CER events within the "TW-Sportsoft" app
We treat all personal data confidentially. Our data protection practice is in accordance with the applicable data protection regulations. We inform you about the details of data protection below.
1.Scope and subject of data processing
TW Services GmbH & Co. KG, Entenseestr. 2 5, 90607 Rückersdorf ("TW Services") acts as controller according to applicable data protection law for the operation of the superordinate app "TW-Sportsoft". Information on data processing by TW Services can be found within the app on the start screen under the menu item "Settings".
2.Person responsible for data processing
Central European Rally Event GmbH
Ridlerstr. 35, 80339 Munich
Tel.: +49 (0)89/5195-102
3.Data processing when contacting us
In case of contacting us by e-mail or via a contact form, your e-mail address and, if provided by you, your name and message will be stored by us in order to answer your questions. We delete the data accrued in this context after the storage is no longer necessary or - in the case of statutory storage obligations - restrict the processing. If you register for our app, we process your identification data for registration and verification purposes.
The legal basis of the processing is our legitimate interest in answering your enquiries within the meaning of Art. 6 (1) 1 lit. f) GDPR. If you contact us in connection with the conclusion of a contract, the legal basis is Art. 6 (1) 1 lit. b) GDPR.
4.Data processing when using the app
In this section, we inform you about the respective data processing within the app. If we use commissioned service providers for individual functions of our offer, we will inform you in detail about the respective processes below.
4.1.Provision of the event records
Within the framework of the "TW-Sportsoft" app, we provide records for the various events of the series of events. We act as controller according to applicable data protection law with regard to the respective records, as well as regarding the data processing that occurs during the use of the event records. In this relationship, TW Services GmbH & Co KG, Entenseestr. 2 5, 90607 Rückersdorf ("TW Services") acts as a processor. This means that we have concluded a contract with TW Services for commissioned data processing within the meaning of Art. 28 GDPR, under which TW Services is bound by our instructions. You will find information on data processing by TW Services within the app on the home screen under the menu item "Settings".
4.2.Use of the event information
When accessing event information, a connection to our servers is established. When the connection is established, the data described below is collected to enable the use: IP address; date and time of the request; time zone difference to Greenwich Mean Time (GMT); content of the request (specific page); access status/HTTP status code; amount of data transferred in each case; website from which the request originates (so-called referrer); browser or used app; operating system and interface; language and version of the browser software.
The collection of this data is necessary to offer you the functions of the app and to ensure stability and security. The legal basis is therefore our legitimate interest within the meaning of Art. 6 (1) 1 lit. f) GDPR.
For the Central European Rally we use the service "Crowd Management Platform", which is offered by PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft, Friedrich-Ebert-Anlage 35-37, 60327 Frankfurt am Main ("PwC").
This service enables us to visually display and track visitor flows during the event and to take countermeasures at critical points, such as pointing out less busy spectator points in the event of traffic congestion during arrival or departure or if spectator points are overcrowded. We also use the collected data to make predictions about how visitor flows will develop or move in detail, in order to be able to redirect these visitor flows at an early stage if possible.
The collected data is stored as a Universally Unique ID (UUID), so that this data is pseudonymous for us, but direct inference to an individual person is not possible. We do not use this data to track the movements of individual people. After the event we evaluate the data statistically so that we can derive insights for improved visitor guidance and/or improved organisation of the events for future events. The data will be deleted no later than fourteen months after the event.
For these purposes, we collect location and movement data (hereinafter "mobility data"). With the help of the app, we initially collect your mobility data on the basis of GPS data. This enables us to recognise at what time you are at a location determined by spatial coordinates. For this purpose, the GPS data is compared with geodata (e.g. maps, street maps, route maps, etc.). In exceptional cases, your mobile phone determines your location data by identifying the nearest mobile phone masts. In addition, we collect your mobility data on the basis of acceleration patterns. We create these acceleration patterns using data from your mobile phone's accelerometer, gyroscope and magnetometer. This allows us to determine, for example, whether and for how long you are travelling on foot, by bicycle or in a motor vehicle.
When a Wi-Fi connection exists or, if switched on, via mobile data, your mobility data is transferred to a data centre in countries of the European Union (EU) and the European Economic Area (EEA) and stored there in a database. Your mobility data will be transferred exclusively using secure encryption methods.
For the aforementioned purposes, the following data are collected and processed in a pseudonymised form: Universally Unique ID (UUID); version of the respective operating system; version of the app; time of localisation and time of sending the data point to the data centre (time stamp); geo-position and accuracy of the geo-position (GPS); geographic orientation (compass direction); movement speed as well as gyro sensor/gyroscope values of the terminal device; magnetometer values of the terminal device .
