hu, where the personal data will be manually entered into the system.

Legal basis of data processing: Article 6 (1) (a) and Art. 9 (2) (a) of the GDPR – consent.

II.1.3. Description and purpose of data processing: Ticket return insurance

For certain events, the Data Controller may allow the Data Subject to take out a Ticket return Insurance. In this case, the data is processed by Eventim for the purpose of concluding the insurance contract and transmitted to the Insurer for this purpose.

Legal basis of data processing: Article 6 (1)(b) of the GDPR – it is necessary for the preparation and performance of a contract to which the data subject is a party.

Scope of the processed data and their source: Data required for concluding the insurance contract: the following data provided by the ticket purchaser as the insurance user: name and e-mail address, date of purchase. Possible consequences of not providing the data: cancellation of the insurance contract.

Period of data processing: Data processed for the purpose of concluding the insurance contract will be retained for a general limitation period of 5 years from the date of taking out the insurance, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. For accounting purposes, in accordance with Section 169 of Act C of 2000 on accounting, the retention period is 8 years.

Data processor and its processing activity: Data will be transferred to the Insurance Company acting as Data Controller, which concludes and performs the insurance contract and which processes the personal data in accordance with its Privacy Policy provided below: AWP P&C S.A., Hungarian Branch, Könyves Kálmán körút 48-52, 1087 Budapest, Hungary, Phone: +36 30 649 4040, E-mail: ugyfelszolgalat@mondial-assistance.at

II.1.4. Description and purpose of data processing: Data processing related to ticket refund due to cancellation of the event

In certain cases (primarily in case of event cancellation), it is possible to return the tickets purchased, subject to the conditions of the event organiser, after prior verification of the data related to the purchased ticket. The purpose of the processing is to refund the ticket price to the purchaser or ticket holder.

Legal basis of data processing: Article 6 (1) (b) of the GDPR – the processing of personal data related to sale of tickets is necessary for the performance of a contract (or for refund of the tickets in the event of cancellation).

Scope of the processed data and their source: Data processed for identification purposes for refund: first and last name of the ticket purchaser, e-mail address, date of ticket purchase, order number or other unique identifier of the ticket purchased and the number of tickets. Bank card details required for refund of the ticket price: name of the cardholder, bank account number to be used for crediting, expiry date of the bank card, name of the bank holding the account, IBAN and Swift code if necessary.

Period of data processing: Data processed for the purpose of enforcement of claims and rights will be retained for a general limitation period of 5 years from the (planned) date of the event, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings. If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years.

Data processor and its processing activity: Microsoft Forms is the platform for filling the form for ticket refund (https://support.microsoft.com/en-gb/office/security-and-privacy-in-microsoft-forms-7e57f9ba-4aeb-4b1b-9e21-b75318532cd9). Payment service providers to be used to refund the ticket price: KPS Wallet (VUNKERS IT EXPERTS, S.L.U., https://www.vunkers.com/politica-de-privacidad/), Raiffeisen Bank Zrt. (registered office: 1133 Budapest, Váci út 116-118.) or Unicredit Bank Hungary Zrt. (registered office: 1054 Budapest, Szabadság tér 5-6) - if the data required to execute the bank card credit are not available.

II.1.5. Description and purpose of data processing: Customer surveys

In order to continuously improve its products and services and to adapt them to the needs of ticket buyers, the Data Controller may ask its customers to participate in customer surveys and to provide feedback on the products and services sold and provided by the Data Controller and its partners. In doing so, the Data Controller uses the information provided by the Data Subject during the purchase process to contact them. Survey data will be anonymised.

Legal basis of data processing: Article 6(1) (f) of the GDPR – the processing of data is based on the legitimate interest of the Data Controller or third party in developing products and services.

Scope of the processed data and their source: Data provided by the Data Subject as ticket purchaser when purchasing a ticket (name, address, e-mail).

Period of data processing: 5 years from the date of ticket purchase.

 

II.1.6. Favourites management/personalised content

Our website allows you to express your interests by "liking" various categories such as artists, venues, main categories (e.g. concerts, culture, etc.) and locations. We use these favourites to show you content that may be of interest to you.

When you visit our website or use our app, we collect data such as your IP address with your consent. We combine this data with information that you provide to us during the purchase process or when you register for our newsletter. In this way, we create pseudonymised user profiles and target group segments that help us to show or send you more personalised and interesting content on our websites, in the app, in the newsletter and in other communication channels (such as online advertising on third-party sites).

We process information about your visit history and search behaviour on our website and in the app, order and shopping cart data, personal settings such as favourites and ticket alerts, and geolocation information. We also process browser and device information and pseudonymised IDs such as cookie IDs, mobile ad identifiers and hash values from email addresses and customer numbers.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

 

  2. FOR WEBSITE ACCOUNT HOLDERS AND REGISTRATION:

 

II.2.1. Description and purpose of data processing: The purpose of data processing is the registration on the Website and the creation of a user account.

Legal basis of data processing: Article 6 (1)(a) of the GDPR - Processing of personal data related to the registration is based on consent. Possible consequences of failure to provide data: registration is not possible. You can reset the password at any time if you forget it.

Scope of the processed data and their source: During the registration, for the purpose of creating a user account, the user shall provide his or her e-mail address and a password. During the registration, the date of the registration and the IP address at the time of registration will also be collected. If the registration is created with a Facebook profile, data processing pursuant to point II.6 of this Notice is also carried out. The following data must be provided when registering: title, name, address, email address and telephone number. You can voluntarily provide your company name, mobile phone number and date of birth. You can edit the data you have provided in My EVENTIM at any time.

Period of data processing: Personal data related to registration will be processed until the termination of registration, but at latest within the general limitation period of five (5) years after the last order for the enforcement of claims and rights. In case of enforcing the rights and legitimate claims after the termination of the registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be kept until the final conclusion of these proceedings.

We generate a customer number that is also linked to your customer account. You can log in to our web shop at any time using your login details. With your customer account, you can purchase tickets and find out about upcoming events and leisure activities, for example.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract initiation and fulfilment)

Registration and login (Keycloak)

You can register and create a customer account in our web shop or via our mobile app. This allows you to purchase tickets, save events and artists as favourites, find out about upcoming events, participate in exclusive pre-sales and manage your newsletter settings.

Registration is carried out via a central authentication system (Keycloak). Authentication is carried out by default using your email address and a password of your choice. The following information is required when registering: title, name, address, email address and telephone number. You can voluntarily provide additional information such as your date of birth, company or mobile number. A customer number is also generated and assigned to your account.

Instead of a traditional registration, you also have the option of logging in via an existing social media account (e.g. Facebook) (single sign-on). This gives us access to your profile data stored with this provider (public information, first name, last name, email address). The data is transferred on the basis of your consent during the respective login process.

You can activate a permanent login using the ‘stay logged in’ function. This involves storing a cookie on your device that keeps you logged in on the same device for up to six months. This option is voluntary and requires your express consent. For security-related actions – such as purchasing/downloading tickets or changing contact details – additional authentication by reentering your password is required.

You can view and edit your login details and personal information at any time in the ‘My Eventim’ area.

Legal basis:

Art. 6 para. 1 lit. a GDPR (consent) – for permanent login (‘stay logged in’ function) and the transfer of personal data when logging in via social media providers.

Art. 6 para. 1 lit. b GDPR (contract initiation and fulfilment) – creation and use of the customer account.

Art. 6 para. 1 lit. f GDPR (legitimate interest) – to safeguard our legitimate interest in secure, user-friendly authentication and efficient management and support of customer accounts.

Data processor and its processing activity: System operator: CTS EVENTIM AG & Co. KGaA. Hosting provider: CTS EVENTIM Solutions GmbH, registered seat: Contrescarpe 75 A, 28195 Bremen, Germany, e-mail: info@eventim.de

 

II.2.2. Description and purpose of data processing: The purpose of profiling is to carry out market research, including customer analysis, customer segmentation and running statistics. Furthermore, the Data Controller can use this information to identify the preferences and interests of the Data Subject, to tailor the experience of the Website for the Data Subject and to optimize the service.

Legal basis of data processing: Article 6 (1)(f) of the GDPR – legitimate interest. The Data Controller has a legitimate business and economic interest in knowing the opinion of the users about the Website, the users’ purchases and habits via the Website, their preferences and other personal characteristics related to the services, in order to develop the system in a way which meets the users’ expectations and answers real market needs.

Scope of the processed data and their source: If the Data Subject creates a user account or identifies him/herself for the Data Controller in another way (for instance purchasing a ticket on the Website), it is possible that the Data Controller connects all data collected in relation to the Data Subject, like the data collected when the Data Subject browsed the Website, newsletter tracking data, names, e-mail address, phone number, postal address, Facebook profile data, Google account information, demographic data related to the Data Subject, information on the interests and preferences of the Data Subject, online and offline transaction information, and any contact made with customer service.

Period of data processing: Personal data related to registration shall be processed until the termination of the registration, but at latest within a general limitation period of five (5) years from the last order for the purpose of enforcing the claim and right. In case of enforcing the rights and legitimate claims after the termination of the registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be kept until the final conclusion of these proceedings. The Data Subject is entitled to object to the profiling at any time. In such case, the Data Controller may not control the personal data for such purpose.

