The following list shows which organisations (“data recipients”) receive your data in which cases. You can read about the specific data in the corresponding sections of this data protection notice. Transfer of your data may sometimes occur due to contractual or legal requirements. In other cases, we use selected vicarious agents and service providers who work for us as commissioned data processors (in accordance with Art. 28 GDPR) and may obtain access to your data in the required scope. Commissioned data processors are subject to numerous contractual obligations and may, in particular, process your personal data only on our instructions and solely for the fulfilment of the orders received from us.
Data Recipients in Non-EU Countries
- Banks, payment service providers
- Auditors from our holders and external funding sources
- Data protection officer
- Service providers for customer surveys
- Service providers for distribution of our newsletter
- Service providers for mass file destruction
- Service providers for optimisation of our web shop and websites
- Service providers for printing, letter shops
- Recipient’s e-mail provider
- Tax authorities
- Courts, lawyers, contractual partners, consultants, business partners, law enforcement authorities, opposing lawyers, state or federal criminal police (for legal disputes or actual suspicious cases)
- IT service providers
- Tax counsellors
- Service providers for telecommunication
- Financial auditors
- Customs authorities
You can also purchase our tickets, programme booklets, subscriptions and souvenirs from countries outside the EU (so-called third countries). When you do so, your data will be transferred to that country. The transfer of your data is necessary to perform the contract with you (Art. 49(1)(b) GDPR). It is transferred in order to process your purchase and the shipment and to communicate with you. Please note that the level of data protection in third countries without an adequacy decision of the EU Commission can deviate from that of the European Union. According to the EU Commission, there is an adequate level of data protection in the following third countries: Andorra, Argentina, the Faroes, Guernsey, Isle of Man, Israel, Japan, Jersey, Canada (limited), New Zealand, Switzerland, South Korea, Uruguay, United Kingdom (cited 4/8/2022).
Our IT service providers have affiliates or subcontractors outside the EU who can access your data. The EU Commission determines which non-EU / EEA countries (third countries) have an adequate level of data protection. The transfer uses the EU standard contractual clauses according to Commission Decisions 2010/87/EU and (EU) 2021/914, the model of which can be found on the websites of the European Commissioner for Justice and in the Official Journal of the EU.