Privacy policy

Privacy policy – Hockenheimring GmbH

AS OF: June 2024

Preamble

This privacy policy is intended to inform you about the type and scope of processing of your personal data (hereinafter referred to as “data”). You will be informed about the types of personal data we process and the purposes for which we do so in the context of provision of our services and your use of our web pages, mobile applications and external online presence, such as our social media profiles.

How is the privacy policy structured?

Firstly, we provide an overview of the various types of processing. You will then be informed about your rights, before we move on to explain the types of processing in detail, organised according to the possible business relationships into which you can enter with us.

I. CONTROLLER

The controller within the meaning of Art. 4(7) GDPR is

Hockenheim-Ring GmbH
Am Motodrom 1
68766 Hockenheim, Germany

Tel.: +49 (0) 6205 950-0
Fax: +49 (0) 6205 950-299
Email: info@hockenheimring.de

represented by the managing directors Jorn Teske and Jochen Nerpel

We have appointed an external data protection officer. You can reach them using the contact details below:

External data protection officer
Kerberos Compliance-Managementsysteme GmbH
Im Zollhafen 24
50678 Cologne, Germany
datenschutz@kerberos-cms.com

You also have the option of submitting data protection enquiries by email to our internal data protection coordinator.

Their contact details are as follows: datenschutz@hockenheimring.de

II. DEFINITIONS

The following key terms are used in this privacy policy:

1. Personal data

Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. Data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the controller (our company).

3. Processing

Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

4. Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of restricting its future processing.

5. Profiling

Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

6. Pseudonymisation

Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

7. Processor

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

8. Recipient

A recipient is a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. However, authorities that may receive personal data in the context of a specific investigation mandate under Union law or the law of the Member States are not considered recipients.

9. Third party

A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

10. Consent

Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

III. OVERVIEW OF PROCESSING & LEGAL BASIS

Below we provide you with an overview of the types of personal data, the categories of data subjects and the purposes of processing.

1. Types of personal data:

• Inventory data
• Payment data
• Contact data
• Content data
• Contract data
• Usage data
• Meta, communication and process data
• Event data

2. Categories of data subjects

• Customers
• Employees
• Interested parties
• Communication partners
• Users
• Business and contractual partners
• Press partners

3. Purposes of processing

• Provision of contractual services and fulfilment of contractual obligations
• Contact enquiries and communication
• Management of and response to enquiries
• Provision of our online services and user-friendliness
• Security measures
• Office and organisational procedures
• Feedback, surveys and questionnaires
• Marketing
• Direct marketing
• Reach measurement
• Conversion measurement
• Tracking / click tracking
• Target group formation
• Information technology infrastructure

4. Relevant legal bases

Below you will find an overview of the legal bases on which the individual processing operations may be carried out. The specific legal basis is stated in the description of the processing below.

• Consent (Art. 6(1) sentence (1) point (a) GDPR) The data subject has given their consent to processing of their personal data for one or more specific purposes.
• Contract fulfilment or pre-contractual enquiries (Art. 6(1) sentence (1) point (b) GDPR) Processing is necessary for the execution of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal obligation (Art. 6(1) sentence (1) point (c) GDPR) Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6(1) sentence (1) point (f) GDPR) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

IV. DATA TRANSFER TO THIRD PARTIES AND THIRD COUNTRIES

Your personal data will not be transferred to third parties for purposes other than those specified. We only pass on your personal data to third parties if:

1. you have given us your express consent to do so in accordance with Art. 6(1) point (a) GDPR;

2. disclosure is permitted in accordance with Art. 6(1) point (f) GDPR to protect our legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data;

3. in the event that there is a legal obligation for disclosure pursuant to Art. 6(1) point (c) GDPR;

4. it is legally permissible and necessary for the processing of contractual relationships with you in accordance with Art. 6(1) point (b) GDPR.

As part of the processing operations described in this privacy policy, personal data may be transferred to the USA. Companies in the USA only have an adequate level of data protection if they have certified themselves under the EU-US Data Privacy Framework and thus the adequacy decision of the EU Commission pursuant to Art. 45 GDPR applies. We have explicitly stated this in the privacy policy for the service providers concerned. In order to protect your data in all other cases, we have concluded commissioned data processing agreements based on the standard contractual clauses of the European Commission. If the standard contractual clauses are not sufficient to establish an adequate level of security, your consent may serve as the legal basis for the transfer to third countries in accordance with Art. 49(1) point (a) GDPR. In some cases, this does not apply to data transfers to third countries for which the European Commission has issued an adequacy decision in accordance with Art. 45 GDPR.

V. RIGHTS OF DATA SUBJECTS

The GDPR provides a number of rights for data subjects affected by the processing of their data. These rights ensure that you can assert your right to self-determination as far as information is concerned.

1. Right to information Art. 15 GDPR

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you is being processed. If this is the case, you have a right to information about this personal data and to the information specified in detail in Art. 15 GDPR.

2. Right to rectification Art. 16 GDPR

You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you and, where applicable, the completion of incomplete personal data (Art. 16 GDPR).

3. Right to erasure Art. 17 GDPR

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay where one of the grounds listed in Art. 17 GDPR applies, e.g. if the data is no longer required for the purposes pursued (right to erasure).

4. Right to restriction of processing Art. 18 GDPR

You also have the right to obtain from the controller restriction of processing where one of the conditions listed in Art. 18 GDPR applies, e.g. if you have objected to processing.

5. Right to data portability Art. 20 GDPR

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, as the recipients of the personal data, as long as the processing is based on consent pursuant to Art. 6(1) point (a) GDPR or Art. 9(2) point (a) GDPR or on a contract pursuant to Art. 6(1) point(b) GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Furthermore, when exercising your right to data portability pursuant to Art. 20(1) GDPR, you have the right to obtain that the personal data be transferred directly from one controller to another controller, insofar as this is technically feasible and provided that this does not adversely affect the rights and freedoms of other persons.

6. Withdrawal of consent under data protection law Art. 7(3) GDPR

You have the right to withdraw your consent to the processing of personal data at any time with effect for the future. This does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal.

7. Right to object Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1) points (e) or (f) GDPR. The controller will then no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or processing is for the establishment, exercise or defence of legal claims (Art. 21 GDPR).

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of that personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for those purposes.

8. Right to lodge a complaint Art. 77 GDPR

Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR (Art. 77 GDPR). The data subject may exercise this right before a supervisory authority in the Member State of his or her habitual residence, place of work or place of the alleged infringement. The competent supervisory authority in Baden-Württemberg is:

The State Commissioner for Data Protection and Freedom of Information
P.O. Box 10 29 32
70025 Stuttgart, Germany

or:

Lautenschlagerstraße 20
70173 Stuttgart, Germany
Telephone: 07 11/61 55 41-0
Fax: 07 11/61 55 41-15

Email: poststelle@lfdi.bwl.de

Homepage: http://www.baden-wuerttemberg.datenschutz.de

You can contact us at any time at the address given in the legal notice if you have any further questions on the subject of data protection. Our data protection coordinator is also available to help you protect your rights at datenschutz@hockenheimring.de.

VI. DATA COLLECTION WHEN VISITING THE WEBSITE

1. Provision of the online service and web hosting

When you visit our website, we store certain information about the browser and operating system you are using, the date and time of your visit, the access status (e.g. whether you were able to access a web page or received an error message), the use of website functions, the search terms you may have entered, the frequency with which you access individual web pages, the name of files accessed, the amount of data transferred, the website from which you accessed our web pages and the website you visit from our web pages, whether by clicking on links on our web pages or by entering a domain directly in the input field of the same tab (or window) of the browser through which you opened our web pages.

For security reasons, in particular to prevent and recognise attacks on our website or attempts at fraud, we also store your IP address and the name of your internet service provider for a period of seven days. We use the personal data collected when you visit our website to operate it as conveniently as possible for you and to protect our IT systems from attacks and other illegal activities.

We only store other personal data if you provide us with it, e.g. in the course of registration, on a contact form, in a survey or to execute a contract, and even in these cases only insofar as we are permitted to do so on the basis of your consent or in accordance with the applicable legal provisions. If you provide us with further personal data, e.g. in the course of registration, on a contact form, in a survey or to execute a contract, we use this data for the purposes specified, for customer administration purposes and – if necessary – for the purposes of processing and invoicing for any business transactions, in each case to the extent necessary for that purpose.