Data processor and its processing activity: Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04E5W5, Ireland)

 

  3. FOR THE WEBSITE VISITORS:

 

II.3.1. Data processing when using our website

Informational use of the website

When you use the website for informational purposes only, we only collect the personal data that your browser transmits to our server (server log files). When you visit our website, we collect the data that is technically necessary for us to display our website to you and to ensure stability and security:

IP address

Date and time of the request

Time zone difference to Coordinated Universal Time (UTC)

Content of the request (specific page)

Access status/HTTP status code

Website from which the request originates

Browser

Operating system and its interface

Language and version of the browser software

This data is not merged with personal data sources. We reserve the right to check this data retrospectively if we become aware of specific indications of illegal use and to pass the data on to the law enforcement authorities in the event of a hack attack. No further disclosure to third parties will be made.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)

II.3.2. Cookies

Cookies store a unique identifier of the computer or device and profile information. Cookies are not capable of identifying the visitors of the Websites; however, they are capable of identifying and recognizing the device used by the visitor when visiting the Websites. These cookies may be placed on the computer or device used by the visitor while visiting the Websites.
When you visit our website, cookies are stored on your device. Cookies are small text files that are assigned to the browser you are using and stored on your hard drive. They enable us or third-party providers to collect certain information. Cookies cannot execute programs or transfer viruses to your computer.

The information contained in the cookies is used, for example, to determine whether you are logged in, what data you have already entered, or to recognise you as a user when a connection between our web server and your browser is established.

We distinguish between technical cookies, which are used exclusively to ensure the operation of a website, and cookies that require consent, which are set by us or third-party providers for the purposes of statistical analysis, tracking or advertising/marketing.

CTS Eventim Hungary Kft. participates in the IAB Europe Transparency & Consent Framework (TCF) Version 2.2 and complies with its specifications and guidelines. We use a Consent Management Platform (CMP) with the identification number 31 for this purpose. The TCF records the consents you have given in the form of a so-called TC string and passes them on to participating third-party providers (vendors) so that they can take your consent decisions into account.

Further information on the CMP can be found in section 12 Consent Management of this privacy policy.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest; for technical cookies), Art. 6 para. 1 lit. a GDPR (consent; for all other cookies)

Data processing for Google services

 

We use services provided by Google Ireland Limited ("Google"), a company registered and operating under Irish law with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland, on our website.

Further information can be found in Google's privacy policy at https://policies.google.com/privacy?hl=de.

The integration of Google leads to the reloading of additional Google services on our website, such as Google DoubleClick, Google APIs, Google Video, Google Photos, Google Static and Google Fonts.

Google Hosted Libraries

We use the Google Hosted Libraries Content Delivery Network (CDN) on our website.

The CDN service allows web content such as JavaScript libraries to be delivered quickly and securely. Proxy servers store the files locally, thereby improving access speed during download. Using the Google Hosted Libraries CDN helps us to optimise the loading speed of our website.

The CDN service processes the IP address of visitors to our website. According to Google, the IP address is only used to deliver and secure the files and is not merged with other Google services.

For more information on terms of use and data protection, please visit https://developers.google.com/speed/libraries/terms?hl=de

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)

Google AdSense

Our website uses Google AdSense, a service for integrating advertising. Google AdSense enables us to generate revenue by placing advertisements on our website. The advertisements are automatically selected by Google based on the content of our website and the interests of visitors.

When you use Google AdSense, various data is collected, including cookies, web beacons and usage data. Web beacons are invisible graphics that also collect information about how you use our website. Usage data includes information about the web pages you visit, the ads you click on, your IP address, your browser type and your language settings.

The collected data is used to measure the effectiveness of advertisements, optimise ad content and compile reports on website activity. This information may also be combined with other data that Google has collected about you.

You can prevent these cookies from being stored on your PC by adjusting your Internet browser settings accordingly. However, this may mean that you will no longer be able to use the content of this website to the same extent. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

Google Ads Conversion Tracking

This website uses Google Conversion Tracking. Google Ads places a cookie on your computer if you have reached our website via a Google ad. These cookies expire after 30 days and are not used for personal identification. The information collected using the conversion cookie is used to compile conversion statistics for us. We learn the total number of users who clicked on our ad and were redirected to our page with a conversion tracking tag. However, we do not receive any information that can be used to personally identify users. If you do not wish to participate in the tracking process, you can also refuse the necessary cookie by changing your browser settings to disable the automatic setting of cookies in general. You can also disable cookies for conversion tracking by setting your browser to block cookies from the domain "www.googleadservices.com".

If you use SSL search, Google's encrypted search function, the search terms are usually not sent as part of the URL in the referral URL. However, there are some exceptions to this, for example if you use certain less common browsers. For more information about SSL search, please visit: https://support.google.com/websearch/answer/173733?hl=de.

Search queries or information in the referrer URL may also be viewed via Google Analytics or an Application Programming Interface (API). In addition, advertisers may receive information about the exact search terms that triggered a click on an ad.

For more details, please refer to Google's FAQ: https://policies.google.com/faq?hl=en

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

Google Ads Customer Match

We also use the Google Customer Match feature as part of Google Ads. This involves us transferring certain information, such as your email address, to Google in order to display personalised advertising to you in Google Search, YouTube, your Gmail inbox and the Google Display Network.

Google compares the information provided with its own user accounts in order to display suitable ads for existing or similar target groups (so-called custom audiences). The data transmitted is encrypted by Google and is not stored permanently.

Customer Match is only used if you have previously consented to the processing of your personal data for marketing purposes by Google via our cookie banner.

Further information about Google Customer Match can be found at: https://support.google.com/google-ads/answer/6379332?hl=en

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

Google Analytics

We use Google Analytics on our website, a tool that helps us understand how our website is used. With Google Analytics, we can see how many people visit our site and how long they stay.

This website uses the "IP anonymisation" function (i.e. Google Analytics has been extended by the code "gat._anonymizeIp();" to ensure anonymous collection of IP addresses (so-called IP masking)). This means that your IP address will be truncated by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the United States and truncated there.

Google uses the information collected to analyse your use of the website, to compile reports on website activity and to provide other services relating to website activity.

Your IP address transmitted by your browser to Google Analytics will not be merged with other data from Google. However, Google may transfer this information to third parties if required by law or if third parties process this data on behalf of Google.

You can prevent cookies from being stored on your computer by selecting the appropriate settings in your browser. However, please note that in this case you may not be able to use all the functions of our website to their full extent.

Further information on terms of use and data protection can be found at https://www.google.com/analytics/terms/de.html or at https://support.google.com/analytics/answer/6004245?hl=en.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

Google Signals

Google Signals may be used on our website as an extension to Google Analytics to create cross-device reports. If you have enabled the "personalised ads" feature and your devices are linked to your Google account, Google may analyse your usage behaviour across devices and create database models, including cross-device conversions, subject to your consent to the use of Google Analytics in accordance with Art. 6 para. 1 lit. a GDPR. We do not receive any personal data from Google, only statistics.

If you wish to stop cross-device analysis, you can disable the "Personalised advertising" feature in your Google account settings. To do this, please follow the instructions on this page:

https://support.google.com/ads/answer/2662922?hl=en.

Further information about Google Signals can be found at the following link: https://support.google.com/analytics/answer/7532985?hl=en.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

Google Doubleclick

The website uses the online marketing tool DoubleClick. The Google advertising network and certain Google services may be used to support AdWords customers and publishers in placing and managing ads on the web. DoubleClick uses cookies to serve ads relevant to users, improve campaign performance reports, or prevent a user from seeing the same ads multiple times. Google uses a cookie ID to record which ads are displayed in which browser and can thus prevent them from being displayed multiple times. In addition, DoubleClick can use cookie IDs to record so-called conversions that are related to ad requests. This is the case, for example, when a user sees a DoubleClick ad and later visits the advertiser's website with the same browser and makes a purchase there. According to Google, DoubleClick cookies do not contain any personal information. Due to the marketing tools used, your browser automatically establishes a direct connection to Google's server. We have no influence on the scope and further use of the data collected by Google through the use of this tool and therefore inform you according to our level of knowledge: Through the integration of DoubleClick, Google receives information that you have accessed the corresponding part of our website or clicked on one of our advertisements. If you are registered with a Google service, Google can associate the visit with your account. Even if you are not registered with Google or have not logged in, it is possible that the provider may obtain and store your IP address.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

Google

We use Google Maps on this website. This allows us to display interactive maps directly on the website and enables you to conveniently use the map function. When you visit the website, Google receives information that you have accessed the corresponding subpage of our website. In addition, the data already mentioned under "Informative use of the website" is transmitted. This occurs regardless of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be directly associated with your account. If you do not want your data to be associated with your Google profile, you must log out before activating the button. Google stores your data as usage profiles and uses them for advertising, market research and/or the needs-based design of its website. Such evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right. Further information on the purpose and scope of data collection and its processing by the plug-in provider can be found in the provider's privacy policy.

The integration of Google Maps leads to the reloading of other Google services on our website, such as Google Static, Google APIs and Google Fonts.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

Google Photos

For a user-friendly experience, we use the cloud-based storage service Google Photos. When you access images on our website, your browser establishes a connection to Google's servers. For this purpose, your IP address is transmitted to Google. In order to display the images correctly, the necessary pages are loaded into your browser cache.

You can find more detailed information here: https://www.google.com/photos/

You can find the privacy policy and terms of use here: https://policies.google.com/

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

Google reCAPTCHA

We use the Google service reCAPTCHA to determine whether a human or a computer is making a particular entry in our contact or newsletter form. Google uses the following data to check whether you are a human or a computer: IP address of the device used, the website you visit on our site and on which the Captcha is integrated, the date and duration of the visit, the recognition data of the browser and operating system type used, Google account if you are logged in to Google, mouse movements on the reCAPTCHA fields, and tasks in which you must identify images.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)

More detailed information is available here: https://cloud.google.com/security/products/recaptcha

Google Tag Manager

We use Google Tag Manager to recognise your user behaviour. Google Tag Manager is a solution that allows marketers to manage website tags via an interface. The tool itself processes the following personal data: IP address of the user. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. Google Tag Manager can set cookies, at least in the administrator's preview and debug mode, but also outside of this mode. If deactivation has been carried out at domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager.

