Collection and Use of Personal Data
This privacy notice informs you about the collection of personal data when you use our website. Personal data means any information that identifies you or can be used to identify you, e.g. name, address, email addresses, user behaviour.
The controller pursuant to Article 4 (7) General Data Protection Regulation (GDPR) is
Berghain OstGut GmbH
Rüdersdorfer Straße 70
Our Data Protection Officer can be contacted at firstname.lastname@example.org or by writing to us and addressing your letter c/o “The Data Protection Officer“.
If, to provide individual functions of our offer, we make use of any contracted service providers or if we wish to use your data for advertising purposes, we will inform you in detail about the respective processes below. We will also specify criteria for how long we store your data.
You are entitled to the following rights towards us regarding your personal data:
- Right to information,
- Right to rectification or deletion,
- Right to restriction of processing,
- Right to object to the processing,
- Right to data portability.
To exercise your rights, you can contact the controller or the Data Protection Officer, using the above contact details.
You also have the right to complain to the data protection supervisory authorities about our processing of your personal data.
Objection against the processing of your data or withdrawal of consent
If you have consented to the processing of your data, you may withdraw such consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Where we base the processing of your personal data on the balancing of interests, you may object to such processing. This is the case if said processing is not required for fulfilling a contract to which you are a party, but for other purposes, details of which we will provide in the description of those processes below. When exercising such an objection, we ask you to give the reasons why we should not process your personal data in the manner we intend. In the event of your justified objection, we will examine the situation and either cease to process your data, or adjust data processing, or point out to you our compelling legitimate grounds for continuing to process your data.
Obligation to provide personal data
You are not obliged to provide the personal data collected on this website. There is no legal, contractual or other obligation, nor is the provision of your personal data required to conclude a contract. Insofar as the data collection is required for a faultless display of this website, data are collected automatically during buildup of the website or after you have provided your consent.
Contacting us or subscribing to our newsletter is usually not possible without providing the minimum data.
To place orders in our online shop, the corresponding mandatory details are required for the conclusion of the purchase contract and the execution of the payment. A purchase is not possible without this information.
Collection of personal data when you visit our website
When you visit our website for information purposes only, i.e. if you do not register or otherwise provide information to us, we only collect the personal data that your browser transmits to our server. When you visit our website we will collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security (the legal basis being Article 6(1) 1 lit. f GDPR):
- IP address
- Date and time of the request
- Content of the request (specific page)
- Access status/HTTP status code
- Website transmitting the request
- Bytes downloaded
- Operating system and interface
- Language and version of the browser software.
The above data will be stored in a so-called log file for the duration of 7 days, after which it will be deleted. Data, the further retention of which is required for evidentiary purposes, is exempt from deletion until the respective incident has been finally clarified.
This website is hosted by an external hosting provider. The personal data collected on this website are stored on the hosting provider's servers. We use Hetzner Online GmbH as a hosting provider. To ensure data processing compliant with data protection laws, we have concluded a data processing agreement according to Article 28 GDPR with our hosting provider.
Videos and photos are delivered via the content delivery network of Bunny.net. Bunny.net is a service of the EU provider "BunnyWay d.o.o." based in Slovenia. Our image files are stored both on servers in the EU and the US. Depending on a visitor’s location, image data are retrieved either from data centres used by "bunny.net" in the EU or the USA. If a user is located in the EU, data will usually be retrieved from a German or EU data centre. We have concluded a data processing agreement according to Article 28 GDPR with "BunnyWay d.o.o.".
We have commissioned an agency – A Color Bright – with the development and administration of our website. A Color Bright thus has access to the above-mentioned technical data. To ensure data processing compliant with data protection laws, we have concluded a data processing agreement according to Article 28 GDPR with A Color Bright.
In addition to the aforementioned data, cookies are stored on your computer when you visit our website. Cookies are small text files that your browser stores on your hard drive which transmit certain information back to the party that has set the cookie (in this case, us). Cookies cannot run programs or transfer viruses to your computer. Insofar as these cookies are not absolutely necessary for the operation of this website, they will only be stored after you have consented in the displayed cookie banner. In the case of this website, this is only relevant in the online shop.