You are neither legally nor contractually obliged to provide your personal data. However, it may be that certain functions of our website depend on the provision of personal data. If you do not provide personal data in these cases, this may result in functions not being available or only being available to a limited extent.
In order to provide our online services efficiently, we use the services of web hosting providers. This allows our online service to be managed by their servers. This also includes the provision of infrastructure and platform services, computing capacity, storage space and necessary security services.

The data processed as part of the provision of the hosting service may include any information relating to the users of our online service that is generated during use and communication. This includes:

• IP address of the requesting computer;
• date and time of access;
• name and URL of the retrieved file;
• amount of data transferred;
• notification of whether the retrieval was successful;
• recognition data of the browser and operating system used;
• website from which access is made;
• name of your internet access provider.

We collect data every time the server is accessed (so-called server log files). This is used to analyse attacks on our website and technical errors. The following information is recorded:

• the URL you requested;
• browser type/browser version;
• operating system used;
• http response code;
• referrer URL;
• host name of the accessing computer.

The recipient of the data is our web hosting provider TMC SOLUTION, Lupinenweg 6, 73635 Rudersberg, Germany. A commissioned data processing agreement has been concluded with the service provider in accordance with Art. 28 GDPR. The applicable legal basis for the use of web hosting providers and the temporary storage of data (log files) is Art. 6(1) point (f) GDPR.

2. Use of cookies

Our web pages use so-called “cookies”. Cookies are small data packets and do not cause any damage to your end device. They are either stored temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your end device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or they are automatically deleted by your web browser. Cookies may originate from us (first-party cookies) or from third-party companies (so-called third-party cookies). Third-party cookies enable integration of certain services from third-party companies within websites (e.g. cookies for processing payment services). Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping basket function or display of videos). Other cookies can be used to analyse user behaviour or for marketing purposes.

Cookies that are required to carry out the electronic communication process, to perform certain functions that you have requested (e.g. for the shopping basket function) or to optimise the website (e.g. cookies to measure the web audience) (necessary cookies) are stored on the basis of Art. 6(1) point (f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for technically error-free and optimised provision of its services. If consent to the storage of cookies and comparable recognition technologies has been requested, the processing is carried out exclusively on the basis of this consent (Art. 6(1) point (a) GDPR in conjunction with Section 25(1) sentence (1) of the German Telecommunications Digital Services Data Protection Act (TDDDG)); consent may be withdrawn at any time.

You can set your browser so that you are informed about placement of cookies and only allow cookies in individual cases, exclude acceptance of cookies for certain cases or in general and activate automatic erasure of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.

You can set your browser so that you are informed about placement of cookies and only allow cookies in individual cases, exclude acceptance of cookies for certain cases or in general and activate automatic erasure of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.

The cookie settings can be managed for the respective browsers under the following links:

• Google Chrome: https://support.google.com/chrome/answer/95647?hl=en&hlrm=en
• Mozilla Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences?redirect=no
• Internet Explorer: https://support.microsoft.com/en-us/windows/manage-cookies-in-microsoft-edge-view-allow-block-delete-and-use-168dab11-0753-043d-7c16-ede5947fc64d
• Safari: https://support.apple.com/en-gb/guide/safari/sfri11471/mac
• Opera: https://help.opera.com/en/latest/

3. Contact (telephone, email, form)

We process your data when you contact us (e.g. by email, post or telephone) or as part of an existing business relationship. Your data is processed if this is necessary to answer and process your enquiry.

The processing takes place on the basis of our legitimate interest in accordance with Art. 6(1) point (f) GDPR. Our legitimate interest lies in processing enquiries quickly and providing effective customer service.

You can contact us via the email addresses provided or by means of the contact forms. In this case, the user’s personal data (name, email, text message) transmitted with the email or the contact form will be stored. No data is passed on to third parties in this context. The data is used exclusively for processing the conversation.

The legal basis for the processing of personal data transmitted in the course of sending an email or contact request is Art. 6(1) point (f) GDPR. If the email contact is intended to conclude a contract, e.g. in the case of a driving experience enquiry or location booking enquiry, Art. 6(1) point (b) GDPR applies to the processing.

The data is erased as soon as it is no longer required to fulfil the purpose for which it was collected. For personal data sent by email or form, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified.

If the purpose of the contact is to enter into contractual negotiations within the meaning of Section 311(2) of the German Civil Code (BGB), we are obliged to store the communication for 6 years in accordance with Section 147 of the German Fiscal Code (AO) and Section 257 of the German Commercial Code (HGB).

We only use the data for the aforementioned purposes and store it in accordance with the statutory retention period. Otherwise the data from the contact form is only used in anonymised form for statistical purposes (e.g. number of enquiries, success rate of enquiries, etc.).

4. SSL or TLS encryption

Our website uses SSL or TLS encryption when it comes to the transmission of confidential or personal content of our users. This encryption is activated, for example, when processing payment transactions and for enquiries that you send to us via our website. Please ensure that SSL and/or TLS encryption is activated for corresponding activities on your part.

The use of encryption is easy to recognise: the display in your browser line changes from “http://” to “https://”. Data encrypted via SSL or TLS cannot be read by third parties. Only transmit your confidential information if SSL or TLS encryption is activated and contact us if in doubt.

5. Google reCAPTCHA

We use Google reCAPTCHA (hereinafter reCAPTCHA) on our website. This is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google group of companies based at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

The purpose of reCAPTCHA is to check whether the data input on our websites (e.g. on a contact form) is made by a human being or by an automated program. For this purpose, reCAPTCHA analyses the behaviour of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor accesses the website. To analyse this, reCAPTCHA evaluates various items of information (e.g. IP address, time spent on the website by the website visitor and mouse movements made by the user). The data collected during the analysis is forwarded to Google.

The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

These processing operations are only carried out if express consent has been granted in accordance with Art. 6(1) point (a) GDPR.

Further information about Google reCAPTCHA and Google’s privacy policy can be found under the following links: https://policies.google.com/privacy?hl=en and https://www.google.com/recaptcha/intro/android.html.

6. Google Tag Manager

We use the Google Tag Manager service on this website. The operating company of Google Tag Manager is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as Google). Google Ireland Limited is part of the Google group of companies based at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

This tool can be used to implement “website tags” (i.e. keywords that are integrated into HTML elements) and manage them via an interface. Google Tag Manager helps us to administer our website easily and control certain functions. Use of the tool means that your IP address is processed. The tool then triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If you have disabled a domain or cookie, this remains in place for all tracking tags that are implemented with Google Tag Manager. These processing operations are only carried out if express consent has been granted in accordance with Art. 6(1) point (a) GDPR in conjunction with Section 25(1) sentence 1 TDDDG.

The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

Further information about Google Tag Manager and Google’s privacy policy can be found at https://policies.google.com/privacy?hl=en.

7. Google Analytics (GA4)

We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as Google). Google Ireland Limited is part of the Google group of companies based at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

In this context, pseudonymised user profiles are created and cookies are used (see “Cookies”). The information generated by the cookie about your use of this website may include, but is not limited to:

• short-term recording of the IP address without permanent storage;
• location data;
• browser type/version;
• operating system used;
• referrer URL (previously visited page) and dwell time;
• time of the server request.

The pseudonymised data may be transferred by Google to a server in the USA and stored there. Google LLC, based in California, USA, and the US authorities may have access to the data stored by Google.

The information is used to analyse the use of the website, to compile reports on website activity and to provide other services relating to website activity and internet usage for the purposes of market research and needs-based design of this website. This information may also be transferred to third parties if this is required by law or if third parties process the data on our behalf. Under no circumstances will your IP address be merged with other Google data.

These processing operations are only carried out if express consent is given in accordance with Art. 6(1) point (a) GDPR in conjunction with Section 25(1) sentence 1 TDDDG.

The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

Further information on data processing by Google can be found under the following link: https://policies.google.com/privacy?hl=en.