For more detailed information, please visit: https://www.google.com/intl/de/tagmanager/faq.html.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)

Data processing when using LinkedIn

Our website uses functions of the social media network LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Dublin.

Each time you visit one of our web pages that contains LinkedIn functions, a connection to LinkedIn servers is established. LinkedIn is informed that you have visited our website with your IP address. If you click on the LinkedIn buttons and are logged into your LinkedIn account, LinkedIn is able to associate your visit to our website with you and your user account. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the data transmitted or its use by LinkedIn.

Further information can be found in LinkedIn's privacy policy at: https://www.linkedin.com/legal/privacy-policy.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

LinkedIn Insight Tag/Analytics

The LinkedIn Insight Tag enables the collection of data about visits to our website, including URL, referrer URL, IP address, device and browser characteristics, timestamps and page views. This data is encrypted, anonymised within seven days and the anonymised data is deleted within 90 days. LinkedIn does not share any personal data with us, but only provides aggregated reports on the website audience and ad performance.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

LinkedIn Ads

Our website uses the LinkedIn Ads retargeting service for website visitors so that we can use this data to display targeted advertising outside our website without identifying the member.

LinkedIn members can control the use of their personal data for advertising purposes in their account settings. Non-members can manage LinkedIn Ads on the following website: https://www.linkedin.com/help/linkedin/answer/a1342443.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

OTHER COOKIES

1. Akamai

We use the services of the provider Akamai Technologies GmbH, Parkring 20-22, 85748 Garching, Germany, to identify and defend against threats (bot defence, DDoS attacks) and to increase the loading speed of our website. Akamai processes the IP address of your device. Akamai uses this information to prevent technical threats to our website and to ensure high availability of our website.

Further information can be found in Akamai's privacy policy at https://www.akamai.com/legal.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)

2. Consent management

In order to obtain consent for the use of cookies and services requiring consent on our website in accordance with data protection regulations, we use the tool provided by the consent manager provider consentmanager AB, Håltegelvägen 1b, 72348 Västerås, Sweden, website www.consentmanager.de.

The consent tool collects, logs and stores the settings of the website visitor. In order to ensure that the selected settings can be clearly assigned to the respective website visitor, certain user information (including the IP address) is collected, transmitted and stored by the consent tool.

For further information, please refer to the privacy policy of consentmanager AB: https://www.consentmanager.de/datenschutz/

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)

3. Meta Pixel

Our website uses the so-called Meta Pixel, provided by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, to analyse and optimise advertisements on our online offering.

Meta Ireland can use pixels to identify website visitors as a target group for displaying advertisements (known as Meta Ads). Accordingly, we use them to display the ads we place on Meta platforms (Facebook and Instagram) only to those Meta Ireland users who have also shown an interest in our online offering or who have certain characteristics (e.g. interest in certain artists or events, which are determined based on the websites visited) that we transmit to Meta Ireland (so-called "custom audiences"). This is to ensure that our ads are relevant to the user's interests and are not annoying. With the help of pixels, we can also track the effectiveness of Meta ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Meta ad (so-called "conversion").

Your actions are stored in one or more cookies. These cookies enable Meta Ireland to match your user data (such as your IP address and user ID) with the data in your Meta account. The data collected is anonymous to us and cannot be viewed by us and is only used for advertising purposes. If you wish to prevent the link to your Meta account, you can log out before taking any action.

For more information, please refer to the data policy of Facebook/Meta Ireland at https://de-de.facebook.com/policy.php.

Specific information about Facebook pixels can be found at https://de-de.facebook.com/business/help/651294705016616.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

4. Microsoft Advertising (formerly Bing Ads)

We use Microsoft Advertising on our website, a service provided by Microsoft Ireland Operations Limited ("Microsoft"), a company registered and operating under Irish law with its registered office at One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

Microsoft Advertising (formerly Bing Ads) enables us to place targeted ads in Bing search results and other Microsoft websites to reach potential customers. Microsoft Advertising uses various technologies, including cookies and web beacons, to collect data about user behaviour and measure the effectiveness of advertising campaigns.

When using Microsoft Advertising, personal data such as IP addresses, browser information, search queries, device types and click behaviour may be collected and processed. This data is used to deliver personalised ads to users who may be interested in our products or services. Microsoft Advertising does not allow us to collect directly identifiable information such as user names or addresses.

For further information, please refer to Microsoft's privacy policy at https://privacy.microsoft.com/de-de/privacystatement.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

5. Fastly CDN

We use the Content Delivery Network ("CDN") of the service provider Fastly Inc., 475 Brannan St. #300, San Francisco, CA 94107, USA ("Fastly") on our website. A Content Delivery Network is an online service that is used to deliver large media files (e.g. graphics, page content or scripts) via a network of regionally distributed servers connected via the Internet. Using Fastly's Content Delivery Network helps us to optimise the loading speed of our website.

For more information, please refer to Fastly's privacy policy at https://www.fastly.com/de/privacy/.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)

6. Jotform

We use Jotform, a service provided by Jotform Ltd. 6 Albert Mews, Albert Road, London, United Kingdom, N4 3RD, to collect and process personal data on our website via forms. Jotform is an online form generator that allows us to create and manage forms for collecting data. Through the use of Jotform, personal data such as name, email address, telephone number and other information may be collected.

Further information on data processing by Jotform can be found in Jotform's privacy policy: https://www.jotform.com/privacy/.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

7. iTunes Link Maker

We use the iTunes Link Maker service provided by Apple Inc., 1, Cupertino, CA, 95014, USA (hereinafter "Apple") on our website. With the help of iTunes Link Maker, we can link audio samples to iTunes. This allows you to get a feel for events and artists by listening to excerpts from selected music tracks.

A JavaScript code from Apple is embedded on our website for the use of Apple Link Maker. If you have JavaScript enabled in your browser and have not installed a JavaScript blocker, your browser may transmit personal data to iTunes Link Maker. The integration of Apple leads to the reloading of Apple Music APIs.

By using this service, personal data is transferred to the USA or such transfer cannot be ruled out! For more information, please refer to the "7.3" section of this statement.

Further information on data use by Apple can be found here: https://www.apple.com/legal/privacy/de-ww/.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)

8. Mixpanel

We use the Mixpanel analysis service provided by Mixpanel Inc. (San Francisco, CA 94107, USA) on our website. Mixpanel enables us to analyse user behaviour on our website in order to continuously improve our services. For this purpose, cookies are used to analyse how visitors use the website.

Further information on data use by Mixpanel can be found in Mixpanel's privacy policy: https://mixpanel.com/legal/privacy-policy.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

9. New Relic

We have integrated the website analysis service New Relic, provided by New Relic Inc., 188 Spear Street, Suite 1200, San Francisco, CA 94105, USA, into our website. This enables us to improve the performance of our website by recording and evaluating the loading speed of the website.

When using this service, cookies are set which result in a connection being established between the website user's browser and New Relic's servers when our website is accessed. This enables New Relic to recognise that a website user has accessed the website. In this context, personal data such as the IP address is transmitted to New Relic.

For more information, please refer to New Relic's privacy policy at https://newrelic.com/termsandconditions/services-notices.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

10. Sentry

Our website uses the error management tool "Sentry" from Sentry Inc., 132 Hawthorne St., San Francisco, USA. The Sentry service enables analysis of program errors and the stability of web, mobile and server applications. The event and metadata stored by Sentry are deleted after 90 days by default.

Further information can be found in Sentry's privacy policy: https://sentry.io/privacy/.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)

11. Sleeknote

We use Sleeknote, a tool from Sleeknote ApS, Søren Frichs Vej 42B, 8230 Åbyhøj, Denmark. Sleeknote enables us to display pop-ups on our website to highlight additional options or marketing campaigns and improve the user experience.

In addition to the technically necessary cookies (_sn_n and SNS), analysis and marketing cookies (_sn_a and _sn_m) are also set with your consent. These collect information about the use of pop-ups and visitor behavior and are used for statistical analysis and optimization of our pop-ups as well as for improving our marketing measures. Data such as interactions with the pop-ups, browser used, device type, or language settings may be processed. Individual users are not identified; the evaluation serves exclusively to improve our offerings and target our communications.

Further information can be found in Sleeknote's privacy policy at https://www.sleeknote.com/privacy-policy.

Legal basis: Art. 6 (1) (a) GDPR (consent)

12. Stay 22

We cooperate with the affiliate network of the service provider Stay 22, Technologies Inc., 917 Mont-Royal Ave E. Montreal QC H2J 1X3, Canada, and use a hotel map plugin from this provider on our website. If you follow the affiliate links contained in the hotel map and subsequently take advantage of the offers, we may receive an affiliate commission from Stay22. In order to track whether you have taken advantage of the offers, it is necessary for the third-party provider to know that you have followed an affiliate link used on our website. We use cookies or similar recognition technologies for this purpose.

For more information, please refer to Stay 22's privacy policy at https://www.stay22.com/privacy.

The integration of Stay22 leads to the reloading of Stadia Maps, a service provided by Stadia Maps, Ltd. Co., 6650 Rivers Ave, Charleston, South Carolina 29406, USA, on our website. In order to use the functions of Stay 22 via Stadia Maps, it is necessary to collect your IP address.

By using this service, personal data is transferred to the USA or such transfer cannot be ruled out! For more information, please refer to section 7.3 of this statement.