Storage of those cookies which are required for this website to properly function, is based on § 25 (2) Nr. 2 TTDSG. All other cookies will only be stored once you have consented to their use, the legal basis in these cases being § 25 (1) TTDSG in connection with Article 6 (1) a GDPR. You can revoke your consent at any time using the link in the footer.
This website uses the following types of cookies; the scope and functionality of which are explained below:
- Transient cookies
- Persistent cookies
Transient cookies are automatically deleted when you close your browser. They include, in particular, session cookies. They store a so-called session ID, which allows separate requests of your browser to be assigned to the same session. This will enable us to recoginse your computer when you return to our website. Session cookies also include the cookies that we use to ensure the correct display of our website on the device used by you. Session cookies will be deleted when you log out or close the browser.
Persistent cookies will automatically be deleted after a specified period of time, which may vary depending on the cookie. You may delete cookies at any time in the security settings of your browser.
The following is an overview of cookies used on this website with details of purposes, storage period and provider:
Cookies which are required for this website to function:
Name / Provider / Purpose / Duration
- csrftoken / Berghain / Security against attacks ("Cross Site Request Forgery protection"). This cookie is only set for admins who are logged into the backend. / 364 days
- sessionid / Berghain / Is used to log into the backend and is also only used by logged-in admins. / Session
- django_language / Berghain / Required / to deliver the website in the user's preferred language / 1 week
Name / Provider / Purpose / Duration
- _ab / Shopify / Used in connection with access to admin. / 2 years
- _secure_session_id / Shopify / Used to track a user's session through the multi-step checkout process and keep their order, payment and shipping details connected. / 24 hours
- _shopify_country / Shopify / For shops where pricing currency/country set from GeoIP, that cookie stores the country we've detected. This cookie helps avoid doing GeoIP lookups after the first request. / session
- _shopify_m / Shopify / Used for managing customer privacy settings. / 1 year
- _shopify_tm / Shopify / Used for managing customer privacy settings. / 30 minutes
- _shopify_tw / Shopify / Used for managing customer privacy settings. / 2 weeks
- _storefront_u / Shopify / Used to facilitate updating customer account information / 1 minute
- _tracking_consent / Shopify / Used to store a user's preferences if a merchant has set up privacy rules in the visitor's region. / 1 year
- c / Shopify / Used / in connection with checkout. / 1 year
- Warenkorb / Shopify / Used in connection with shopping cart. / 2 weeks
- cart_currency / Shopify / Set after a checkout is completed to ensure that new carts are in the same currency as the last checkout. / 2 weeks
- cart_sig / Shopify / A hash of the contents of a cart. This is used to verify the integrity of the cart and to ensure performance of some cart operations. / 2 weeks
- cart_ts / Shopify / Used in connection with checkout. / 2 weeks
- cart_ver / Shopify / Used in connection with shopping cart. / 2 weeks
- Checkout / Shopify / Used in connection with checkout. / 4 weeks
- checkout_token / Shopify / Used in connection with checkout. / 1 year
- dynamic_checkout_shown_on_cart / Shopify / Used in connection with checkout. / 30 minutes
- hide_shopify_pay_for_checkout / Shopify / Used in connection with checkout. / session
- keep_alive / Shopify / Used in connection with buyer localization. / 2 weeks
- master_device_id / Shopify / Used in connection with merchant login. / 2 years
- previous_step / Shopify / Used in connection with checkout. / 1 year
- remember_me / Shopify / Used in connection with checkout. / 1 year
- shopify_pay / Shopify / Used in connection with checkout. / 1 year
- shopify_pay_redirect / Shopify / Used in connection with checkout. / 30 minutes, 3 weeks or 1 year, depending on value
- storefront_digest / Shopify / Stores a digest of the storefront password, allowing merchants to preview their storefront while it's password protected. / 2 years
- tracked_start_checkout / Shopify / Used in connection with checkout. / 1 year
- checkout_one_experiment / Shopify / Used in connection with checkout. / session
- checkout_session_lookup / Shopify / Used in connection with checkout. / 3 weeks
- checkout_session_token_<<id>> / Shopify / Used in connection with checkout. / 3 weeks
Name / Provider / Purpose / Duration
- _landing_page / Shopify / Track landing pages. / 2 weeks or session
- _orig_referrer / Shopify / Track landing pages. / 2 weeks or session