We have concluded a contract with PwC for commissioned data processing within the meaning of Art. 28 GDPR. Therefore, PwC is bound by our instructions when using the Crowd Management Platform and we remain legally and factually responsible for the processing of personal data.
The legal basis for the data processing is your consent within the meaning of Art. 6 (1) 1 lit. a) GDPR, which you provide to us with regard to the individual events within the "TW Sportsoft" app. You can withdraw your consent at any time with effect for the future, whereby data collection and/or processing that has taken place until the withdrawal remains lawful. You can manage your consent in relation to the individual events on the start screen of the app under the menu item "Settings". Furthermore, you can prevent further transfer of location data by deactivating access to the location data for the app in the settings of the operating system. However, this does not constitute an effective withdrawal towards us because we do not get informed about the settings in the operating system of your device.
Personal data will be deleted or blocked as soon as the purpose of the storage no longer applies or if you request the deletion. The data will also be deleted if a storage period prescribed by the aforementioned standard expires, unless there is a need to continue the storage of the data for the conclusion or fulfilment of a contract or if you have given your consent in this regard.
6.Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights against the controller:
6.1.Right of access by the data subject
You may request confirmation from the controller as to whether personal data relating to you is being processed by us.
Where this is the case, you can request access to the personal data and the following information from the controller:
the purposes of processing;
the categories of personal data concerned;
the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
the envisaged period of the storage of the personal data relating to you or, if specific information is not possible, the criteria used to determine that period;
the existence of of the right to request from the controller rectification or erasure of personal data concerning you, or restriction of processing by the controller or to object to such processing;
the right to lodge a complaint with a supervisory authority;
any available information on the source of the personal data if the personal data is not collected from the data subject.
6.2.Right of rectification
You have a right of rectification and/or completion against the controller if the processed personal data concerning you are inaccurate or incomplete. The controller shall carry out the rectification without undue delay.
6.3.Right to restriction of processing
You may request the restriction of the processing of personal data concerning you under the following conditions:
if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of the use of the personal data;
the controller no longer needs the personal data for the purposes of processing, but you need it for the establishment, exercise or defence of legal claims, or
if you have objected to the processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds.
Where the processing of personal data relating to you has been restricted, those data may be processed, with the exception of their storage, only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a Member State.
If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
6.4.Right to erasure
6.4.1.Obligation to erase
You may request the controller to erase the personal data concerning you without delay and the controller has the obligation to erase this data without delay if one of the following reasons applies:
The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
You withdraw your consent on which the processing was based according to Art. 6 (1) 1 lit. a) or Art. 9 (2) lit. a) GDPR and there is no other legal basis for the processing.
You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
The personal data concerning you has been unlawfully processed.
The erasure of the personal data concerning you is necessary for compliance with a legal obligation in Union or Member State law to which the controller is subject.
The personal data concerning you was collected in relation to the offer of information society services offered pursuant to Art. 8 (1) GDPR.
6.4.2.Information to third parties
If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17 (1) of the GDPR, the controller, taking account of available technology and the cost of implementation, shall take reasonable measures to inform data controllers which are processing the personal data that you, as the data subject, have requested that they erase any links to, or copies or replications of, those personal data.
The right to erasure does not exist to the extent that processing is necessary
for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health in accordance with Art. 9 (2) lit. h) and lit. i) and Art. 9 (3) GDPR;
for the establishment, exercise or defence of legal claims.
6.5.Right to information
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right against the controller to be informed about these recipients.
6.6.Right to data portability
You have the right to receive the personal data concerning you which you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to whom the personal data has been provided, where
the processing is based on consent pursuant to Art. 6 (1) 1 lit. a) GDPR or Art. 9 (2) lit. a) GDPR or on a contract pursuant to Art. 6(1) 1 lit. b) GDPR and
the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another controller, where technically feasible. This must not affect the freedoms and rights of other persons.
6.7.Right of withdrawal of consent under data protection law
You have the right to withdraw your consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.
6.8.Automated individual decision-making including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision is necessary for entering into, or performance of, a contract between you and the controller, is authorised by Union or Member State law to which the controller is subject, and which lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or is made with your explicit consent.
However, these decisions must not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2) lit.a) or lit. g) GDPR applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.
6.9.Right to object
You have the right to object on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1) 1 lit. e) or f) GDPR; including profiling based on those provisions.
The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to processing of personal data concerning you for such marketing; which includes profiling to the extent that is related to such direct marketing. If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.
6.10.Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.