For more information, please refer to the English privacy policy of Stadia Maps: https://stadiamaps.com/privacy/.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

13. TikTok Pixel

We use TikTok Pixel, provided by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, to analyse the behaviour of visitors to our website and to optimise our advertising campaigns on TikTok. TikTok Pixel collects data about ads that users have clicked on or actions taken on the website. This data includes the time of the actions, the IP address to determine the geographical location, information about the user's device and browser, and cookies to measure, optimise and target advertising campaigns. Both first-party and third-party cookies are used for this purpose. In addition, page metadata, structured microdata, page performance data and clicks on buttons are collected.

The data collected by TikTok Pixel helps us measure and improve the effectiveness of our TikTok advertising campaigns. This information enables us to create custom audiences for personalised marketing measures and optimise ad delivery on TikTok. This allows us to ensure that our ads are shown to the most relevant audiences, which increases the likelihood of conversions.

As part of our TikTok advertising campaigns, we also use TikTok's Custom Audiences feature. In doing so, we transfer certain information, such as your email address, to TikTok Technology Limited. TikTok matches the information provided with existing TikTok user accounts in order to display relevant ads to existing or similar target groups (so-called ‘Custom Audiences’). The data transmitted is processed in encrypted form and is not stored permanently.

TikTok Custom Audiences is only used if you have previously consented to the processing of your personal data for marketing purposes by TikTok via our cookie banner.

The use of this service cannot exclude the transfer of personal data to China! – For more information, please refer to section 7.3 of this declaration.

By consenting to the processing of (advertising and marketing) cookies, you expressly agree to the possible transfer of data to a third country. You can delete cookies stored on your PC at any time by deleting the temporary Internet files.

For further information, please refer to the data policy of TikTok Ireland at https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE.

Specific information about TikTok pixels can be found at https://ads.tiktok.com/help/article/using-cookies-with-tiktok-pixel.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

14. Vimeo

We use plugins from the provider Vimeo on our website. Vimeo is operated by Vimeo, LLC, headquartered at 555 West 18th Street, New York, New York 10011.

When you visit a website that has such a plugin, a connection to the Vimeo servers is established and the plugin is displayed. The Vimeo server is then informed which website you have visited. This information is assigned to your personal user account if you are logged in as a member of Vimeo. By clicking on the plugin, e.g. the play button at the beginning of a video, this information is also assigned to the respective user account. If you do not agree to this assignment, you can prevent it. To do so, please log out of your account before visiting our website and delete the corresponding cookies.

Further information on data processing and information on data protection by Vimeo can be found at https://vimeo.com/privacy.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

15. YouTube

We have integrated YouTube videos into our website, which are stored on http://www.YouTube.com. YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. YouTube uses cookies to collect data and analyse statistics. YouTube is informed which pages you visit. If you are logged in to YouTube, your data will be assigned directly to your account. YouTube uses your data for advertising and market research purposes.

The integration of YouTube leads to the reloading of Google services on our website, such as Google Doubleclick, Google APIs, Google Video, Google Photos, Google Static, Google Fonts and YouTubeAPIs (YouTube images).

Further information on data protection at YouTube can be found in the provider's privacy policy at: https://www.google.de/intl/de/policies/privacy/

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

16. acceleraid (ADTELLIGENCE)

To provide and optimize the search and filter function on our Easter campaign landing page, we use a tool from ADTELLIGENCE GmbH, Elisabethstraße 1, 68165 Mannheim, Germany. The service makes it possible to display content dynamically and improve user-friendliness. Certain interactions (e.g. the use of search or filter options) and technical information (e.g. device type, browser, date of visit) are evaluated pseudonymously. The IP address of website visitors is stored in abbreviated form (the last two blocks are removed). In addition, page views in the checkout process are analyzed in order to better understand the use of the campaign page. No changes are made to the content of the pages and no personal data (such as name or address) is processed. The processing takes place exclusively for the technical provision and optimization of the user interface. There is no processing for advertising or tracking purposes.

Further information can be found in the privacy policy of ADTELLIGENCE GmbH at: https://www.acceleraid.ai/datenschutz-mit-der-adtelligence-software




17. Mixpanel

We use the product analytics tool Mixpanel to analyse and improve the use of our websites and apps. Mixpanel Inc. supports us in better understanding user behaviour, replaying pseudonymised sessions, conducting A/B tests and feature experiments, connecting data with our internal systems, and analysing key figures in relation to business performance. The following information is processed using cookies and similar technologies:

- Technical data about your device and browser

- Usage interaction with the website and app (e.g., clicks, navigation, feature usage)

- Session flows and derived statistics

- Pseudonymised identifiers (e.g., hashed email address)

The processing is carried out exclusively on the basis of consent within the meaning of Art. 6 Para 1 Sentence 1 lit. a) GDPR. As Mixpanel is based in the USA, data is transferred there. An adequate level of protection is ensured by the partner’s certification under the EU-US Data Privacy Framework and additional technical and organisational measures. Further information can be found here: https://mixpanel.com/legal/privacy-policy/

You can prevent the collection of information by preventing the storage of cookies by selecting the appropriate settings in your browser software or by deactivating tracking in the cookie settings.

 

II.3.3. Data processing in the context of marketing measures

Joint controllers: We, CTS Eventim Hungary Kft. and Entertainment Digital GmbH, Hohe Bleichen 11, 20354 Hamburg, Germany (‘EDGE’), are jointly responsible for the processing of your personal data in the context of marketing measures on our websites, third-party websites and in social networks in accordance with Art. 26 GDPR.

Categories of personal data The following types of personal data are regularly processed under the joint controllership: Hashed email addresses, Information from (opt-in) marketing cookies, Location data, Mobile phone advertising identifiers, Data from ticket purchases (e.g. artist, venue, date of purchase)

Data subjects The following groups of people are affected by the data processing: Customers (ticket purchasers) of EVENTIM, Users of EVENTIM websites, apps, social media channels and newsletters

Collection of data subjects

Your personal data is primarily collected by CTS Eventim Hungary Kft. as soon as you use our websites or apps, register for our newsletter or carry out a transaction, such as a ticket purchase. CTS Eventim Hungary Kft. is responsible for ensuring compliance with all relevant data protection regulations and ensures that only the data required for the respective processing is collected. CTS Eventim Hungary Kft. is also the primary point of contact for your rights with regard to the collection of your data.

Data transfer to EDGE

If your data is required for marketing measures by EDGE, a controlled provision is made by CTS Eventim Hungary Kft. to EDGE. This transfer only takes place within the framework of the joint responsibility and in compliance with the contract concluded between the jointly responsible parties. CTS Eventim Hungary Kft. remains the primary point of contact for your rights in this step as well.

Data processing for targeting purposes

EDGE takes the data received and processes it for targeted marketing measures (‘targeting’). This includes adapting and segmenting the data for specific target groups on third-party websites and in social networks in order to display relevant content. EDGE is responsible for this step of the processing and is available to answer any questions you may have about this processing and to help you exercise your rights.

Evaluation of campaigns

The campaigns carried out are evaluated by EDGE, which checks the effectiveness of the marketing measures on the basis of the analysed data. EDGE is responsible for ensuring that the evaluation is carried out in compliance with data protection regulations and that the data is used only for the intended purpose. In this step, too, EDGE is the primary point of contact for your data subject rights.

Legal basis

The legal basis for the processing of your personal data in the context of marketing measures is your express consent in accordance with Art. 6 (1) point a GDPR. You give this consent by agreeing to the use of marketing and statistical cookies on our websites. The consent allows CTS Eventim Hungary Kft. and EDGE to process your personal data for marketing purposes, including targeted addressing, segmentation into specific target groups, and analysis and evaluation of marketing campaigns.

You have the option at any time to revoke your consent via the cookie settings with effect for the future.

Duration of storage

Your personal data will only be stored for as long as necessary for the purposes for which it was collected. In the case of marketing data, the data is generally stored for the duration of your consent. As soon as you revoke your consent via the cookie settings, the data concerned will be deleted or anonymised immediately, provided that this does not conflict with any statutory storage requirements.

Your rights

If we are obliged to fulfil the rights of data subjects (see 1.8), you can contact us, CTS Eventim Hungary Kft. (info@eventim.hu), as well as EDGE.

II.3.4. Description and purpose of data processing technical cookies: To ensure and provide the content related services on the Website and the services offered to be provided by the Data Controller on the Website (for instance to enable the Data Controller to filter the unlawful use or unlawful content from the Website).

Legal basis of data processing Article 6(1)(f) of the GDPR – legitimate interest. The legitimate interest: to ensure the provision of the service and to enable the Data Controller to filter the unlawful use or unlawful content from the Website.

Scope of the processed data and their source The cookies carry the unique identification number of the computer or device used for visiting the Website, the time and date of visiting the Website, the browsing time spent on the Website, the way of using the Website and the history of finding the Website.

Period of data processing Personal data is processed until the end of visiting the Website or until the objection.

