PRIVACY POLICY
Our data protection information is structured modularly. They consist of a general part for all processing of personal data and processing situations (I. General) and a special part, the content of which only relates to the processing situations specified there (II., III., IV., V). In order to be able to find the parts that are relevant to you, please note the following overview of the breakdown of the data protection information:
Description ⇒ This part is for you....
I. General ⇒ always relevant.
II. Data processing when you visit the website ⇒ relevant if you use our website.
III. Additional data protection information for applicants ⇒ relevant if you apply to us.
IV. Additional data protection information for business partners ⇒ relevant if you want to work with us as a service provider, supplier or similar partner, are already or have previously been in an ongoing business relationship with us.
The person responsible within the meaning of the General Data Protection Regulation ("GDPR") and other national data protection laws as well as other data protection regulations for data processing to provide the website is:
Name of person responsible:
Tivola Games GmbH
Oeverseestraße 10-10
22769 Hamburg
Mail: mail@tivola.de
Website: www.tivola.de
We have appointed a data protection officer:
Prof. Dr. Christian RaudaLawyer and specialist lawyer for information technology
GRAEF Rechtsanwälte Digital PartG mbH
Jungfrauenthal 8
20149 Hamburg
Tel. +49.40.80 6000 9-0
Fax +49.40.80 60009-10
Mail: datenschutzbeauftragter@tivola.de
Website: www.graef.eu
I. General information on data processing
1. Scope of Processing Personal Data
We collect and use personal data of our website users and other affected persons (such as service providers, suppliers, customers) only to the extent necessary for providing our website, our content, and our services.
2. Legal Basis for Processing Personal Data
Where we obtain consent from the data subject for processing operations involving personal data, Article 6(1)(a) GDPR serves as the legal basis.
When processing personal data is necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary to carry out pre-contractual measures.
If the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Article 6(1)(c) GDPR serves as the legal basis.
If processing is necessary to protect a legitimate interest of our company or a third party, and the interests, fundamental rights, and freedoms of the data subject do not override this interest, Article 6(1)(f) GDPR serves as the legal basis.
If the processing involves storing information on your terminal device or accessing information already stored on the device, § 25(1), (2) TTDSG serves as the legal basis.
3. Data Deletion and Storage Duration
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Further storage may occur if provided for by European or national legislation in EU regulations, laws, or other provisions to which the controller is subject. Blocking or deletion of data also occurs when a storage period prescribed by the aforementioned regulations expires, unless there is a need for further storage of the data for a contract conclusion or contract fulfillment.
4. General Contact
You can contact us via email, phone, or letter. Your information and attachments from the inquiry, including the contact details you provided, will be stored solely for processing the request and in case of follow-up questions. If you contact us via email, your email address and the date and time of sending will be processed. For telephone contact, the phone number will be processed. If you write to us by letter, we will process your address data and the date of receipt. In this context, there is no transfer of data to third parties.
The legal basis for processing the data is Article 6(1)(f) GDPR. Our interest in answering your inquiry outweighs your interest; as you are contacting us, responding is also in your interest, and you are aware that we need to process your data to respond to your inquiry. Connection data is collected to process and answer your inquiry and to prevent misuse of the contact options.
If the contact aims to conclude a contract, the legal basis for processing is Article 6(1)(b) GDPR.
The data will be deleted once they are no longer necessary for achieving the purpose of their collection. This is the case when the respective communication with the data subject has ended. The communication is considered ended when it can be inferred from the circumstances that the relevant facts have been conclusively clarified.
5. Recipients of Your Data
Within our company, departments have access to your data as necessary to fulfill their processing purposes. This also applies to service providers and agents employed by us. All departments and individuals working with your data are obligated to confidentiality and to handle personal data sensitively.
Outside the company, your data will only be shared if it complies with data protection regulations. This is the case when the transmission is necessary to fulfill the purposes or if we have obtained your consent for the use and sharing of the data. The following recipients may receive your data:
-
Gerwan GmbH and inmedias.it Gesellschaft für Informationstechnologie mbH: Service providers for operating our website and processing data stored or transmitted through the systems (e.g., data center services, payment processing, IT security). The legal basis for sharing is Article 6(1)(b) or (f) GDPR, unless they are processors.
-
State authorities/agencies, if necessary to fulfill a legal obligation. The legal basis for sharing is Article 6(1)(c) GDPR.
-
Individuals involved in our business operations, Jumpgate AB, auditors COUNSEL Treuhand GmbH, Wirtschaftsprüfungs- und Steuerberatungsgesellschaft, banks, insurers, legal advisors, supervisory authorities, parties involved in business acquisitions, or the formation of joint ventures. The legal basis for sharing is Article 6(1)(b) or (f) GDPR.
-
If you contact us via email, Microsoft Ireland Operations Ltd. processes the data as a processor.
-
During website visits, other recipients may be considered, listed under "II." in the relevant sections.
6. Data Sources
We primarily receive your personal data directly from you and may additionally use public sources (websites, contact directories, etc.) for initial contact.
If we receive your data from other third parties (e.g., recommendations from other partners), we will inform you about these data sources during the initial contact.