- _s / Shopify / Shopify analytics. / 30 minutes or session
- _shopify_d / Shopify / Shopify analytics. / session
- _shopify_fs / Shopify / Shopify analytics. / 30 minutes or session
- _shopify_s / Shopify / Shopify analytics. / 30 minutes or session
- _shopify_sa_p / Shopify / Shopify analytics relating to marketing & referrals. / 30 minutes or session
- _shopify_sa_t / Shopify / Shopify analytics relating to marketing & referrals. / 30 minutes or session
- _shopify_y / Shopify / Shopify analytics. / 1 year or session
- _y / Shopify / Shopify analytics. / 1 year or session
- _shopify_evids / Shopify / Shopify analytics. / session
- _shopify_ga / Shopify | Google / Shopify and Google analytics. / session
Contacting us via email
When you contact us by email, we will store the data you provide (your email address and – where applicable – your name, telephone number and your message) in order to answer your query. Once storage is no longer required, we will delete all data collected with regard to your query or will restrict processing if statutory retention obligations exist.
We process these data to respond to your request. Said processing is based on a contractual basis (Article 6 (1) b GDPR) where this relates to questions about your purchase of our products. With regards to general customer service and answering your queries, said processing takes place for the purposes of our legitimate interests (Article 6 (1) f GDPR), as it enables us to provide you with satisfactory customer service.
You may purchase online tickets for our concerts or other events on our website, without entering the online shop described below. We require your email address to deliver the ticket to you. For technical reasons, the server will assign you a session ID for the duration of your purchase. When you close the browser window, this session ID will be deleted.
To complete your purchase, we will redirect you to Paypal so that you can make your payment there. Paypal is a service provided by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. You can view the Paypal privacy notice here:
We will store your email address, the ticket ID, confirmation details of your payment provided by Paypal and the time stamp of the purchase until the date of the event to enable us to to carry out the admission and for any queries from your side. These data will be deleted a week after the event, unless such data as we are required by law to store for tax purposes.
You may consent to receiving our newsletters. The newsletter "Berghain News" contains information about events at Berghain and is sent out at irregular intervals. The newsletter Ostgut Ton News contains information on new label releases and is sent out at irregular intervals.
We use Mailjet to send our newsletters. Mailjet is a service provided by Mailgun Technologies, Inc, 112 E Pecan St #1135, TX 78205 San Antonio, US. When you call up the registration form for our newsletters and consent, we will transfer the data you have provided to Mailjet. The obligation of Mailjet to handle your data according to the GDPR and to take suitable technical and organisational measures for data security has been specified in a data processing agreement. Mailjet generally processes your data on servers in the EU. Notwithstanding this commitment, data may be transferred to countries outside the EU, such as the USA or India, within the Mailgun Group or to sub providers used by Mailjet for support purposes. Countries such as the USA and India do not have a level of data protection equivalent to the EU. They are therefore also referred to as so-called "unsafe third countries". In particular, there is currently no adequacy decision by the European Commission for these countries. Security authorities in these countries may have access to personal data processed by Mailjet and affiliated companies and subcontractors without you being able to seek redress. We have concluded the so-called standard data protection clauses approved by the European Commission in accordance with Art. 46 DSGVO in the variant Controller-Processor (Module 2) for these cases with Mailgun Technologies. You can download the text of the standard data protection clauses here:
We use the so-called double opt-in procedure for our newsletter subscription. This means that we will send you a confirmation email after receiving your registration. In this email we will ask you to confirm that you do in fact want to receive our newsletter. If you do not confirm your subscription, your email address will not be added to our list. In addition, we will store the IP addresses used for and the time and date of your registration and confirmation. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data. Our legitimate interests result from the aforementioned purpose. The legal basis is Article 6 (1) f GDPR.