 

  1. How can you disable placing cookies on your computer or device?


Website visitors can disable placing cookies on their computer or device through the appropriate browser settings. Further, the visitors of the Website can choose on the “Cookie settings/policies” site of the Website whether the functional, analytical, tracking or third party cookies may be enabled in the course of browsing the Website. These settings can be changed at any time on the “Cookie settings/policies” site.
However, it should be noted that disabling cookies on the computer or device may compromise the user experience; in such a case, the visitor of the Website may not be able to access certain elements of the Website in the same form as if the placing of cookies had been enabled.
When disabling functional cookies, the Website visitor does not allow among others that we send him or her reminders about the products placed in the shopping cart, or that the Websites remember his or her language preferences etc.
When disabling analytical cookies, the Website visitor does not allow among others that we analyse his or her activity on the Websites in order to display tailored content on the Website, or contact him or her with personalised offers at the contact points provided by him or her (if he or she provided such data, e.g. in the course of registration).
When disabling Google Ads tracking cookies, the Website visitor does not allow cookies to be placed on his computer in connection with advertisements, especially when clicking on advertisements.
When disabling third party cookies, the Website visitor does not allow that third parties, in particular social media sites (e.g. Facebook, Google+ or Twitter) place cookies on his or her computer or device used for visiting the Website.

 

Consent management

In order to obtain data protection-compliant consent for using cookies and services requiring consent on our website, we use the tool of the consent manager provider consentmanager AB, Håltegelvägen 1b, 72348 Västerås, Sweden, website: www.consentmanager.de.

The consent tool records, logs, and saves the website visitor's settings. To ensure that the selected settings can be clearly assigned to the respective website visitor, certain user information (including the IP address) is collected, transmitted, and stored by the consent tool.

For further information, please refer to the privacy policy of consentmanager AB: https://www.consentmanager.de/datenschutz/

Legal basis: Article 6 para. 1 point f of the GDPR (legitimate interest of the Data controller)

 

 

  1. 4. PROCESSING OF DATA RELATED TO SENDING NEWSLETTERS AND DIRECT MARKETING :

 

II.4.1. News & information subscription on all channels You have the option of subscribing to receive personalised information and offers via various channels.

For this purpose, we process your email address and telephone number as well as, if available, information from your customer account (e.g. previous purchases, interests).

To ensure that the registration actually comes from you, we use the double opt-in procedure. After registering, you will receive a confirmation email with a link. Only when you click on this confirmation link will your registration be activated and your data added to the distribution list. This ensures that no one can use your data without your consent and that you have expressly agreed to receive the information.

If you have consented to receiving personalised information via various channels, we also use third-party services such as Meta, Google, TikTok or similar platforms to display advertising. To do this, we may use your email address or other characteristics (e.g. previous purchases, interests) to create target groups (custom audiences) and display content that matches your interests. Advertising via these platforms only takes place if you have additionally consented to the use of the relevant third-party services via our cookie banner. You can find more details in the sections on the external services used.

You can unsubscribe from receiving news and information on all channels at any time via the unsubscribe link in our messages or by sending an email to us (info@eventim.hu).

If you have a customer account, you can alternatively log in to ‘My EVENTIM’ with your user name to view and change your newsletter settings.

After you unsubscribe, we will no longer use your data to send you personalised information. If there is no business relationship between us and no legal retention obligations apply, your data will be deleted three weeks after you unsubscribe.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

Data processor and its processing activity For the purpose of sending newsletter and promotion e-mails: Optivo GmbH (seat: Wallstrasse 16, 10179 Berlin, Germany; contact information: +49 30 7680 780), Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, D04E5W5, Ireland), Facebook (Meta Ireland Platforms Limited, seat: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, contact for data protection issues: https://www.facebook.com/policy.php)

II.4.1.2   Newsletter subscription

 

You have the option of subscribing to various newsletters (category newsletter, B2B newsletter, offer mailings, info mailings). We process your email address for the purpose of sending these newsletters.

To ensure that the registration comes from you, we use the so-called double opt-in procedure. After registering, you will receive a confirmation email with a link. Only when you click on this confirmation link will your registration be activated and your address added to the mailing list. In this way, we ensure that no one uses your email address without your consent and that you have expressly agreed to receive the newsletter.

You can unsubscribe from the selected newsletter at any time by clicking on the unsubscribe link at the end of each newsletter or by sending an email to Eventim (info@eventim.hu). If you have a customer account, you can alternatively log in with your username at "My EVENTIM" to view and change your delivery settings. Here, too, you can unsubscribe from all newsletters at any time.

After you unsubscribe, we will no longer use your data to send you newsletters. If there is no business relationship between us and no legal retention obligations apply, your data will be deleted three weeks after you unsubscribe.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

 

 

II.4.2. Description and purpose of data processing  data processing for direct marketing purposes (individual offers)

Once the data subject has purchased a ticket, the controller may occasionally send individual emails or special offers for a specific group to the data subject about similar events, services and promotions (in some cases by post) and birthday emails. These emails are sent to the address provided at the time of ticket purchase.

Legal basis of data processing Article 6(1)(f) of the GDPR – the processing of data is based on the legitimate interest of the Data Controller or third party. The legitimate interest of the Data Controller is to inform Data Subjects about changes in products and services, to advertise the products and services and to carry out marketing activities.

Scope of the processed data and their source Data provided by the Data Subject when purchasing a ticket (name, e-mail, address).

Period of data processing From the date of purchase of the ticket until 5 years after the event, but no later than the date of the objection of the Data subjects concerned.

 

II.4.4 Shopping cart abandonment email

If you have started an order process in our web shop but have not completed it, we will send you a reminder email to the email address stored in your customer account. For this purpose, we process your data in order to identify uncompleted shopping carts. The following data is processed: email address, first name and surname. Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

II.4.5. Registration for ticket alerts

You have the option of subscribing to our ticket alert for artists of your choice. For this purpose, we process your email address.

To ensure that the registration comes from you, we use the double opt-in procedure. After registering, you will receive a confirmation email with a link. Only when you click on this confirmation link will your registration be activated and your address added to the mailing list. In this way, we ensure that no one uses your email address unintentionally and that your consent to receive the ticket alert is expressly given.

You can unsubscribe from the ticket alert at any time by clicking on the unsubscribe link in the respective email. If you have a customer account, you can log in to My EVENTIM with your username and view and change all your settings. Here you can unsubscribe from the ticket alert at any time. Once you have unsubscribed, we will no longer use your data to send you ticket alerts. If we have no business relationship with you and are not subject to any legal retention obligations, your data will be deleted after you unsubscribe from the ticket alert.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

II.4.6. Registration for ticket alerts & news

You have the option of registering for our ticket alerts and for personalised information and offers (news). The ticket alert informs you about artists you have selected individually. The news includes information about events, promotions, products and partner offers. For this purpose, we process your email address and telephone number as well as, if available, information from your customer account (e.g. previous purchases, interests).

To ensure that the registration actually comes from you, we use the double opt-in procedure. After registering, you will receive a confirmation email with a link. Only when you click on this confirmation link will your registration be activated and your data added to the distribution list. In this way, we ensure that no one uses your data unintentionally and that we have your express consent to send you the ticket alert and news.

If you have consented to receiving the ticket alert and news, we also use third-party services such as Meta, Google, TikTok or similar platforms to display advertising. To do this, we may use your email address or other characteristics (e.g. previous purchases, interests) to create target groups and display content that matches your interests. Advertising via these platforms will only take place if you have additionally consented to the use of the relevant third-party services via our cookie banner. You can find more details in the sections on the external services used.

You can unsubscribe from the ticket alert and news at any time using the unsubscribe link in the respective emails or by sending an email to us (info@eventim.hu).

If you have a customer account, you can alternatively log in with your user name at ‘My EVENTIM’ to view and change your settings. Here you can also unsubscribe from the ticket alert and/or news at any time.

Once you have unsubscribed, we will no longer use your data to send you ticket alerts or news. If we have no business relationship with you and there are no legal storage obligations, your data will be deleted three weeks after you unsubscribe.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

 

II.4.4. Description and purpose of data processing  Targeted online marketing ads via Facebook and Google

Identification of individual advertising audiences based on a customer list[1] and identification of "Other advertising audiences[2]"

Legal basis of data processing Based on the explicit consent of the data subject pursuant to Article 6(1)(a) of the GDPR.

Scope of the processed data and their source E-mail address of previous customers or registrants. Possible consequences of not providing data: ads cannot be displayed

Period of data processing The processing lasts until consent is withdrawn or at latest until the data/registration is deleted.  The data subject has the right to object to the processing at any time.

Data processor and its processing activity Facebook (Meta Ireland Platforms Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), privacy policy concerning data processing: www.facebook.com/legal/terms/dataprocessing; Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04E5W5, Ireland), privacy policy concerning data processing: https://www.google.com/analytics/terms/dpa/dataprocessingamendment_20200816.html

 

II.4.7. Description and purpose of data processing  Fan report

The Data Controller provides the opportunity for data subjects to share their opinions on the Website about the events they have participated in.

Legal basis of data processing Article 6 (1) (a) of the GDPR – consent. The data processing is based on the explicit consent of the data subject.

Scope of the processed data and their source e-mail address, name, text of the opinion. Possible consequences of non-providing data: the opinion cannot be published

Period of data processing If the Data Controller publishes the opinion as a report, the data processing period shall be 2 years from the date of publication of the opinion. If the opinion is not published, the Data Controller shall delete the data without delay.

 

From a comparison of the listed personal data, we draw conclusions regarding the consumption habits of the persons concerned, as well as their expected shopping preferences and interests. We use these conclusions in order to be able to develop offers tailored to the individual concerned, and to be able to send the offers to the appropriate target group.

Legal basis of data processing In the case of subscribing to the newsletter and alerts: Article 6 (1) (a) of the GDPR – consent. The data processing is based on the explicit consent of the data subject. In the case of individual offers, profiling is based on Article 6 (1) (f) of the GDPR – on the legitimate interest of the Data Controller or a third party.

Scope of the processed data and their source In the case of subscribing to the newsletter and alerts the data provided when subscribing to the newsletter and notifications

In the case of individual offers, the data provided when purchasing the ticket (name, address, e-mail address and, from the data of the purchases, the event to be visited with the purchased ticket) will be used for the individual offer. Possible consequences of not providing data: it is not possible to personalize offers.

