The following list shows which organisations (“data recipients”) receive your data in which cases. You can read about the specific data in the corresponding sections of this data protection notice. Transfer of your data may sometimes occur due to contractual or legal requirements. In other cases, we use selected vicarious agents and service providers who work for us as com-missioned data processors (in accordance with Art. 28 GDPR) and may obtain access to your data in the required scope. Commissioned data processors are subject to numerous contractual obligations and may, in particular, process your personal data only on our instructions and solely for the fulfilment of the orders received from us.
Data Recipients in Non-EU Countries
- Banks, payment service providers
- Auditors from our holders and external funding sources
- Data protection officer
- Service providers for customer surveys
- Service providers for distribution of our newsletter
- Service providers for mass file destruction
- Service providers for optimisation of our web shop and websites
- Service providers for printing, letter shops
- Recipient’s e-mail provider
- Tax authorities
- Courts, lawyers, contractual partners, consultants, business partners, law enforcement authorities, opposing lawyers, state or federal criminal police (for legal disputes or actual suspicious cases)
- IT service providers
- Tax counsellors
- Service providers for telecommunication
- Financial auditors
- Customs authorities
You can purchase our tickets, programme booklets, subscriptions and souvenirs from countries beyond the EU (= so-called third countries) as well. When doing so, your data will be transferred to this country. The transfer of your data is necessary to perform the contract with you (art. 49 (I) b) GDPR). It is transferred for processing your purchase and the shipment and in order to communicate with you. We point out to the fact that the data protection level in third countries without an adequacy decision of the EU commission can deviate from that of the European Union. According to the EU commission, there is an adequate level of data protection in the following third countries: Andorra, Argentina, the Faroes, Guernsey, Isle of Man, Israel, Japan, Jersey, Canada (limited), New Zealand, Switzerland, South Korea, Uruguay, United Kingdom (cited 4/8/2022).
Our IT service providers have affiliates or subprocessors that can access your data from outside the EU or the European Economic Area (EEA). The level of data protection in third countries without an adequacy decision from the EU commission may differ from the European level of data protection. The EU Commission determines which non-EU/EEA countries ('third countries') have an adequate level of data protection. There is an adequacy decision with the issue no. C(2019) 304 for the transfer of personal data to our IT service provider's subprocessor in Japan. Our IT service providers are responsible for using EU standard contractual clauses in accordance with Commission Decision No. (EU) 2021/914 for transfer of personal data to other third countries. A model of these EU standard contractual clauses can be found on the websites of the EU Commissioner for Justice and in the Official Journal of the EU.