Below we inform you in accordance with the legal requirements – in particular the EU General Data Protection Regulation (GDPR, available here) – about the processing of personal data by our company.
Table of contents:
- General information
- Important terms
- Scope of application
- Person responsible
- Data Protection Officer
- The data processing in detail
- General information on data processing
- Accessing our services
- Rights of data subjects
- Right to object
- Right to information
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to withdraw consent
- Right to lodge a complaint
I. General information
In this section of the privacy policy, you will find information on the scope of application, the data controller, its data protection officer and data security. We also explain in advance the meaning of important terms used in the privacy policy.
1. Important terms
Browser: Computer program for displaying websites (e.g. Chrome, Firefox, Safari)
Cookies: Text files that are placed on the user’s computer by the web server accessed via the browser used. The stored cookie information may contain both an identifier (cookie ID), which is used to recognize the user, and content information such as login status or information about websites visited. The browser sends the cookie information back to the web server on subsequent, new visits to this page with each request. Most browsers accept cookies automatically.
Third countries: Countries outside the European Union (EU)
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), available here.
Personal data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements
Services: Our offers to which this privacy policy applies (see scope of application)
Tracking: The collection of data and its evaluation with regard to the behavior of visitors to our services.
Tracking technologies: Tracking can take place both via the activity logs stored on our web servers (log files) and by means of data collection from your end device via pixels, cookies and similar tracking technologies.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Pixel: Pixels are also known as tracking pixels, web beacons or web bugs. These are small, invisible graphics in HTML e-mails or on websites. When a document is opened, this small image is downloaded from a server on the Internet and the download is registered there. This allows the server operator to see if and when an e-mail has been opened or a website visited. This function is usually implemented by calling up a small program (JavaScript). In this way, certain types of information can be recognized and passed on to your computer system, such as the content of cookies, the time and date of the page view and a description of the page on which the tracking pixel is located.
2. Scope of application
This privacy policy applies to the following offers:
- our online offering “Privacy Policy / Blue Ocean Entertainment AG / Lissy Pony” (website), available in particular at www.lissypony.de/en,
- whenever reference is made to this Privacy Policy from one of our offerings (e.g. websites, subdomains, mobile applications, web services or integrations into third-party sites), regardless of how you access or use it.
All of these offers are also collectively referred to as “services”.
3. Controller
The person responsible for data processing – i.e. the person who decides on the purposes and means of processing personal data – in connection with the Services:
Blue Ocean Entertainment AG
P.O. Box 1223
77602 Offenburg – Germany
4. Data protection officer
Contact our data protection officer:
Via the address given under I.3 (for the attention of the Data Protection Department) or via:
E-mail: blue-ocean-ag@datenschutzanfrage.de
Telephone: +49 781 / 639 – 6100
Fax: +49 781 / 639 – 6101
II. The data processing in detail
In this section of the data protection declaration, we inform you in detail about the processing of personal data in the context of our services. For the sake of clarity, we have organized this information according to certain functionalities of our services. During normal use of the services, different functionalities and therefore also different processing operations may be carried out consecutively or simultaneously.
1. General information on data processing
Unless otherwise stated, the following applies to all processing described below:
a) No obligation to provide & consequences of non-provision
The provision of personal data is not required by law or contract and you are not obliged to provide data. We will inform you during the input process if the provision of personal data is required for the respective service (e.g. by labeling it as a “mandatory field”). If data is required, failure to provide it will mean that the service in question cannot be provided. Otherwise, failure to provide the data may mean that we are unable to provide our services in the same form and quality.
b) Consent
In various cases, you have the option of giving us your consent to further processing in connection with the processing described below (possibly for some of the data). In this case, we will inform you separately in connection with the submission of the respective declaration of consent about all modalities and the scope of the consent and about the purposes that we pursue with this processing. The processing operations based on your consent are therefore not listed here again (Art. 13 (4) GDPR).
c) Transfer of personal data to third countries
If we transfer data to third countries, i.e. countries outside the European Union, the transfer takes place exclusively in compliance with the legally regulated admissibility requirements.
If the transfer of data to a third country does not serve to fulfill our contract with you, we do not have your consent, the transfer is not necessary for the assertion, exercise or defense of legal claims and no other exception under Art. 49 GDPR applies, we will only transfer your data to a third country if an adequacy decision pursuant to Art. 45 GDPR or suitable guarantees pursuant to Art. 46 GDPR exist.
By concluding the EU standard data protection clauses issued by the European Commission with the receiving body, we fulfill the requirements for verification with regard to suitable guarantees in accordance with Art. 46 para. 2 lit. c) GDPR, as well as with regard to an adequate level of data protection in the third country. Copies of the EU standard data protection clauses are available on the European Commission’s website.
d) Hosting with external service providers
Our data processing is carried out to a large extent using so-called hosting service providers, who provide us with storage space and processing capacities in their data centers and also process personal data on our behalf in accordance with our instructions. Personal data may be transmitted to hosting service providers for all of the functionalities listed below. These service providers either process data exclusively in the EU or we have guaranteed an adequate level of data protection with the help of the EU standard data protection clauses (see c.).
e) Transmission to state authorities
We transfer personal data to state authorities (including law enforcement authorities) if this is necessary to fulfill a legal obligation to which we are subject (legal basis: Art. 6 para. 1 letter c) GDPR) or if it is necessary for the assertion, exercise or defense of legal claims (legal basis Art. 6 para. 1 letter f) GDPR).