Period of data processing In the case of subscribing to the newsletter and alerts, the data processing lasts until the consent is withdrawn, i.e. until unsubscription. In the case of a legitimate interest, until the Data Subject objects. The data subject has the right to object to profiling at any time. In case of an objection, the Data Controller may no longer process the personal data for this purpose.

 

  1. 5. FOR INQUIRERS, COMPLAINANTS:

II.5.1. Description and purpose of data processing Personal data are processed by the Data Controller with the aim of handling complaints, questions, comments and problems arising in connection with ordered products or services.
Legal basis of data processing Article 6(1)(c) – to comply with a legal obligation to which the Data Controller is subject, for feedback, opinions, questions: Article 6(1)(a) GDPR consent. The Data Controller allows the Data Subjects to make a complaint via email (info@eventim.hu) or by post at the address of 1139 Budapest, Váci út 91/A 3.em. The processing of personal data for the investigation, settlement and handling of complaints is the legitimate interest of the Data Controller and the data subjects, as the processing of such data is necessary for the enforcement of consumer protection and civil law rights and interests in connection with the purchase and use of services on the Website. In the course of complaint handling, the complainant shall provide personal data related to his or her previous purchase, his or her first and last name, address or invoice address, phone number, delivery name and address, if different from the above, e-mail address and order number (if applicable).

Scope of the processed data and their source In the case of a complaint via phone call, the following personal data are added to the scope of the processed data: caller ID, date and time of the call, audio recording of the telephone conversation and other personal data provided during the conversation. The Data Controller informs the Data Subjects that, in the event that the complaint is made by telephone, the Data Controller will record the audio of the call after having informed the data subject about that. Possible consequences of not providing the above information: failure to respond to telephone calls and opinions

Period of data processing The complaints and responses will be retained for three (3) years from the time of the complaint, for enforcing the rights and legitimate interests of the Data Controller and of the Data Subject (or if the limitation period for enforcing rights is longer, then until the end of that period). If the complaint is made via email and the complainant is not registered on the Website, the e-mail address of the complainant will be erased on the ninetieth (90th) day from the resolution of the issue, with the exception of unique cases when the legitimate interest of the Data Controller justifies the longer retention of the personal data, in which case erasure will be made when this legitimate interest ceases to exist. The Data Controller shall keep the audio recording of the complaint made via phone call for a period of three (3) months from the date of the recording.

 

  1. 6. FOR SIGNING IN WITH SOCIAL MEDIA ACCOUNT AND PRIZE GAMES:

 

II.6.1. Description and purpose of data processing    The Data Controller processes personal data in the course of its activities on social networking sites, for the purpose of sharing or "liking" certain content, products, promotions or the website itself.

Legal basis of data processing         Article 6(1)(f) of the GDPR – legitimate interest of Data controller.

We operate the following social media pages: X (Twitter), Instagram, TikTok, LinkedIn, Xing and Facebook. When you visit our social media presence, personal data, including the IP address of the respective provider, is processed and cookies are used for data collection. Please refer to the privacy policy of the respective service for details on exactly what information is transmitted. There you will also find information on how to contact us and how to restrict the processing of this data.

Furthermore, we would like to point out that you use the respective services and their functions at your own risk. This applies in particular to the use of interactive functions (e.g. sharing, commenting or rating).

The providers of social media services have provided us with corresponding agreements – in most cases, these are agreements on joint responsibility for data processing. The use of social media is based on our legitimate business interest.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)

II.6.1. Description and purpose of data processing From time to time the Data Controller publishes prize games on the interfaces defined by it. Data processing takes place on the interface announced for each prize game, for the purpose of managing these prize games.

We occasionally organise competitions that are open to everyone. In order to participate in these competitions, we require certain information from you: first and last name, address and email address. This data will be used exclusively for the purpose of the competition. If we have no business relationship with you and are not subject to any legal storage obligations, the data collected will be deleted or anonymised after the competition has ended and the prizes have been sent out.

The current rules are available at the Website, or at following link: https://blog.eventim.hu/jatekszabalyzat/.

Legal basis of data processing Article 6 (1)(a) of the GDPR – consent. The consent of the players participating in the prize game. The legal basis for the delivery of the prize and the identification of the winner is the performance of a contract based on Article 6(1)(b) of the GDPR. In the case of the fulfilment of a tax or contribution obligation in connection with the prize, the legal basis is the fulfilment of a legal obligation pursuant to Article 6(1)(c) GDPR.

Scope of the processed data and their source The Data Controller collects and controls surname, first name and e-mail address of participants of the game. Possible consequences of not providing the data: it is not possible to participate in the prize draw. In the case of a prize game announced on Facebook, the name of the winners will be published on the Facebook page. The Data Controller may process the tax identification number, address, mother's name, place and date of birth of the data subject in connection with the fulfilment of tax and accounting obligations in relation to the prize.

Period of data processing Facebook's data management is governed by: Meta Platforms Ireland Ltd. ("Meta") - more information about the data retention periods applied by Meta at the following link: https://www.facebook.com/legal/terms/businesstools. The Controller will delete the personal data of the participants in the game after the game has ended and the prizes have been delivered, or until the consent is withdrawn, if earlier. If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid (Article 78(3) and 202(1) of Act CL of 2017 on the Rules of Taxation). In the case of accounting documents: 8 years (Article 168-169 of the Act C of 2000 on Accounting). In practice, this is the case if the data form part of the documents supporting the accounts.

Data processor and its processing activity If using Facebook: Facebook (Meta Ireland Platforms Limited, head office: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, contact for data protection issues: https://www.facebook.com/policy.php). Delivery (in the case of prizes in physical form): GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (seat: 2351 Alsónémedi, Európa u. 2.; contact information: info@gls-hungary.com; phone number: +36 1 802 0265; https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat), United Parcel Service Deutschland S.à r.l. & Co. OHG (seat: Görlitzer Straße 1, 41460 Neuss, Germany)

II.6.2. Description and purpose of data processing The Data Controller operates a fan page on the website https://www.facebook.com, which can be found at https://www.facebook.com/Eventim.HU/ (the “Facebook fan page”). Facebook collects the personal data of the visitors of this Facebook fan page by using cookies and it generates anonymous statistical data from them.

Legal basis of data processing Article 6(1)(a) of the GDPR – consent. Processing of personal data related to social media sites is based on the voluntary consent of the Data Subject. Facebook shares the above data with the Data Controller as anonymous statistical data to enable the Data Controller as the administrator of the Facebook fan page to publish more targeted, relevant information for the page’s visitors. Facebook applies pop-up windows to notify the visitors of the page of the use of cookies and of the collection of the above personal data. The Data Controller as the administrator of the Facebook fan page recommends becoming familiar with Facebook’s “Cookies & Other Storage Technologies” policy (available here: https://www.facebook.com/policies/cookies/) and the Facebook Data Policy (available here: https://www.facebook.com/about/privacy) prior to using the Facebook fan page.

Scope of the processed data and their source Personal data collected on the Facebook fan page are as follows: demographic data (age, sex, marital status, profession); data concerning the interests of the visitors (buying habits, product and service preferences), geographical data. Possible consequences of failure to provide data: comments and visitor comments are not possible.        

Data processor and its processing activity Meta Platforms Ireland Ltd. ("Meta") - For more information about Meta's data retention periods, please visit: https://www.facebook.com/legal/terms/businesstools. The Data Controller and Meta, the operator of the Facebook social networking site, are joint controllers within the meaning of Article 26 of the GDPR when using the Page Plugin, as the administrators acting on behalf of the Data Controller and Meta jointly determine the purposes and means of the processing. The parties' obligations regarding the joint processing of data are set out in the Joint Controller Agreement ("Controller Addendum"), available here: https://www.facebook.com/legal/controller_addendum and https://www.facebook.com//legal/terms/businesstools_jointprocessing.

II.6.3.  Fan reports

You have the option of submitting a review of a venue or event you have attended on our website. We provide a special form for this purpose. In addition to your review, you must also provide your email address to complete the fan report. This is necessary to verify the fan report and prevent misuse. Your email address will not be published and will be used exclusively for internal purposes.

Your anonymous review will be published on our website after review to provide useful information to other users. Your reviews help us to continuously improve the quality of our events and venues.

We use the services of Bazaarvoice Inc, 10901 Stonelake Blvd, Austin, TX, USA, to collect fan reviews and display them on our website. Bazaarvoice enables us to collect, moderate and display reviews and reports from our users.

For more information, please refer to the privacy policy of Bazaarvoice Inc. at https://www.bazaarvoice.com/de/legal/datenschutzrichtlinie/.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)

 

 


II.7. FOR THOSE WHO SEND E-MAIL TO THE CORPORATE E-MAIL ADDRESS, OR OTHER PLATFORMS

 

II.7.1. Description and purpose of data processing Contact, review and reply to unexpected messages sent to the corporate email address info@eventim.hu.

Legal basis of data processing Article 6(1)(f) of the GDPR – interests of the Data controller

Scope of the processed data and their source The Data Controller may receive e-mails, such as spam messages, unexpected e-mails or job applications, at the corporate inbox; in which case the Data Controller controls personal data such as the sender’s e-mail address, name and other voluntarily provided personal data based on the voluntary consent of the person sending the e-mail. Possible consequences of not providing the data: it is not possible to contact the Data Subject.

Period of data processing Depending on the content of the unsolicited e-mail, after the processing we will delete all of the data, or the data processing may last until the consent is withdrawn, or the data will be erased without further delay (if the e-mail carries unlawful content or if it was sent in error).