8. YouTube

Some subpages of our website contain links to the YouTube service. In general, we are not responsible for the content of linked websites. In the event that you follow a link to YouTube, however, we would like to point out that YouTube stores the data of its users (e.g. personal information, IP address) in accordance with its own data usage guidelines and uses it for business purposes. The operating company of YouTube is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.

We also directly embed videos stored on YouTube on some pages of our website. As a result of this integration, content from the YouTube website is displayed in part of the browser window. When you call up a (sub)page of our website on which YouTube videos are integrated, a connection to the YouTube servers is established and the content is displayed on the website by notifying your browser.

The integration of YouTube content only takes place in “extended data protection mode”. YouTube provides this itself and thus ensures that YouTube does not initially store any cookies on your device. However, when the relevant pages are accessed, the IP address and, if applicable, other data are transmitted and thus, in particular, information about which of our websites you have visited. However, this information cannot be assigned to you unless you have logged in to YouTube or another Google service before accessing the page or are permanently logged in. When you start playing an embedded video by clicking on it, YouTube only stores cookies which do not contain any personally identifiable data in extended data protection mode, unless you are currently logged in to a Google service. These cookies can be prevented by appropriate browser settings and extensions.

Requesting the video also constitutes your consent to placement of the corresponding cookie (Art. 6(1) sentence 1 point (a) GDPR).

This US company is certified under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

You can consult YouTube’s privacy policy at https://policies.google.com/privacy?hl=en&gl=en.

9. Google Maps API

We use Google Maps (API) on our website. The operating company of Google Maps is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google group of companies based at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Maps is a web service for displaying interactive (land) maps in order to visualise geographical information. By using this service, we can show you our location, for example, making it easier for you to find us.

Information about your use of our website (such as your IP address) is transmitted to Google servers in the USA and stored there as soon as you access those pages on which the Google Maps map is integrated, provided that you have given your consent within the meaning of Art. 6(1) point (a) GDPR. In addition, Google Maps loads Google Web Fonts, Google Photos and Google stats. The provider of the services is also Google Ireland Limited. When you access a page that integrates Google Maps, your browser loads the web fonts and photos required to display Google Maps to your browser cache. The browser you are using also establishes a connection with Google’s servers for this purpose. As a result, Google is aware that our website has been accessed via your IP address. This occurs regardless of whether Google provides a user account through which you are logged in or no user account exists. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish the data to be assigned to your Google profile, you must log out of your Google user account. Google stores your data (even for users who are not logged in) as user profiles and analyses them. You have the right to object to the creation of these user profiles, in which case you must contact Google to exercise this right.

If you do not agree to future transmission of your data to Google when using Google Maps, you also have the option of completely deactivating the Google Maps web service by switching off the JavaScript application in your browser. Google Maps and therefore the map display on this website cannot be used in this case. These processing operations are only carried out if express consent has been granted in accordance with Art. 6(1) point (a) GDPR.

Google’s terms of use: https://policies.google.com/terms?hl=en&gl=en Terms of use for Google Maps: https://www.google.com/intl/en/help/terms_maps/.

The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

You can consult the data protection provisions for Google Maps (under “Google Privacy Policy”) at: https://policies.google.com/privacy?hl=en&gl=en.

10. consentmanager

We use the consent management platform “Consentmanager” of consentmanager AB, Haltegelvägen 1b, 72348 Västeras, Sweden. This service enables us to obtain and manage the consent of website users for data processing. Consentmanager collects data generated by end users who use our website. When an end user gives consent, Consentmanager automatically logs the following data:

• browser information;
• date and time of access;
• device information;
• the URL of the page visited;
• banner language;
• consent ID;

the consent status of the end user, which serves as proof of consent.

The consent status is also stored in the end-user’s browser so that the website can automatically read and follow the end-user’s consent on all subsequent page requests and future end-user sessions for up to 12 months. The consent data (consent and withdrawal of consent) is stored for three years. The retention period corresponds to the regular limitation period in accordance with Section 195 BGB. The data is then erased immediately.

The functionality of the website cannot be guaranteed without the processing described above. The user has no right to object as long as there is a legal obligation to obtain the user’s consent for certain data processing operations (Art. 7(1), 6(1) sentence (1) point (c) GDPR).

Consentmanager is the recipient of your personal data and acts as a commissioned processor for us. The data processing takes place exclusively in the European Union.

Detailed information about the use of Consentmanager can be found at https://www.consentmanager.net/privacy/.

11. Push notifications through Signalize

If you activate push notifications for this website through the “Signalize” service of the provider etracker GmbH (Erste Brunnenstraße 1, 20459 Hamburg, Germany), a function of your internet browser or mobile operating system is used to provide you with notifications. Only anonymous data is stored for sending messages, which does not allow any conclusions to be drawn about a specific person. This data is only processed in order to deliver the notifications you have subscribed to and to adjust notification-related settings.

We ask for your consent to store this data. The legal basis for data processing in this case is Art. 6(1) point (a) GDPR. You can object to receiving notifications at any time via the settings of your browser or mobile device.

In order to make the content of the push notifications relevant to you, we use preferences collected by means of an anonymous user profile using cookies and merge your notification ID with the user profile of the website solely for the purpose of sending personalised messages. The tracking technology is also used to analyse the notifications statistically on our behalf. This makes it possible to determine whether a notification has been delivered and whether it has been clicked on. The data generated in this way is processed and stored on our behalf by etracker GmbH exclusively in Germany and is therefore subject to strict German and European data protection laws and standards.

Data processing for the purpose of controlling the invitation to use the notification service and for statistical analysis of registration or rejection is based on our legitimate interest pursuant to Art. 6(1) point (f) GDPR in making the notification service user-friendly and effective. As the privacy of our visitors is very important to us, data that may be linked to an individual person, such as an IP address, login or device identifiers, is anonymised as soon as possible. This excludes the possibility of direct personal connections. The data is not used for any other purpose, merged with other data or passed on to third parties.

You can object to the data processing described above at any time by clicking on the slider. Objection does not entail any disadvantageous consequences. If no slider is displayed, data collection is already prevented by other blocking measures.

You can view eTracker’s privacy policy at https://www.etracker.com/en/data-privacy-statement/.

12. Google Ads Remarketing

We use Google Ads Remarketing from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as Google). Google Ireland Limited is part of the Google group of companies based at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

With Google Ads Remarketing, we can assign people who interact with our online service to specific target groups in order to show them interest-based advertising in the Google advertising network (remarketing or retargeting). Furthermore, the advertising target groups created with Google Ads Remarketing can be linked to Google’s cross-device functions. In this way, interest-based, personalised advertising that has been adapted to you depending on your previous usage and surfing behaviour on one end device (e.g. mobile phone) can also be displayed on another end device (e.g. tablet or PC). If you have a Google account, you can object to personalised advertising by clicking on the following link:
https://www.google.com/settings/ads/onweb/.

The use of this service is based on your consent in accordance with Art. 6(1) point (a) GDPR in conjunction with Section 25(1) sentence (1) TDDDG. Consent may be withdrawn at any time.

The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

Further information and the data protection provisions can be found in Google’s privacy policy at https://policies.google.com/privacy?hl=en&gl=en.

13. Google AdSense

We have integrated Google AdSense on this website. The operating company of the Google AdSense component is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter Google). Google Ireland Limited is part of the Google group of companies based at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google AdSense is an online service that enables advertising to be placed on third-party websites. Google AdSense is based on an algorithm that selects the ads displayed on third-party sites to match the content of the respective third-party site. Google AdSense allows interest-based targeting of internet users, which is achieved by generating individual user profiles.

The purpose of the Google AdSense component is to integrate ads into our website. Google AdSense places a cookie on your end device. By setting the cookie, Google is able to analyse your use of our website. Each time you access one of the individual pages of this website which is operated by us and on which a Google AdSense component has been integrated, the internet browser in your IT system is automatically prompted by the respective Google AdSense component to transmit data to Google for the purpose of online advertising and billing of commission. As part of this technical process, Google obtains knowledge of personal data, such as your IP address, which Google uses, among other things, to trace the origin of visitors and clicks and subsequently to enable payment of commission.