Once you have verified your email address, we will store this and, if provided, your name, for the purpose of sending you the newsletter. The legal basis is Article 6 (1) a GDPR.
With your consent we will track your user behaviour in relation to our newsletter. This means that we can track whether you open the newsletter emails we send and how often and on which links you have clicked in the newsletter emails we send. We do this to optimize the content of the newsletter and to provide you with information and offers which may be of interest to you. This is a legitimate interest, the legal basis is Article 6 (1) f GDPR.
You may withdraw your consent and cancel your subscription of our newsletter at any time. Simply click on the appropriate link provided in every newsletter email, write to us at email@example.com or by send a message to the contact details provided in the legal notice (imprint).
We review our mailing list regularly with a view to whether storage of the email addresses contained is still required. As such, we will delete undeliverable or unsubscribed email addresses. We will delete your consent, email address and all associated user data within 3 years if you revoke your consent. This additional storage period is based on our legitimate interest to prove that consent was given at the time of sending for any future legal disputes and thus on the basis of Art. 6 (1) f GDPR.
Use of our webshop
To complete purchases in our web shop, we will require such personal data as is necessary for the completion of your order and thus the conclusion of our contract with you. Mandatory information required for the execution of this contract is marked separately, any further information may be provided voluntarily. Specifically, we collect the following data
- Last name
- First name
- Delivery address
- Invoice address
- Payment details
- Phone (optional)
- Company name (optional)
We will process the data provided by you to fulfil your order, the legal basis for this being Article 6 (1) b GDPR.
We may also process the information you provide to inform you about other interesting products we offer or to send you emails containing technical information.
We are obliged by law to store your address, payment and order details for a period of ten years.
Our webshop uses the Shopify platform, which is provided by Shopify International Limited, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. We have concluded a data processing agreement according to Article 28 GDPR with Shopify, regulating how Shopify may process your personal data.
Only upon your visit to the webshop area on our website, will a connection to Shopify’s servers be established. Cookies used by Shopify will only be stored when you use the respective services. Additionally, we have configured our webshop to ensure that any communication while you browse our webshop pages will happen directly between our web server and the Shopify server. This means that no user data (order data, products viewed or added to the shopping cart) will initially be transmitted to Shopify. Your data will be transmitted once you begin the checkout.
Shopify will process your data primarily on servers in the US and has committed to do so in accordance with data protection laws in a data processing agreement. Shopify may use sub providers to process your personal data, such as Google Analytics and Cloudflare. The legal basis for the transfer of your personal data to Shopify servers in the US is Article 49 (1) b GDPR, as it is required to conclude your purchase or for pre-contractual measures. The EU Commission holds that there is no adequate level of data protection in the US, which may result in access to your personal data by US authorities. You as a EU citizen may not have access to legal remedy or appeals.
Apart from the data specified above, Shopify will process the following data for us:
- Information on orders placed
- If you contact the Shopify support by phone, Shopify will process your phone number, audio contents and information provided by you during the call, as well as information to verify your identity, so as to handle your support request
- If you contact the Shopify support via chat, Shopify will process information provided by you, such as your name, email-address, the chat protocol and any other details, as well as information to verify your identity, so as to handle your support request
The legal basis is Article 6 (1) b GDPR, insofar as it concerns online shop functions such as shopping cart, checkout, navigation and order fulfilment or questions you may have about your orders.
In any other cases, the legal basis is our legitimate interest in the secure and unobstructed provision of our webshop, and thus Article 6 (1) f GDPR.
For any cookies stored because they are required for the proper functioning of our webshop, the legal basis is § 25 (2) no. 2 TTDSG. To the extent that information is stored in cookies only with your consent, the legal basis is § 25 (1) TTDSG in conjuction with Article 6 (1) a GDPR. You may revoke your consent at any time via the link in the footer of our webshop.