II.7.2. Contact

 

If you contact us by email, telephone, contact form or via social media, we will store the data you provide in order to respond to your enquiry. Once processing has been completed, we will delete the data or restrict its processing in accordance with the applicable statutory retention obligations.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)

 

 

II.8. PROCESSING OF CONTACT DATA

Description and purpose of data processing The purpose of the data processing is to enable the Data Controller to contact and maintain direct contact with its partners, their employees and contact persons (i.e. the Data Subject) in the course of its business activities.

Legal basis of data processing Pursuant to Article 6 (1) (f) of the GDPR, the legal basis for processing is the legitimate interest of the Data Controller or third party.

Scope of the processed data and their source The Data Controller processes the data of the Data Subjects for the purposes of maintaining contact with the contracting partner. Scope of Data Subjects: name, position, e-mail address, telephone number. Source of the Data: the Data Subject or the Company's business partner, the contracting party. The Company presumes that its Clients and Business Partners have appropriate authorisation or consent from the Data Subject in relation to the provided data originating from the natural person or have given them information about the provision of their personal data.     

Period of data processing The period necessary for the purposes of processing, which may in some cases correspond to the term of a contractual relationship, but not longer than the period until the withdrawal of consent or the period for the exercise of any right of recourse (5 years from the performance of the contract (limitation period)).

 

 

II.10. DATA MANAGEMENT RELATED TO THE WHISTLEBLOWING REPORTING SYSTEM

Description and purpose of data processing We have created an online portal for reporting violations. The whistleblowing system allows you to contact us and report compliance and legal violations without fear of reprisals. Provided that this is legally permissible, violations can be reported without providing personal data. We process personal data to the extent that it is communicated to us to verify a report made through the reporting center and to investigate suspected compliance and violations. We may have additional questions. For this purpose, we communicate through this whistleblowing system. In principle, it is possible to use the abuse reporting system - if this is legally permitted - without providing personal data. In the case of anonymous communication, your IP address and current location are never stored. After submitting the report, the reporter receives access data for the online portal's mailbox, thus allowing them to continue communication with us in a protected manner. However, as part of the whistleblowing reporting process, personal data may be voluntarily disclosed, in particular data relating to identity, first and last name, country of residence, telephone number or email address.

During anonymous communication with us, your IP address and current location are never stored. After submitting the report, the reporter will receive access data to the mailbox of the online portal so that he can continue to communicate with us in a protected manner. In order to achieve the stated purpose, it may also be necessary to transfer personal data to external bodies, such as law firms, criminal or competition authorities within or outside the European Union.

Legal basis of data processing point c) of Article 6 (1) of the GDPR

Scope of the processed data and their source: We process the data that the notifier provides us in connection with the notification.

In addition, we also process the data of the persons named by the person reporting the abuse during the reporting of violations (e.g. the name or position of the person who caused the violation, the name or position of the persons also affected by the violation, a description of the behavior or actions of the person concerned in relation to the reported violation of duty, which may contribute to their identification).

Period of data processing We store personal data only as long as it is necessary to process the report of the person reporting abuse, or as long as we have a legitimate interest in storing their personal data. Data may also be stored if this is required by national or European legislation in order to fulfill legal obligations, such as retention obligations. We do not collect or store any personal data that is not necessary to process whistleblower reports. If necessary, it will be deleted immediately. After the investigation is completed, all reports and related data are archived for 5 years. After this period, we guarantee the irreparable deletion or anonymization of all data. In addition, the data is stored as long as it is necessary for official or court proceedings that have already been initiated. Data subject rights under Articles 13–21 of the GDPR (e.g., the right to information, access, erasure, or objection) apply to the person concerned by the report only to a limited extent based on legislation, provided that such restriction is necessary for the protection of the reporter or the investigation of the report.

The data controller of the whistleblowing system The whistleblowing online portal is operated by CTS EVENTIM AG & Co. KGaA, Contrescarpe 75a, 28195 Bremen, Germany, and we use it together with that company. In this case, we are the joint data controllers of the processing of personal data. If we are obliged to fulfill the rights of the data subjects, the data subjects can contact us directly via our contact details and at the address compliance@eventim.de.

Data processor: Deloitte

Data transfer: In order to fulfill the aforementioned purposes, it may become necessary to transfer personal data to external parties, such as law firms, criminal or competition authorities, both within and outside the European Union.

II.11. DATA PROCESSING RELATED TO THE COMPLIANCE SYSTEM

Description and purpose of data processing EVENTIM Compliance operates an independent, impartial and confidential Compliance reporting system. Employees and third parties, including customers and suppliers, have the opportunity to report potential violations through confidential reporting channels and thus contribute to their clarification.

Legal basis of data processing point c) of Article 6 (1) of the GDPR

Scope of the processed data and their source: the data provided by the Notifier. In principle, it is possible to use the abuse reporting system - if this is legally permitted - without providing personal data. However, as part of the abuse reporting process, personal data may be voluntarily disclosed, in particular data relating to identity, first and last name, country of residence, telephone number or email address.

Period of data processing We store personal data only as long as it is necessary to process the report of the person reporting the Compliance case, or as long as we have a legitimate interest in storing their personal data. Data may also be stored if this is required by national or European legislation in order to fulfill legal obligations, such as retention obligations. We do not collect or store any personal data that is not necessary to process Compliance reports. If necessary, it will be deleted immediately. After the investigation is completed, all reports and related data are archived for 5 years. After this period, we guarantee the irreparable deletion or anonymization of all data. In addition, the data is stored as long as it is necessary for official or court proceedings that have already been initiated.

The data controller of the online Compliance reporting portal We use the Compliance system together with the company CTS Eventim Austria GmbH, Compliance, Mariahilferstraße 41-43, A-1060 Wien, Österreich. In this case, we are the joint data controllers of the processing of personal data. If we are obliged to fulfill the rights of the data subjects, the data subjects can contact us, or use the following e-mail address: compliance@eventim.at

 

  • III. DATA PROCESSORS

Transfer to processors: We work with processors and transfer personal data to them in order to provide our services efficiently. These include companies that handle contract fulfilment, payments, account management, newsletter distribution and IT services, for example. Other transfers:

The Data Controller may share (besides its own competent staff) the personal data with the below companies as data processors for the below purposes:

 

- Operation of software and IT framework related to ticketing:
CTS EVENTIM AG & Co. KGaA

- Delivery:
GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (seat: H-2351 Alsónémedi, Európa u. 2., Hungary; contact information: info@gls-hungary.com, phone number: +36 1 802 0265; https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat), Deutsche Post AG (seat: Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany; contact information: +49 228 18 20; https://www.deutschepost.de/de/f/footer/datenschutz.html)

United Parcel Service Deutschland S.à r.l. & Co. OHG (seat: Görlitzer Straße 1, 41460 Neuss, Germany)

- Online payment:
KPS Payment GmbH & Co. KG (seat: Contrescarpe 75A, 28195 Bremen, Germany)

 

 

- Hosting provider:
 CTS EVENTIM Solutions GmbH, registered seat: Contrescarpe 75 A, 28195 Bremen, Germany, e-mail: info@eventim.de

- Partners of the Data Controller (ticket sellers):
Ticket seller partners of the Data Controller are listed on the http://www.eventim.hu/hu/outletek/ website.

- For the purpose of sending newsletter and promotion e-mails:
Optivo GmbH (seat: Wallstrasse 16, 10179 Berlin, Germany; contact information: +49 30 7680 780)

- Social media platforms and marketing cookies:

Facebook (Meta Ireland Platforms Limited (seat: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), data protection: https://www.facebook.com/policy.php)

Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland)

 

Transfer of data

Transfer within the group: The personal data we collect will be transferred within the group to both parent companies and subsidiaries if necessary. This is done because various companies provide IT services for us, among other things. The transfer is based on internally concluded contracts.

Your personal data will be transferred for the purpose of fulfilling the contract in accordance with Art. 6 para. 1 lit. b GDPR in order to provide you with our services.

Transfer to clients or joint controllers: If we act on behalf of third parties or process data as a joint controller (e.g. for partner websites, events or web shops), we may make this personal data available to them. The data is transferred on the basis of contracts concluded with our business partners.

 

 


- Event organizers:
The personal data of the Data Subjects may be transferred to event organizers in the case of some events, mainly for the purpose of purchasing tickets for the event or for admission to the event. In such cases EVENTIM may be considered a data processor in respect of such data, and the exact data of the recipient event organizers will be given in a separate notice to the Data Subjects, and these data processing operations will be further governed by the event organizers' own privacy policy as data controllers.

 

 


- Other data transfers:

In individual cases, the Data Subject has the possibility to subscribe on the website to newsletters and mailings (in some cases sent by post) from certain event organisers (promoters), their service providers or other third parties by giving the appropriate consent, and to consent on a case-by-case basis to the transfer or forwarding of data to these promoters for similar purposes. In the event of a data transfer, the Data Controller shall log and record the Data Subject's consent and shall transfer the personal data indicated in that consent to the relevant promoters, who will process it as independent data controllers at their sole discretion and at the own risk of the Data Subject, in accordance with the terms of their own privacy policy and subject to data protection legislation. The transfer of personal data is based on Article 6 (1) (a) of the GDPR, as it is based on the explicit consent of the Data Subject. The scope of the personal data processed for the purpose of the transfer: according to the consent. The Data Controller shall delete the data no later than 30 days after the event.

The promoter may then pass this data on to other partners, in particular the artist or their representative, for information and advertising purposes, under their own responsibility. Consent is given when purchasing tickets by actively ticking the corresponding option and contains all relevant information on data processing, the recipients, and your rights, including the option to revoke consent at any time with effect for the future.