7. Rights of the Data Subject
If personal data relating to you is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
a) Right to Access
You can request confirmation from the controller as to whether personal data concerning you is being processed.
If such processing is taking place, you can request information from the controller about the following:
(1)
The purposes for which the personal data is being processed;
(2)
The categories of personal data being processed;
(3)
The recipients or categories of recipients to whom the personal data concerning you has been disclosed or is still being disclosed;
(4)
The planned duration of storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
(5)
The existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;
(6)
The existence of a right to lodge a complaint with a supervisory authority;
(7)
All available information on the origin of the data, if the personal data is not collected from the data subject;
(8)
The existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject.
You have the right to request information about whether personal data concerning you is transferred to a third country or to an international organization. In this context, you can request to be informed about the appropriate safeguards pursuant to Article 46 GDPR in connection with the transfer.
b) Right to Rectification
You have the right to obtain rectification and/or completion from the controller if the personal data concerning you that is being processed is incorrect or incomplete. The controller must carry out the rectification without undue delay.
c) Right to Restriction of Processing
Under the following conditions, you can request the restriction of processing of personal data concerning you:
(1)
If you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
(2)
The processing is unlawful, and you oppose the erasure of the personal data and request the restriction of its use instead;
(3)
The controller no longer needs the personal data for the purposes of processing, but you need it for the establishment, exercise, or defense of legal claims; or
(4)
If you have objected to processing pursuant to Article 21(1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds.
If the processing of personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
If the restriction of processing is applied according to the aforementioned conditions, you will be informed by the controller before the restriction is lifted.
d) Right to Erasure
You can request the controller to erase the personal data concerning you without undue delay, and the controller is obliged to erase this data without undue delay if one of the following reasons applies:
(a)
The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
(b)
You withdraw your consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other legal ground for the processing.
(c)
You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.
(d)
The personal data concerning you has been unlawfully processed.
(e)
The erasure of personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
Information to Third Parties
If the controller has made the personal data concerning you public and is obliged pursuant to Article 17(1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers who are processing the personal data that you have requested the erasure by such controllers of any links to, or copies or replications of, that personal data.
Exceptions
The right to erasure does not apply to the extent that processing is necessary:
(a)
For exercising the right of freedom of expression and information;
(b)
to fulfill a legal obligation requiring processing under Union or Member State law to which the controller is subject, or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c)
for reasons of public interest in the field of public health in accordance with Article 9 Paragraph 2 Letters h and i and Article 9 Paragraph 3 GDPR;
(d)
for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Article 89 Para. 1 GDPR, insofar as the law referred to in section a) is likely to make the achievement of the objectives of this processing impossible or seriously impair it, or
(e)
to assert, exercise or defend legal claims.
e) Right to information
If you have asserted the right to rectification, deletion or restriction of processing against the person responsible, the person responsible is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or deletion of the data or restriction
f) Right to data portability
You have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided
(1)
the processing is based on consent in accordance with Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR or on a contract in accordance with Article 6 (1) (b) GDPR and
(2)
the processing takes place using automated procedures.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another controller, to the extent that this is technically feasible. The freedoms and rights of other people must not be impaired by this. The right to data portability does not apply to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
g) Right to object
You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is carried out on the basis of Article 6 (1) (e) or (f) of the GDPR; This also applies to profiling based on these provisions. The person responsible will no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. If the personal data concerning you is processed for the purpose of direct advertising, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; This also applies to profiling insofar as it is connected to such direct advertising. If you object to processing for direct advertising purposes, your personal data will no longer be processed for these purposes. In connection with the use of information society services - regardless of Directive 2002/58/EC - you have the opportunity to exercise your right to object using automated procedures that use technical specifications.
h) Right to revoke the declaration of consent under data protection law
You have the right to revoke your data protection declaration of consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out based on the consent before its revocation.
i) Automated decision-making in individual cases including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
(1)
is necessary for the conclusion or fulfillment of a contract between you and the person responsible,
(2)
is permitted by Union or Member State law to which the controller is subject and such law contains appropriate measures to safeguard your rights and freedoms and your legitimate interests or
(3)
with your express consent.
However, these decisions may not be based on special categories of personal data according to Article 9 Paragraph 1 GDPR, unless Article 9 Paragraph 2 Letters a or g applies and appropriate measures have been taken to protect your rights and freedoms as well as your legitimate interests. With regard to the cases mentioned in (1) and (3), the controller shall take appropriate measures to protect the rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person on the part of the controller, to express one's own point of view and heard to challenge the decision.
j) Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, your place of work or the place of the alleged infringement, if you are of the opinion that the processing of your personal data is contrary to violates the GDPR. The supervisory authority to which the complaint was submitted will inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy in accordance with Art. 78 GDPR.
II. Data processing when visiting the website www.tivola.de
1. Provision of the Website and Creation of Log Files
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is temporarily collected:
1.
Information about the browser type and version used, as well as the language
2.
The user's operating system
3.
The user's internet service provider
4.
The user's IP address
5.
Date and time of access
6.