Google AdSense also uses so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in web pages to enable log file recording and log file analysis, which allows statistical evaluation to be carried out. Google can use the embedded tracking pixel to recognise whether and when a website was opened from your end device and which links you clicked on. Tracking pixels are used, among other things, to analyse the flow of visitors to a website. Via Google AdSense, personal data and information, which also includes your IP address and is necessary for recording and billing of the displayed adverts, is transferred to Google in the USA. This personal data is stored and processed in the United States of America.

These processing operations are only carried out if express consent is given in accordance with Art. 6(1) point (a) GDPR in conjunction with Section 25(1) sentence (1) TDDDG. The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures. You can view the data protection provisions and further information about Google AdSense at

https://adsense.google.com/start/ & https://www.google.com/policies/technologies/ads/

14. DoubleClick by Google

This website contains DoubleClick components. DoubleClick is a trademark of Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland), under which special online marketing solutions are marketed to advertising agencies and publishers. Google Ireland Limited is part of the Google group of companies based at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

DoubleClick by Google transmits data to the DoubleClick server with every impression and with clicks and other activities. Each of these data transfers triggers a cookie request to your browser. If the browser accepts this request, DoubleClick places a cookie on your IT system. The purpose of the cookie is to optimise and display advertising. The cookie is used, among other things, to place and display user-relevant advertising and to create reports on advertising campaigns and to improve them. The cookie is also used to avoid multiple display of the same advert.

DoubleClick uses a cookie ID that is required for the technical process. The cookie ID is required, for example, to display an advert in a browser. DoubleClick can also use the cookie ID to record which adverts have already been displayed in a browser in order to avoid duplication. The cookie ID also enables DoubleClick to record conversions. A DoubleClick cookie does not contain any personal data. However, a DoubleClick cookie may contain additional campaign identifiers. A campaign identifier is used to identify the campaigns with which you have already been in contact.

Each time you access one of the individual pages of this website which is operated by us and on which a DoubleClick component has been integrated, the internet browser in your IT system is prompted by the respective DoubleClick component to transmit data to Google for the purpose of online advertising and payment of commission. As part of this technical process, Google obtains knowledge of data that Google also uses to create commission statements. Among other things, Google can track the links on our website on which you have clicked.

These processing operations are only carried out if express consent is given in accordance with Art. 6(1) point (a) GDPR in conjunction with Section 25(1) sentence 1 TDDDG.

The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

You can view the data protection provisions of DoubleClick by Google at https://policies.google.com/.

15. Meta Pixel (formerly Facebook Pixel)

This website uses “Meta Pixel” of Meta Platforms Ltd, 4 Grand Canal Square, Dublin 2, Ireland (hereinafter “Meta”). Parent company: Meta Platforms, Inc, 1 Hacker Way, Menlo Park, CA 94025, USA. This US company is certified under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

If express consent is given in accordance with Art. 6(1) point (a) GDPR in conjunction with Art. 25(1) sentence (1) TDDDG, the behaviour of users can be tracked after they have seen or clicked on a Facebook ad. The pixel reports to Meta which actions you have performed on our website, together with data that may identify you (including information on the app/browser, language setting, time, IP address, advertising ID). The data collected is anonymous for us and therefore does not allow us to draw any conclusions about the identity of the user. However, the data is stored and processed by Meta, with the result that a connection to the respective user profile is possible and Meta can use the data for its own advertising purposes in accordance with the Facebook Data Usage Policy (https://www.facebook.com/about/privacy/). This enables Meta and its partners to place adverts on and outside of Facebook. A cookie may also be stored on your computer for these purposes. This process is used to evaluate the effectiveness of Facebook ads for statistical and market research purposes and can help to optimise future advertising campaigns.

We do not receive any data about you or other users of Meta, but only statistics that show us how users have used our services on other Meta platforms (Facebook, Instagram), aggregated for all users over a certain period of time. This helps us to analyse which of our ads were successful and which were not.

When transferring the data collected by the pixel, we deal with Meta Platforms Ireland as a so-called “joint controller”, in accordance with Art. 26 GDPR. We have concluded a separate agreement for this purpose (see: https://www.facebook.com/legal/controller_addendum). Facebook is solely responsible for further processing. If you exercise your rights to information, erasure, etc. (see “Your rights”), Meta is responsible for implementation of your rights in its capacity as the joint controller.

16. eTracker

Our website uses the analytics service etracker. The provider is etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany.

Data processing is carried out on the basis of our legitimate interest in accordance with Art. 6(1) point (f) GDPR. Our concern within the meaning of the GDPR (legitimate interest) is the optimisation of our online service and our website. As the privacy of our visitors is very important to us, data that may be linked to an individual person, such as an IP address, login or device identifiers, is anonymised or pseudonymised as soon as possible. The data is not used for any other purpose, merged with other data or passed on to third parties.

The data may be used to create user profiles under a pseudonym. Cookies can be used for this purpose. The data collected using etracker technologies is not used to identify visitors to our website without separate consent and is not merged with personal data about the bearer of the pseudonym. etracker cookies remain on your end device until you erase them. These processing operations are only carried out if express consent is given in accordance with Art. 6(1) point (a) GDPR. You can object to the collection and storage of data at any time with effect for the future via the cookie banner that appears. Objection does not entail any disadvantageous consequences.

You can view eTracker’s privacy policy at https://www.etracker.com/en/data-privacy-statement/.

We have concluded a commissioned data processing agreement with etracker and fully implement the strict requirements of the German data protection authorities when using etracker.

17. Online meetings and conference calls via Microsoft Teams

We use the tool “Microsoft Teams” (“MS Teams”) to carry out our communication both in written form (chat) and in the form of telephone conferences, online meetings and video conferences. The operating company of the service is Microsoft Ireland Operations (“Microsoft”), Ltd, 70 Sir John Rogerson’s Quay, Dublin, Ireland. Microsoft Ireland Operations, Ltd. is part of the Microsoft group of companies based at One Microsoft Way, Redmond, Washington, USA.

We use “Microsoft Teams” to conduct online meetings. If we want to record online meetings, we will inform you in advance and – if necessary – ask for your consent.

Hockenheim-Ring GmbH is responsible for data processing that is directly related to the organisation of online meetings. If you access the “Microsoft Teams” website, the provider of “Microsoft Teams” is responsible for data processing. However, accessing the website is only necessary for the use of “Microsoft Teams” in order to download the “Microsoft Teams” software. If you do not want to or cannot use the “Microsoft Teams” app, you can also use “Microsoft Teams” via your browser. The service will then also be provided via the “Microsoft Teams” website. Various types of data are processed when using “Microsoft Teams”. The scope of the data also depends on what data you provide before or during your participation in an online meeting. The following personal data is subject to processing:

• user details: e.g. display name, email address, profile picture (optional), preferred language;
• meeting metadata: e.g. date, time, meeting ID, telephone numbers, location;
• text, audio and video data: if you use the chat function, the text entries you make are processed in order to display them in the online meeting. In order to enable video display and audio reproduction, the data from the microphone of your end device and from any video camera in your end device is processed accordingly for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time via the “Microsoft Teams” applications. If it is necessary for the purposes of minuting the results of an online meeting, we will log the chat content.

Your data is erased once it is no longer required or on request or objection.

Insofar as personal data of employees of Hockenheim-Ring GmbH is processed, Section 26 of the German Federal Data Protection Act (BDSG) is the legal basis for data processing. If, in connection with the use of “Microsoft Teams”, personal data is not required for the establishment, implementation or termination of the employment relationship, but is nevertheless an elementary component of the use of “Microsoft Teams”, Art. 6(1) point (f) GDPR is the legal basis for data processing. In these cases, our interest lies in effective organisation of online meetings. Otherwise, the legal basis for data processing when conducting online meetings is Art. 6(1) point (b) GDPR, insofar as the meetings are conducted within the framework of contractual relationships. If there is no contractual relationship, the legal basis is Art. 6(1) point (f) GDPR. Here, too, our interest lies in effective organisation of online meetings.