Shopify is the controller according to Article 4 GDPR when it comes to any processing of personal data for the use of those Shopify services aimed at Shopify users directly. Information about these purposes and how Shopify will process your personal data can be found in the Shopify privacy notice:
To prevent unauthorized access to your personal data - especially payment data - the tramsmission of your order is encrypted using TLS technology.
You have the following options when it comes to payment: Paypal Express, Paypal, credit card. Payments by credit card are processed by Shopify, with Shopify using your data only on our behalf. If you pay via Paypal or Paypal Express, we will forward you to Paypal to finalise your order. You may then initiate payment on Paypal’s web portal. Paypal is responsible for the processing of your personal data for purposes of payment, fraud prevention or credit checks. Please address any questions to Paypal directly:
Paypal and Paypal Express are services provided by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. The Paypal privacy notice can be found here:
Your orders will be shipped by Hermes or DHL. So that we can deliver your purchase, we will share your name and delivery address with the respective shipping provider.
To protect your privacy, no external content is integrated on our website. Videos (insofar as they are not embedded using the above content delivery network), sound players etcetera are integrated using external links. To play this content, you will be redirected to the websites of the respective providers, who are responsible for the provision of these websites.
We maintain company profiles on the following social networks - as detailed below – so as to facilitate communication with users and interested parties and to provide further information or content: Facebook, Twitter, Instagram, YouTube, Ello, SoundCloud, MixCloud, Bandcamp.
Please note that user personal data may be processed outside the European Union. This can result in risks for the users, for instance enforcing the users' rights might be more difficult.
If you leave us messages or comment on these profiles, we will process your personal data to communicate with you. This represents a legitimate interest; the legal basis is Article. 6 (1) f GDPR. No further storage of communication data takes place outside these networks on our part.
The terms and conditions of the providers of these platforms apply. Be aware that we cannot provide further information as to any personal data processed by these providers during your visit to the above networks. We kindly ask you to refer directly to the information provided by these platforms and have included links to privacy policies or other relevant information below.
Also, should you have any access requests or would like to assert your data subject rights, we would like to point out that these can most effectively be asserted with the providers. Only they have access to their users’ data and can take appropriate measures and provide information directly. Should you nevertheless require assistance, you may of course contact us.
Details of the provider: Instagram is a service provided by Meta Platforms Ireland Ltd („Meta“), 4, Grand Canal Quay, Grand Canal Bridge, Dublin 2, Ireland.
Information about Facebook Fanpages
Facebook Fanpages are provided by Meta Platforms Ireland Ltd („Meta“), 4, Grand Canal Quay, Grand Canal Bridge, Dublin 2, Ireland. We are jointly responsible with Meta for the collection of the personal data of visitors to our Facebook page – but not for any further processing by Meta. We have concluded a joint control agreement with Meta, which is available here:
Meta has agreed to take care of data subjects’ rights. Users may, for example, send information or deletion requests directly to Meta. However, your rights as data subjects (especially to information, deletion, objection and complaints to the competent supervisory authority) are not restricted in any way by our agreements with Meta.
See "Things you and others do and provide" in the Facebook Data Policy Statement to find out more about the personal data included, such as information about the types of content users view or interact with, or the actions they take:
As for information collected about user’s devices, see "Device Information" - this may include IP addresses, operating system, browser type, language settings or cookie information. Meta also collects and uses information to provide analytics services, called "page insights", to page operators to help them understand how people interact with their pages and with content associated with them. Information by Meta on the "Insights" pages can be found here:
Details of the provider: Twitter is a service provided by Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland.
Details of the provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Details of the provider: SoundCloud Limited, Rheinsberger Str. 76/77, 10115 Berlin, Germany.
Details of the provider: MixCloud Limited, 447 - 453 Hackney Road, London, E2 9DY, Great Britain.
Details of the provider: Bandcamp LLC, 48 Gold St San Francisco, CA, 94133-5103, US.
Details of the provider: Talenthouse Ltd, Templeman House C1 The Point Office Park, Weaver Road, Lincoln, Lincolnshire, LN6 3Q, Great Britain.
End of Privacy Notice