f) Storage duration
The “Storage period” section indicates how long we use the data for the respective processing purpose. After expiry of this period, the data will no longer be processed by us, but will be deleted at regular intervals, unless continued processing and storage is provided for by law (in particular because it is necessary to fulfill a legal obligation or to assert, exercise or defend legal claims) or you give us further consent.
g) Functional duration of cookies
Some of the data processing described in the following sections is carried out using cookies. The information stored in a cookie can only be accessed via the Internet by the operator of the web server that originally set the cookie. Access by third parties in this way is not possible. Cookies have different functional durations. Some cookies are only active during a browser session and are then deleted, others function for longer periods, but usually for less than a year. A cookie is deleted by the browser at the end of its functional life. You can manage cookies using the browser functions (usually under “Options” or “Settings”). In this way, the storage of cookies can be deactivated, made dependent on your consent in individual cases or otherwise restricted. You can also delete cookies at any time.
h) Designation of data categories
In the following sections, the following summarizing category designations are used for certain types of data:
Access data: Date and time of the visit to our service; the page from which the accessing system reached our site; pages accessed during use; session identification data (session ID); also the following information of the accessing computer system: internet protocol address (IP address) used, browser type and version, device type, operating system and similar technical information.
i) Data collection from public sources
We collect personal data from publicly accessible sources. Publicly accessible sources include, in particular, publicly accessible websites, all public directories that are available to the general public (telephone number and similar directories) and public registers, even if they may require a login (e.g. commercial register).
We process all categories of data that are stored in publicly accessible sources. This may include, for example, personal master data, address data, contact data, payment data, order data and all other categories of data, such as interests, preferences, affinities and similar.
The data is collected for the purpose of fulfilling the principle of correctness in accordance with Art. 5 para. 1 letter d) GDPR, if necessary for the purpose of contract execution in accordance with Art. 6 para. 1 letter b) GDPR, if necessary for the purpose of law enforcement and debt collection in accordance with Art. 6 para. 1 letters b) and f) GDPR, as well as for the purpose of direct advertising that is as interest-oriented as possible in accordance with Art. 6 para. 1 letter f) GDPR in conjunction with Recital 46 GDPR.
2. Accessing our services
Below we describe how your personal data is processed when you access our services (e.g. loading and viewing the website, opening and navigating within the mobile device app). In addition, we use technically or legally necessary auxiliary tools that do not collect any data themselves (such as a tag manager), but only serve the security of the website, the administration and operation of other tools or the administration of consents given by you (Consent Management Platform). In particular, we would like to point out that the transmission of access data to external content providers (see under b.) is unavoidable due to the technical functioning of information transmission on the Internet. The third-party providers themselves are responsible for the data protection-compliant operation of the IT systems they use. The decision on the storage period of the data is the responsibility of the service providers.
a) Purpose of data processing and legal basis and, where applicable, legitimate interests, storage period
Data category: Access data
Intended purpose:
Connection establishment; presentation of the contents of the service; detection of attacks on our site based on unusual activities; error diagnosis
Legal basis:
Art. 6 para. 1 letter f) GDPR
Legitimate interest pursued by us:
Proper functioning of the services; security of data and business processes; prevention of misuse; prevention of damage caused by interference with information systems
Storage duration: 4 weeks
b) Recipients of the personal data
Recipient category:
External content providers who provide content (e.g. images, videos, embedded posts from social networks, advertising banners, fonts, update information, shortened links) required to display the service
Data concerned: Access data
Legal basis:
Art. 6 para. 1 letter f) GDPR
Legitimate interest pursued by us:
Proper functioning of the services; (accelerated) display of content
Recipient category: IT security service provider
Data concerned: Access data
Legal basis:
Art. 6 para. 1 letter f) GDPR
Legitimate interest pursued by us:
Prevention of attacks by exploiting security gaps / vulnerabilities
III. Rights of data subjects
1. Right to object
If we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
You also have the right to object, on grounds relating to your particular situation, at any time with future effect to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
You can exercise your right to object free of charge. You can reach us via the contact details listed under I.4.
2. Right to information
You have the right to request confirmation from us as to whether personal data concerning you is being processed and, if so, to request information about this personal data and the other information listed in Art. 15 GDPR.
3. Right to rectification
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you (Art. 16 GDPR). Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data – also by means of a supplementary declaration.
4. Right to erasure (“right to be forgotten”)
You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the grounds specified in Art. 17 (1) GDPR applies and the processing is not necessary for one of the purposes specified in Art. 17 (3) GDPR.
5. Right to restriction of processing
You are entitled to request a restriction on the processing of your personal data if one of the conditions set out in Art. 18 para. 1 letters a) to d) GDPR is met.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us, subject to the conditions set out in Art. 20 (1) GDPR. When exercising the right to data portability, you have the right to have the personal data transmitted directly from us to another controller, insofar as this is technically feasible.
7. Right to withdraw consent
If the processing is based on your consent, you have the right to withdraw your consent at any time. This does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
8. Right to lodge a complaint
You have the right to lodge a complaint with the supervisory authority responsible for our company. The supervisory authority responsible for our company is:
Der Landesbeauftragte für den Datenschutz Baden-Württemberg, P.O. Box 10 29 32, 70025 Stuttgart, https://www.baden-wuerttemberg.datenschutz.de/
Status: 08.04.2024