Personal data that is processed in connection with participation in online meetings is not passed on to third parties unless it is explicitly intended to be passed on. The provider of “Microsoft Teams” necessarily gains knowledge of the above data, insofar as this is provided for in our commissioned data processing agreement with “Microsoft Teams”. Data processing outside the European Union (EU) does not take place, as we have limited our storage location to data centres in the European Union. However, we cannot rule out the possibility that data is routed via internet servers located outside the EU. The so-called standard contractual clauses, which can be viewed under the following link, offer guarantees for international data transfer: https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=67
For more information on data processing, please refer to Microsoft’s privacy policy at https://privacy.microsoft.com/en-gb/privacystatement.

VII. DATA PROCESSING FOR CONTRACT EXECUTION

1. Registration, login and user account

You have the option of registering on our website by providing personal data for the ticket and fan shop and media areas.

Which personal data is transmitted to us is determined by the input screen used for registration. The personal data you enter is collected and stored exclusively for internal use by us and for our own purposes.

When you register on our website, the IP address assigned by your internet service provider (ISP), the date and the time of registration are also stored. Storage of this data takes place in the context of the fact that this is the only way to prevent misuse of our services and, if necessary, to facilitate investigation of criminal offences committed (Art. 6(1) point (f) GDPR). In this respect, storage of this data is necessary for our security. As a matter of principle, this data is not passed on to third parties. This does not apply if we are legally obliged to disclose the data or if the disclosure serves the purpose of criminal prosecution.

Your registration also enables us to offer you content and services which, due to their nature, can only be offered to registered users. Registered persons are free to change the personal data provided during registration at any time or to have it completely erased from our database.

We will provide you with information about the personal data stored about you at any time on request. Furthermore, we will rectify or erase personal data at your request, insofar as this does not conflict with any statutory retention obligations.

Your data is processed in the interest of convenient and easy use of our website. This constitutes a legitimate interest within the meaning of Art. 6(1) point (f) GDPR.

2. Data processing when opening a customer account in the fan shop and for contract execution

In accordance with Art. 6(1) point (b) GDPR, personal data is collected and processed if you provide it to us for the execution of a contract or when opening a customer account. The data collected can be seen from the relevant input forms. Your customer account can be cancelled at any time, for example by sending a message to the address of the controller specified above. We store and use the data provided by you to execute the contract. On completion of the contract or erasure of your customer account, your data is blocked, taking into account retention periods under tax and commercial law, and is erased on expiry of these periods, unless you have expressly consented to further use of your data or the right to a legally permitted further use of the data has been reserved by us, the details of which can be found below.

Data processing for order processing

The personal data collected by us is passed on to the transport company commissioned with delivery as part of execution of the contract, insofar as this is necessary for the delivery of the goods. We pass on your payment data to the authorised credit institution in the context of payment processing, insofar as this is necessary for payment processing. If payment service providers are used, we provide explicit information about this below. The legal basis for the transfer of data is Art. 6(1) point (b) GDPR.

Conclusion of contracts for online shop, retailers and dispatch of goods

We only transfer personal data to third parties if this is necessary in the context of contract execution, for example to the companies entrusted with the delivery of the goods or the credit institution commissioned with payment processing. Further transmission of the data does not take place or only takes place if you have expressly consented to such transmission. Your data is not passed on to third parties without your express consent, for example for marketing purposes. The basis for data processing is Art. 6(1) point (b) GDPR, which permits the processing of data for execution of a contract or pre-contractual measures.

3. Booking a room at the Hotel Motodrom

You have the option of making bookings for the Hotel Motodrom. This will take you to a separate booking website. Here we collect data including your first name, surname, address, contact details, billing address, method of payment and information about your day of arrival and departure.

The mandatory information required for order and contract processing is specifically marked as such; further information is provided voluntarily. We process your data for order processing. In particular, we forward payment data to your chosen payment service provider. Personal data is also passed on to internal departments (e.g. hotel service staff) and commissioned processors in accordance with Art. 28 GDPR. Any further data transfer only takes place if this is necessary for execution of the contract.

Neither offers nor bookings can be made without this information. The processing is based on Art. 6(1) point (b) GDPR for the implementation of pre-contractual measures or execution of the contract.

Accommodation providers, in particular hotels, are obliged under Section 30 of the Federal Registration Act (BMG) to collect the following data from the guest on the day of arrival and to have the guest sign the registration form by hand:

• date of arrival and expected departure;
• surname, first name, date of birth, nationality, address;
• number of fellow guests and their nationality in the cases of Section 29(2) sentences 2 and 3 BMG, serial number of the recognised and valid passport or alternative passport document for foreign persons;
• As applicable, further data for the collection of tourism and spa charges.

We are obliged to collect, process and pass on this data within the framework of the BMG. The legal basis for the processing results from Art. 6(1) point (c) GDPR.

We erase this data or restrict its processing as soon as is permitted under the provisions of the BMG and provided that no consent has been given on your part (Art. 6(1) point (a) GDPR) and no other legitimate interest in the continued processing exists on our part.

Under mandatory commercial and tax regulations, we are obliged to store your address, payment and order data for a period of ten years. Two years after termination of the contract, we restrict processing and reduce it to compliance with existing legal obligations.

4. Provision of contractual and pre-contractual services

We process your data as part of the provision of contractual and pre-contractual services:

• inventory data (e.g. name, address);
• contact data (e.g. email, telephone number);
• payment data (e.g. bank details, invoices);
• contract data (e.g. subject matter of the contract);
• vehicle data (e.g. registration number, vehicle type).

Processing may be necessary in advance of a contract in order to determine the contents of the contract and agree on a service. Processing is necessary for the fulfilment of our contractual obligations. This includes in particular the provision of the agreed service and remedy in the event of any warranty or other service disruptions. The contractual services include:

• purchase of a ticket via our ticket shop;
• purchase of a merchandise item from our fan shop;
• hire of the race track;
• hire of an area during an event;
• booking rooms for your event;
• issuing of access and entry authorisations.

The data is deleted on expiry of statutory warranty and similar obligations. In principle, this is the case after 3 years, unless there is another legal retention obligation. There is a legal obligation to retain tax-related documents, trading books, inventories, opening balance sheets, annual financial statements, the work instructions required to understand these documents, other organisational documents and accounting records. The retention period for these documents is ten years. There is also an obligation to retain commercial and business letters for six years.

The data collected for the provision of the service is only passed on if the services of a third party are required for the processing and the data is required for the service. We also pass on the data if we are legally obliged to do so. Third parties who may receive data include:

• post and courier services;
• catering companies;
• organisers;
• law enforcement authorities;
• banks and credit institutions.

The applicable legal bases for the specified processing operations are Art. 6(1) point (b) GDPR (contract execution and pre-contractual enquiries) and Art. 6(1) point (c) GDPR (legal obligation to store the data).

5. Fan shop

You can purchase various Hockenheim Ring merchandising items from our fan shop. In this case, we process the data that we collect via the input screen of the fan shop for contract processing. The legal basis for the processing of personal data is Art. 6(1) point (b) GDPR (contract execution).

The retention period for these documents is ten years. There is also an obligation to retain commercial and business letters for six years. We are legally obliged under Section 147 AO and Section 257 HGB to retain accounting records for this period.

6. Ticket shop

You can purchase various tickets for the events at the Hockenheim Ring via our ticket shop. In this case, we process the data that we collect via the input screen of the ticket shop for the purpose of executing the contract. The legal basis for the processing of personal data is Art. 6(1) point (b) GDPR (contract execution).

The retention period for these documents is ten years. There is also an obligation to retain commercial and business letters for six years. We are legally obliged under Section 147 AO and Section 257 HGB to retain accounting records for this period.

7. Booking of driving experiences

For the purpose of processing bookings for driving experiences at the Hockenheim-Ring, we process personal data, the data provided by you when registering to receive information about the driving experience and the data entered by you or a passenger in the logbook (driver, time and duration of the driving experience).

We process your personal data for the purposes of booking and handling the driving experience in which you take part as a participant, guest or accompanying person, and for documenting the event and investigating and following up possible traffic, administrative or criminal offences. This processing is carried out for the implementation of pre-contractual measures and execution of the contract with you (Art. 6(1) point (b) GDPR) and the latter also for fulfilment of legal obligations to which Hockenheim-Ring GmbH is subject.