The amount of data transferred
7.
A message indicating whether the access was successful
8.
The GMT time zone difference
9.
Websites from which the user's system reaches our website
10.
Websites accessed by the user's system via our website
The data is stored in the log files of our system. This data is only needed for the analysis of any disruptions and is deleted within seven days at the latest. The legal basis for the temporary storage of the data and log files is Art. 6 para. 1 lit. f GDPR. The temporary storage of the IP address by the system is necessary to allow delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. The storage in log files is done to ensure the functionality of the website. Additionally, the data helps us optimize the website and ensure the security of our information technology systems. The data is not evaluated for marketing purposes, and no conclusions about your person are drawn. The collection of data for providing the website and storing the data in log files is essential for the operation of the website. Therefore, the user has no possibility to object.
2. Use of Cookies
We use so-called session or flash cookies on our website and in our applications. Cookies are text files stored in or by the internet browser on the user's computer system. When a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string that allows the browser to be uniquely identified the next time the website is accessed. Some functions of our website cannot be offered without the use of cookies. These may include, in particular, session cookies (which store language settings), purely counting cookies (which prevent website overload), or flash cookies (which serve the playback of media content). For these, it is necessary that the browser is recognized even after a page change. The user data collected through technically necessary cookies is not used to identify the user or create user profiles. The legal basis for processing personal data using technically necessary cookies is § 25 para. 2 TTDSG and Art. 6 para. 1 lit. f) GDPR. Due to the technical necessity, there is no possibility of revocation. If we use cookies that are not technically necessary, you will find the relevant information in the subsequent information about the individual services.
3. Social Media Links
We maintain online presences in social networks and platforms to communicate with customers, prospects, and users active on those networks and to inform customers, prospects, and users about our services.
Our website therefore links to the websites of Facebook and Instagram, both operated by Meta Platforms Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are based in the EU, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Unless otherwise described in this privacy notice, no data is exchanged with Facebook or Instagram through our website.
We have set a link to the platform YouTube, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("YouTube"). We use the "enhanced privacy mode" option provided by YouTube. When you access one of our pages with a corresponding video, content from YouTube is retrieved. If you are logged in with your YouTube account, YouTube can associate your browsing behavior with other data. The use of YouTube videos is in the interest of a clear presentation of our services. The Google privacy policy applies: https://policies.google.com/privacy?hl=en
We have also set a link to the page of Twitter, operated by Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA ("Twitter"). When accessing the respective netw
4. Contact via Email
If you contact us by email, Microsoft Ireland Operations Ltd. processes the data as a data processor.
III. Additional data protection information for applicants
We collect and process personal data from applicants for the purpose of processing the application process. The legal basis is the overriding legitimate interests of the applicants and us in an exchange for the purpose of initiating an employment relationship (Art. 6 Para. 1 lit. f GDPR). Processing can also take place electronically. This is particularly the case if an applicant submits relevant application documents electronically, for example by email. If we conclude an employment contract with an applicant, the data transmitted will be stored for the purpose of processing the employment relationship in compliance with legal regulations. The legal basis is then Article 6 Paragraph 1 b) GDPR in conjunction with Article 88 GDPR and Section 26 BDSG and, in the case of processing sensitive data in accordance with Article 9 GDPR, your consent; Art. 6 Paragraph 1 Letter a) GDPR. If we do not conclude an employment contract with the applicant, the application documents will be automatically deleted after the rejection decision has been announced, provided that deletion does not conflict with any other legitimate interests of the person responsible for processing. Other legitimate interests in this sense include, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).
IV. Additional data protection information for business partners
1. Purposes of processing and legal basis
Which of your data will be processed in detail depends on the services commissioned or agreed upon. We only use personal information for the purpose for which it was provided to us. These are, for example, personal details (name, address and other contact details, birthday and place). In addition, this may also include order data (e.g. payment order), data from the fulfillment of our contractual obligations (e.g. sales data in payment transactions), information about your financial situation (e.g. creditworthiness data), advertising and sales data as well as other data comparable to the categories mentioned.
a) Fulfillment of contractual obligations (Art. 6 Para. 1 lit. b GDPR)
We process your data primarily for the purpose of establishing and implementing our procurement and maintenance processes and thus purchase/work/service contracts. In addition, your data will sometimes be processed as part of additional contractual obligations or pre-contractual agreements.
b) Legitimate interests of the company (Art. 6 Para. 1 lit. f GDPR)
We also process your data based on our legitimate interests, which we specify here as follows:
-
Contact and communications management
-
Profitability controls
-
Contract/Project Management
Ensuring the operation of information and telecommunications systems
.
c) Legal requirements and obligations (Art. 6 Para. 1 lit c GDPR)
As a company, we are bound by various legal obligations that must be adhered to based on applicable laws and regulations. We process your data for the purpose of complying with tax and commercial law regulations, which we specify here as an example as follows:
-
Financial accounting
-
Business correspondence
d) Consent of the data subjects (Art. 6 Para. 1 lit. a GDPR)
If we have obtained your consent to process your data for specific purposes, we will base the lawfulness of the processing on this consent.
August 2023