Mandatory data transfer In case of an exceptional authority request or request of other organizations, if authorized by the law, the Data Controller is obliged to provide information, communicate, transfer data or provide documentation, in particular, the Data Controller may make the personal data of the Data Subject accessible in case of an official request made by the court, the police; infringement of IP rights, property rights or other infringement of law or in case of reasonable suspicion of the above or in case of endangering or violating the Data Controller’s interests or the provision of its Services. In such cases the Data Controller transfers personal data to the requester – in the event it determined the exact purpose and scope of data – only to the extent necessary to achieve the purpose of the request. We reserve the right to transfer personal data to authorities or lawyers, for example, if this is required by law or necessary in the context of a legal dispute.



- Data transfer to third countries:
It cannot be ruled out that personal data may be transferred to an unsafe third country (countries outside the EEA without an adequate level of data protection) when you visit our website. If this is the case, we will point this out directly in the description of the external service in this privacy policy.

The GDPR requires so-called appropriate safeguards in accordance with Art. 46 GDPR for data transfers to an unsafe third country or to an international organisation.

When processing personal data in a third country or when processing data from US data recipients who are not subject to the provisions of the EU-US Data Privacy Framework, the following risks in particular cannot currently be ruled out for you as the data subject:

Your personal data may be passed on by the respective service provider to other third parties beyond the actual purpose of fulfilling the order. You may not be able to assert or enforce your rights to information against the respective service provider in the long term. There may be a higher probability of incorrect data processing, as the technical and organisational measures for the protection of personal data do not fully meet the requirements of the GDPR in terms of quantity and quality.

 

By agreeing to the consent banner for the use of external services and the setting of the corresponding cookies, you expressly consent to the possible transfer of your personal data to unsafe third countries.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

 


- Web Analytics Measurements
Google Analytics (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland), as an independent, external provider, supports the independent measurement of the frequency of visits and other web analytical data of the Websites. Detailed information on the data processing can be found at the following link: http://www.google.com/analytics. The Data Controller uses the data provided by Google Analytics solely for statistical purposes and to optimize the operation of the website.

  • WHAT ARE YOUR RIGHTS RELATED TO THE DATA PROCESSING?

The detailed rights and remedies of the individuals – which include Employees and the people listed in Section 1 – are set forth in the applicable provisions of the GDPR (especially in articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80, and 82 of the GDPR). The summary set out below describes the most important provisions and the Employer provides information for the individuals in accordance with the above articles about their rights and remedies related to the processing of personal data.

In the course of Data processing, the Data Subject is entitled especially to the rights set out in this point.

  • Right to information and access
  • Right to rectification
  • Right to deletion
  • Right to restriction of data processing
  • Right to data portability
  • Right to object
  • Right to withdraw consent

Right to information and access
The Data Subject is entitled to receive information about the facts related to the data processing prior to the start of the data processing.
The Data Subject is entitled to request information on his or her personal data and on the processing thereof. The Data Controller provides the opportunity to the Data Subject to receive information on the personal data processed and to receive copy or extract of the documents containing the personal data.
The Data Subject is entitled to receive information as to whom, for which purpose and in what scope his or her personal data processed by the Data Controller have been forwarded.
The Data Controller is obliged to provide information regarding the personal data and the processing thereof. The Data Controller is obliged to provide information in writing and in plain language without undue delay, but within one (1) month from the submission of the request at the latest. In case the Data Controller does not carry out measures based on the request of the Data Subject, then the Data Controller shall provide information without delay, but no later than within one (1) month, on the reasons for not taking measures, and inform the Data Subject of the possibility of legal remedy before the court and the Hungarian National Authority for Data Protection and Freedom of Information.

Right to rectification
The Data Subject is entitled to request the rectification and correction of his or her personal data. Furthermore, having regard to the aim of the data processing, he or she is entitled to request the supplementation of the incomplete personal data. The Data Subjects are recommended to review their personal data from time to time in order for the optimal use of the services provided by the Data Controller and if necessary, to contact the Data Controller to clarify their data as described above.
Within five years of the death of the Data Subject the rights of access, rectification, restriction and deletion shall be exercised by the person authorized by the Data Subject in a public document or a private document with full probative value placed at the Data Controller or failing that, close relatives of the Data Subject shall exercise these rights.

Right to deletion
The Data Subject is entitled to request the deletion of his or her personal data:
a) for which the Data Controller does not have the consent or statutory authorization to control (right of objection),
b) that are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
c) regarding which the Data Subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing,
d) that have been unlawfully processed,
e) that have to be erased for compliance with a legal obligation.

Right to restriction of data processing
Instead of deletion, the Data Controller restricts the processing of personal data in the following cases:
a) upon the request of the Data Subject, when the Data Subject challenges the accuracy of the personal data; in such case the restriction lasts until the Data Controller verifies the accuracy of the personal data, or
b) when the Data processing is unlawful and the Data Subject opposes the deletion of the personal data and requests the restriction on the use of the personal data instead, or
c) when the Data Controller no longer needs the personal data for the purpose of data processing, but the Data Subject requires that for its legal interests, or
d) when the Data Subject has objected to data processing, but it is necessary to determine, whether the legal interests of the Data Controller override those of the Data Subject.

The Data Controller will communicate any rectification or deletion of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Data Controller informs the individual about those recipients if he/she so requests.

Right to data portability
The Data Subject is entitled to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and is entitled to transmit those data to another Data Controller.

Right to object
The Data Subject is entitled to object, on grounds relating to his or her particular situation, at any time to processing of his or her personal data which is necessary for reasons of public interest or for carrying out a task falling within the scope of the Data Controller’s public powers or for enforcing the legal interests of the Data Controller or a third party. In case of objection, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or which relate to filing, enforcing or defence of legal claims.

Where personal data is processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such reason, which includes profiling if it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

The user may object to the data processing based on legitimate interests by sending an e-mail to the Data Controller at dataprotection@eventim.hu. Where the legal basis for the processing is the legitimate interest of the Controller, the Controller has carried out and may continue to carry out the balancing of interests test in accordance with the relevant provisions of the GDPR. The user has the right to view the legitimate interest assessment test prepared in relation to the processing based on legitimate interests, upon request, by sending an e-mail to the Data Controller at dataprotection@eventim.hu or by post.

Right to withdraw consent
The Data Subject may withdraw his or her consent to the data processing at any time without giving reasons. Withdrawal of consent does not affect the legitimacy of the data processing based on consent given prior to withdrawal.

  • HOW CAN YOU EXERCISE YOUR RIGHTS?

The Data Subject may submit his or her request for information, correction, deletion or locking to the following e-mail address: dataprotection@eventim.hu.
In case the Data Subject contacts the Data Controller with respect to this Notice, asks questions, makes comments, this information will be retained and used by the Data Controller for the purpose of providing adequate answer.
The Data Controller is obliged to provide information regarding the request for correction, locking or deletion in writing and in plain language without delay, but no later than within one (1) month from the submission of the request. In case the Data Controller does not carry out measures based on the request of the Data Subject, then the Data Controller shall provide information without delay, but no later than within one (1) month, on the grounds for not taking measures, and inform the Data Subject of the possibility of legal remedy before the court and the Hungarian National Authority for Data Protection and Freedom of Information.
The Data Controller informs the Data Subject and those to whom personal data has been forwarded for the purposes of data processing on the correction, locking and deletion. The information may be omitted if it does not infringe the rightful interest of the Data Subject taking into consideration the purpose of the data processing.

  • HOW CAN YOU SEEK LEGAL REMEDY?

In case of any disagreement between the Data Subject and the Data Controller in connection with the data processing, it is advisable to contact the responsible personnel of the Data Controller before taking any legal actions.
In order to remedy the violation of his or her rights, the Data Subject is entitled to turn to the courts or to the Hungarian National Authority for Data Protection and Freedom of Information.
When the Data Subject turns to the court, he or she is entitled to initiate a litigation at the competent court within the geographical area in which the Data Subject resides or has his or her habitual residence, instead of the competent court based on the seat of the Data Controller.
Contact details of the Hungarian National Authority for Data Protection and Freedom of Information:
Address: 1055 Budapest, Falk Miksa u. 9-11, Hungary
Postal address: 1363 Budapest, Pf.: 9.
Phone number: +36 (1) 391-1400
E-mail address: ugyfelszolgalat@naih.hu
Webpage: www.naih.hu

  • HOW CAN WE UPDATE THIS NOTICE?

The Data Controller reserves the right to modify this Notice in the future at its discretion in particular in case of the change of law, or a change in the applicable data protection practice to ensure that the Notice provides relevant and adequate information about the collecting and processing of the personal data of the Data Subjects.

2026.02.26.

 

[1] Facebook Customer List Audience / Google Customer Match: a database of personal data of Users who have already registered or purchased on the Website is uploaded by the Data Controller to Facebook or Google, which is transformed and encrypted using various algorithms or "hash" codes, and the customer list containing the data replaced by these encrypted codes is then matched by Facebook or Google with their own user profiles and, in the event of a match, the Data Controller displays advertisements to Users who match both lists.

[2] Custom Audience / Google Similar Audience: the list of Users with similar interests to those registered or purchasing on the Website, created according to the criteria set out in the previous point, is matched by Facebook or Google with its own users, selected by the Data Controller according to demographic or geographical criteria, not included in this list, and the Data Controller displays advertisements to these users as a target audience.

 

In any case, the Data Controller shall not know the data of the users to whom Facebook or Google publishes its advertisements.