When providing the specific services, we may use processors who support us in delivering the driving experience. In addition, we transmit your personal data to the instructors for the event you have booked. In the event of traffic offences, we pass on your personal data to the responsible authorities. Data is not transferred to third countries (i.e. countries that are neither members of the European Union nor of the European Economic Area).

We store your data for the duration of the event and beyond that for the duration of the relevant statutory retention obligations (up to 10 years). In addition, the storage period is also assessed in accordance with the statutory limitation periods (up to 30 years, usual limitation period 3 years).

8. Track hire

Hockenheim-Ring GmbH, Am Motodrom 1, 68766 Hockenheim processes personal data as the controller in connection with your rental of the racetrack and execution of the contract in accordance with Art. 6(1) point (b) GDPR. This relates to the following data and categories:

• company, contact person;
• master data (e.g. address), contact data (e.g. email);
• invoice data (e.g. address; VAT reg. no. if applicable);
• data relating to requirements (e.g. track variant, additional area, pit facilities, paddock, rooms, other);
• vehicle data (e.g. vehicle type; engine type);
• driving times (e.g. break times);
• event data (e.g. content, purpose).

Your personal data is stored until expiry of the statutory retention periods and transmitted to internal departments for the purpose of contract execution. Any further disclosure of data to third parties takes place only if we are legally obliged to do so, including in defence of claims (e.g. in the event of damage to commissioned lawyers and insurance companies).

As part of our legitimate interest in accordance with Art. 6(1) point (f) GDPR in conjunction with Section 7 of the German Act against Unfair Competition (UWG), we also process names and contact details in accordance with the legal requirements for the purposes of direct marketing and satisfaction surveys. Our legitimate interest lies in advertising our company and improving our services. You can object to this use at any time in accordance with Art. 21 GDPR. To do so, please contact the controller either by post or by email to datenschutz@hockenheimring.de.

9. Payment service providers

External payment service providers are used to execute contracts for the purchase of vouchers, tickets, fan merchandise and for completion of booking procedures, in accordance with Art. 6(1) point (b) GDPR. Likewise, our legitimate interest pursuant to Art. 6(1) point (f) GDPR lies in offering our visitors a variety of secure payment options.

Your personal data is only passed on to the extent necessary for execution of the contract. In particular, we pass on the payment details required for payment processing to the credit institution commissioned with the payment or to the payment and invoicing service provider commissioned by us.

Further information about relevant data protection provisions is available from:

• PayPal (Europe) S.à.r.l. & Cie. S.C.A.
  22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg
  Privacy policy: https://www.paypal.com/uk/legalhub/privacy-full
• Klarna AB
  Sveavägen 46, 111 34 Stockholm, Sweden
  Privacy policy: https://cdn.klarna.com/1.0/shared/content/legal/terms/0/en_gb/privacy
• Paydirekt GmbH
  Stephanstr. 14-16, 60313 Frankfurt am Main, Germany
  Privacy policy: https://www.paydirekt.de/agb/index.html
• SOFORT GmbH
  Theresienhöhe 12, 80339 Munich, Germany
  Privacy policy: https://www.klarna.com/de/datenschutz/

The data required for payment processing is transmitted securely via the “SSL” procedure and used exclusively for payment processing. We delete the data collected in this context as soon as storage is no longer required, or restrict processing if there are statutory retention obligations.

10. Application management / job exchange

You have the opportunity to apply for a job with our company. The application documents you submit are processed by us for the purpose of handling the application procedure. The applicable legal basis for this processing is Art. 6(1) point (a) GDPR (in particular Section 26(1) sentence 1 BDSG) in combination with Art. 6(1) point (b) GDPR for the decision on the establishment of an employment relationship.

The data required for the application process includes your personal data with contact information and a description of your education, work experience and skills. You also have the option of providing us with documents such as references or cover letters.

If an employment contract is concluded with an applicant, the data transmitted is stored for the purpose of processing the employment relationship in compliance with the statutory provisions pursuant to Section 26(1) BDSG.

If we no longer intend to consider your application in the subsequent process, we erase the data transmitted to us on completion of the application process. Exceptions may be legal provisions, such as the German General Equal Treatment Act (AGG), which require a longer storage period of up to six months or until the conclusion of legal proceedings. The legal basis in this case is Art. 6(1) point (f) GDPR. Our legitimate interest lies in our legal defence.

If you expressly consent to your data being stored for a longer period, e.g. for inclusion in a database of applicants or interested parties, the data is processed further on the basis of your consent and stored for a period of 12 months. The legal basis is then Art. 6(1) point (a) GDPR. You can, of course, withdraw your consent at any time in accordance with Art. 7(3) GDPR by notifying us of your withdrawal with effect for the future.

We expressly draw your attention to the fact that applications, in particular CVs, references and other data you submit to us, may contain particularly sensitive information about mental and physical health, racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union or political party. If you send us such information in your application, you expressly agree that we may collect, process and use this data for the purpose of handling your application. Processing of this data is carried out in accordance with Art. 6(1) point (f) GDPR and Section 26 BDSG, other relevant legal provisions and our privacy policy.

VIII. DATA PROCESSING FOR MARKETING PURPOSES

Irrespective of any consent given to the processing of your personal data for marketing purposes, we and our appropriately commissioned and controlled service providers (e.g. letter shops) process your name, address and email address for further customer retention and reactivation measures. This includes distribution of further information about products and services that may be of interest by post or email (Art. 6(1) point (f) GDPR). In doing so, our intention is to draw the attention of existing and potential customers to further interesting offers and achieve long-term customer loyalty.

1. Newsletter distribution via Brevo (previously Sendinblue)

This website uses Brevo to distribute newsletters. The provider is Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany. Brevo is a service that can be used to organise and analyse the distribution of newsletters, among other things. The data you enter for the purpose of subscribing to the newsletter is stored on Sendinblue’s servers in Germany.

We only distribute newsletters and emails with marketing information with the express consent of the recipient. Our newsletters contain information about products, promotions, events and news. Your email address is required to subscribe to the newsletter. We ask you to provide your first and last name as an option. This information is only used to personalise the newsletter. We also process the following information (personal data) about you:

• email address;
• date and time;
• IP address;
• action type;
• metadata of the action.

In order to be able to map the proof of consent and cancellation in a legally compliant manner, we keep the following data about registration for, changes to, confirmation and cancellation of the newsletter for each user profile, which is generated by the double opt-in procedure using a confirmed email address:

• date and time;
• IP address;
• online IDs.

Your consent is obtained for processing of the data as part of the online registration process and reference is made to this privacy policy. Online registration for our newsletter takes place in a double opt-in procedure, i.e. after online registration you will receive a confirmation email in which you are asked to confirm your registration. This process is necessary so that no-one can log in with another person’s email address.

If you register for our newsletter in any other way (e.g. through competitions), you will not be sent a confirmation email. In this case, you confirm with your signature that you wish to receive a newsletter.

We also analyse the success and reach of our newsletter (campaigns). For example, we analyse in particular whether you open a newsletter and how you otherwise use the newsletter. For this purpose, the newsletters contain a so-called web beacon, i.e. a pixel-sized file that is retrieved by the server of the distribution service provider when the newsletter is opened. As part of this retrieval, technical information about your browser and system, your IP address and the time of retrieval is collected. The purpose of this collection is technical improvement of the service. In addition, data is collected to determine whether and when the newsletter was opened and which links were clicked. This allows us to determine which links have been clicked on particularly frequently. We can also identify whether certain previously defined actions have been carried out after opening/clicking (conversion rate). For example, we can recognise whether you have made a purchase after clicking on the newsletter. If you do not wish to be analysed by Brevo, you must unsubscribe from the newsletter. We provide a link for this purpose in every newsletter message. You can also unsubscribe from the newsletter directly on the website.

The legal basis for the processing of personal data required for technical provision of the newsletter to you and for processing of cookie and measurement data is your consent in accordance with Art. 6(1) point (a) GDPR. The legal basis for the processing of other personal data is our legitimate interest pursuant to Art. 6(1) point (f) GDPR. We have a legitimate interest in being able to prove that you have given your consent.

You can cancel our newsletter at any time, i.e. withdraw your consent. You will find a link to unsubscribe from the newsletter at the end of each newsletter. You can also prevent storage of cookies by setting your web browser accordingly. In addition, you can prevent storage and transmission of personal data by deactivating Java Script in your web browser or installing a Java Script blocker (e.g. https://noscript.net or https://www.ghostery.com). We would like to point out that these measures may mean that not all functions of our website are available.

The data you provide us with for the purpose of subscribing to the newsletter is stored by us until you unsubscribe from the newsletter and is erased from both our servers and those of Brevo when you unsubscribe from the newsletter. Data stored by us for other purposes (e.g. email addresses for the member area) remains unaffected by this.

Detailed information about the functions of Brevo can be found at the following link: https://www.brevo.com/features/.
You can view Brevo’s privacy policy at https://www.brevo.com/legal/privacypolicy/.

2. Newsletter distribution via MailPoet

This website uses MailPoet to send out newsletters. The provider is Wysija SARL, 6 rue Dieudé, 13006, Marseille, France (hereinafter MailPoet). MailPoet is a service that can be used to organise and analyse distribution of newsletters, among other things. The data you enter for the purpose of subscribing to the newsletter is stored on our servers but used for distribution by MailPoet’s servers, with the result that MailPoet processes your newsletter-related data (MailPoet Sending Service). Details can be found here: https://account.mailpoet.com/.

With the help of MailPoet, we are able to analyse our newsletter campaigns. For example, we can see whether a newsletter message has been opened and which links, if any, have been clicked on. In this way, we can determine which links are particularly popular. We can also identify whether certain previously defined actions have been carried out after opening/clicking (conversion rate). For example, we can recognise whether you have made a purchase after clicking on the newsletter.

MailPoet also allows us to subdivide (“cluster”) newsletter recipients according to various categories. Newsletter recipients can be categorised by age or place of residence, for example. In this way, the newsletters can be customised for the respective target groups more effectively. If you do not wish to be analysed by MailPoet, you must unsubscribe from the newsletter. We provide a link for this purpose in every newsletter message.

The data processing is based on your consent in accordance with Art. 6(1) point (a) GDPR. You can withdraw this consent at any time with effect for the future.

The data you provide us with for the purpose of subscribing to the newsletter is stored by us until you unsubscribe from the newsletter and deleted from the newsletter distribution list when you unsubscribe from the newsletter or when the purpose no longer applies.

When you unsubscribe from the newsletter distribution list, we may store your email address on a blacklist to prevent future mailshots. The data on the blacklist is only used for this purpose and is not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending out newsletters (legitimate interest within the meaning of Art. 6(1) point (f) GDPR). Storage on the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.

We have concluded a commissioned data processing agreement in accordance with Art. 28 GDPR with the above provider. This is a contract prescribed by data protection law which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Detailed information about the functions of MailPoet can be found under the following link: https://account.mailpoet.com/ and https://www.mailpoet.com/mailpoet-features/.
You can find MailPoet’s privacy policy at https://www.mailpoet.com/privacy-notice/.

3. Existing customer marketing

We process the personal data of our existing customers for the purpose of carrying out advertising campaigns by email. The following personal data is processed:

• surname; first name (purpose: personalisation of mailshots);
• title (purpose: personalisation of mailshots);
• company (purpose: personalisation of mailshots);
• preferences (purpose: interest-based communication);
• email address (purpose: delivery of mailshots).

You are an existing customer if you have previously purchased at least one product or service. We inform you about new products and services at regular intervals. We make sure that you only receive information that is in your interest.

In this sense, existing customer marketing for our own goods or services that are similar to products or services already purchased is permitted. The marketing may relate to products or services that meet the needs of the customer, the same or similar typical purpose. In addition to recommendations for goods that are the same as or similar to those you have purchased, you also receive emails with advice, promotions and percentage discounts and services related to those products.

The legal basis for marketing for existing customers is Art. 6(1) sentence (1) point (f) GDPR in conjunction with Section 7(3) UWG. We have a legitimate interest in ensuring that our customers receive the best possible support. Our aim in carrying out marketing for existing customers is to send you advertising based solely on your actual or perceived needs.

If external service providers are used for processing (e.g. shipping service providers), the companies concerned only have access to your data to the extent necessary for the fulfilment of their respective tasks and functions. Your personal data will no longer be used for marketing purposes if you have not made use of our products and/or services for a period of 4 years or have lodged an objection to it.

You can object to data processing for the aforementioned purposes at any time free of charge with effect for the future, without incurring any costs other than the transmission costs at the basic rates. All you need to do is send an email to datenschutz@hockenheimring.de.

If you object, your contact details will be blocked for further marketing data processing. We would like to point out that this objection does not include distribution of print media, unless you explicitly object to processing for print advertising. In exceptional cases, marketing materials may temporarily
still be distributed after receipt of your objection. This is for technical reasons relating to the necessary lead time for marketing materials and does not mean that we will not act on your objection.

4. Customer satisfaction surveys

We also conduct customer satisfaction surveys as part of our existing customer marketing. After receiving a service, you will be sent an email inviting you to take part in a customer satisfaction survey.

We process your data for the purposes of market research and to measure customer satisfaction with our events. Participation in the survey is voluntary. Your data is anonymised before processing and the evaluation will only take place in aggregated form so that it is not possible to draw conclusions about your identity. The data is also only stored in anonymised and aggregated form.

No link is established to your customer data, such as your address or email address. The legal basis for processing of your data is your consent in accordance with Art. 6(1) point (a) GDPR. It is necessary to store the results and answers of the participants in order to ensure that it is possible to follow up the survey results.

We do not store your data for longer than we need it for the relevant processing purposes. When the data is no longer required, it is erased unless its retention is necessary. Reasons for this may include the following:

• fulfilment of retention obligations under commercial and tax law;
• obtaining evidence for legal disputes.

There are no plans to transfer your personal data to a third country or an international organisation.

5. Presence on social networks

We are represented with our own pages on social networks so that we can communicate with you and inform you about our services. When you visit one of our social media pages, we act as a joint controller with the provider of the respective social media platform with responsibility for the processing operations triggered by your visit, within the meaning of Art. 26 GDPR. We are not the original provider of these pages, but only use them within the scope of the opportunities offered to us by the respective providers.

As a precautionary measure, we would therefore like to point out that your data may also be processed outside the European Union or the European Economic Area. Use may therefore be associated with data protection risks for you, as it may be more difficult to protect your rights, e.g. to information, erasure, objection, etc., and processing on social networks is often carried out directly for marketing purposes or to analyse user behaviour by the providers without our control. If user profiles are created by the provider, cookies are often used or the user behaviour is assigned to your own social network member profile. These processing operations involving personal data are carried out in accordance with Art. 6(1) point (f) GDPR on the basis of our legitimate interest and the legitimate interest of the respective provider in communicating with you in a timely manner or informing you about our services. If, as a user, you have to give your consent to data processing to the respective providers, the legal basis is Art. 6(1) point (a) GDPR:

As we do not have access to the providers’ databases, we would like to point out that it is best to assert your rights (e.g. to information, rectification, erasure, etc.) directly with the respective provider. Further information about processing of your data on social networks is provided by the social network providers we use, as listed below:

• Instagram

(Joint) controller for data processing in Germany:

Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Privacy policy (data policy): https://instagram.com/legal/privacy/

• Facebook

(Joint) controller for data processing in Europe:

Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Privacy policy (data policy): https://www.facebook.com/about/privacy

• YouTube

(Joint) controller for data processing in Europe:

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Privacy policy: https://policies.google.com/privacy

• LinkedIn

(Joint) controller for data processing in Europe:

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

Privacy policy: https://www.linkedin.com/legal/privacy-policy

6. WhatsApp company channel

For the operation of our WhatsApp channel, we use the services of WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“WhatsApp”). We would like to point out that you use this WhatsApp channel and its functions on your own responsibility. This applies in particular to the use of the interactive sharing function.

WhatsApp channels are one-way information channels on WhatsApp that are separate from the messenger service (chat function). The creation of a channel serves to optimise the exchange of news and information with our subscribers (Art. 6(1) point (f) GDPR). When subscribing, no personal information is seen or stored, not even the subscriber’s name or telephone number. This ensures that subscribers remain anonymous at all times. It is only possible to view and react to channel status messages and to follow certain channels as a subscriber. Non-subscribers (“viewers”) can also view channel status messages. Here too, the identity of the person responding remains anonymous to Hockenheim-Ring GmbH.

We cannot track which user data WhatsApp collects. We also have no access to the data collected or your profile data. Information about data collection and further processing by WhatsApp can be found in WhatsApp’s privacy policy: https://www.whatsapp.com/legal/channels-privacy-policy-eea?lang=en_GB

The legal basis for the processing of your personal data by WhatsApp itself is your consent in accordance with Art. 6(1) point (a) GDPR. You have given your consent by “subscribing” to the WhatsApp channel. You can withdraw your consent at any time by cancelling your subscription.

IX. DATA PROCESSING WHEN VISITING THE HOCKENHEIM RING

1. Video surveillance

The Hockenheim Ring site is under video surveillance. The surveillance is carried out on the basis of our legitimate interest pursuant to Art. 6(1) point (f) GDPR. Our legitimate interest lies in the prevention and investigation of criminal offences, the protection of property and monitoring of visitor flows at major events.

Appropriate signs are placed in the areas covered by video surveillance. Furthermore, the technical and organisational measures implemented (e.g. password protection, access regulations, dual control principle, etc.) ensure an appropriate level of protection for personal data. The effectiveness of these measures is monitored at regular intervals. In the case of recording, the data is stored for a maximum of 72 hours and only analysed using the dual control principle in the event of criminal incidents. Data is only stored for longer if this is necessary for the enforcement of legal claims or the prosecution of criminal offences in specific individual cases.

In addition to the authorised managers, the IT department and the responsible maintenance company have access to the recordings, whereby a commissioned data processing agreement in accordance with Art. 28 GDPR forms the legal basis for access. Data is only transferred to third parties (e.g. the police) if this is necessary to investigate criminal offences.

2. Photography and filming at events

We process photographs and film recordings and, if applicable, names and first names at open events, e.g. concerts, campaigns, festivals, competitions, etc. The photographs and films are taken during the events, usually by our employees. In some cases, we also engage external photographers whom we commission in accordance with data protection law and prohibit from using the images for their own purposes.

We use the photo and film recordings to report on our events. The pictures of the open events may be published:

• on our website;
• in flyers;
• in the annual report;
• in internal presentations;
• on social networks (e.g. Instagram, Facebook).

The legal basis for the production of overview and group photos of events that do not specifically depict portrait images of individual persons or children is our legitimate interest in reporting on our activities in accordance with Art. 6(1) point (f) GDPR. The legal basis for the publication of the photographs and film recordings is our legitimate interest pursuant to Art. 6(1) point (f) GDPR in conjunction with Sections 22 and 23 of the German Act on the Protection of Copyright in Works of Art and Photographs (KunstUrhG). You have the right to object to this processing in accordance with Art. 21 GDPR. Please contact our staff directly or send an email to datenschutz@hockenheimring.de.

The processing of individual photos and/or videos (collection, storage and publication) only takes place with the express consent of the data subject, i.e. in accordance with Art. 6(1) point (a) GDPR. You have the right to withdraw your consent to the processing of personal data at any time with effect for the future. This does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal. Please contact our staff directly or send an email to datenschutz@hockenheimring.de.

We only publish photographs and film recordings of you without your consent if this is in our overriding legitimate interest in documenting and reporting on our activities, which is the case with recordings in which individual persons are only “accessories” or in cases where we publish overview or group pictures of the events in which you have participated. Your data is viewed internally by the relevant departments for the aforementioned purposes. If we have utilised the services of external photographers, we receive the photo files from them. Our data processing takes place in Germany and in the EU; data is not transferred to a third country or an international organisation.

The photographs and film recordings are stored indefinitely, as this is the only way we can achieve permanent documentation of our activities, also in our historical interest. There is no obligation to provide your data, i.e. you do not have to allow us to photograph and/or film you. If you do not wish to be photographed and/or recorded, please inform the photographer immediately.

3. Hotline

We offer a hotline during major events so that we can respond quickly to problems relating to the events. Personal data is also processed in this context. The following personal data is processed:

• date and time of the call;
• your name;
• your telephone number;
• the reason for the call.

We use this data to process your request and to contact you again in the event of queries or when your request has been dealt with. At the end of the event, we analyse the calls to identify common problems and strive for improvements at future events. For this purpose, we analyse the reason for the call independently of you and without any reference to you personally. The data is processed exclusively by employees of Hockenheim-Ring GmbH. As a rule, the data is not passed on to third parties.

The legal basis for the processing is our legitimate interest within the meaning of Art. 6(1) point (f) GDPR. Our interest lies in giving you the opportunity to contact us, being able to offer a quick solution to problems and being able to identify measures that should ensure a smoother process in future events.

In exceptional cases and for the prevention or investigation of criminal offences, we pass on the information from your call to the relevant police station. You will be informed of this before we pass on your data. Your data is not used for any other purposes. Your data is erased immediately after the evaluation, at the latest after 4 weeks.

You have the right to object to this processing in accordance with Art. 21 GDPR. Please contact our hotline staff directly or send an email to datenschutz@hockenheimring.de.

4. Press accreditation

Journalists have the opportunity to register via our media portal at https://media.hockenheimring.de/ and to apply for accreditation in this way. Hockenheim-Ring GmbH processes the following data when registering for press accreditation:

form of address, academic title (optional), first and last name, postcode, city, country, email address, telephone number, medium/publisher/editorial office and media category of accreditation, legitimisation document, such as previously published works, and a copy of the press pass. Information that is not required, such as photo and date of birth, can be redacted on the press pass. If necessary, additional information about the interest in participating in event-specific segments, events and functions may be requested. In the case of a choice of time and place of participation, a corresponding preference such as a fixed date or time is collected.

Once you have registered, you can access media content such as press releases online in the “media area”. Our press department staff are responsible for accreditation and will check the information you provide. After a positive check, you will receive a “provisional accreditation”, which will be confirmed or rejected shortly before the event. You will receive the final authorisation approx. 5 days before the start of the event, together with an e-mail containing all the information relating to the event in question.

Hockenheim-Ring GmbH processes personal data for the implementation of the accreditation procedure, for checking legitimacy and, if accreditation is successful, for participation in the event and its organisation and implementation, including granting of access/participation authorisations (legal basis: the legitimate interest of Hockenheim-Ring GmbH in public relations and press work and verification of legitimacy and the organisation and implementation of the event, Art. 6(1) point (f) GDPR. If separate conditions of participation and use apply to participation in the event, the relevant data processing is based on execution of the contract (Art. 6(1) point (b) GDPR).

If you do not upload a verification, your data will be erased automatically after 3 months. With verification, your account remains active. 3 years after your last login, you will be contacted and reminded of the existence of your account; if you wish to keep it, you can log in. If you do not respond within the specified period, your account and data will be erased. You have the option to register again at any time.

You have the right to object to this processing in accordance with Art. 21 GDPR. Please contact our staff directly or send an email to datenschutz@hockenheimring.de.

5. “miRide” racing simulator

When you visit our Welcome Centre at the Hockenheim-Ring, you have the opportunity to enjoy a racing experience with the help of our “miRide” racing simulator. The provider of the racing simulator is Brogent Technologies Inc, No.9, Fuxing 4th Rd, Qianzhen Dist, Kaohsiung City 806, Taiwan.

Before starting your racing experience, you can personalise it. To do this, please follow the instructions on the screen of the racing simulator. Personalisation is then carried out by entering your name. You are also free to have a photo taken of yourself next to your name – press the [AGREE] button to take the photo. With your consent, the name you enter will be displayed publicly on the screen together with your portrait photo.

If you want to use the racing simulator without personal details, you have the option of entering a pseudonym and selecting an avatar image on the screen input. Press the [REJECT] button to select an avatar image if you do not wish to show your personal details publicly.

Before you start the race, you can choose between the “Thrill”, “Mild” and “Autopilot” modes so that all visitors, whether motorsport professionals or beginners, can enjoy the racing experience. The fastest record is displayed at the top of the dome screen so that anyone who wants to reach the top can chase the record.

The personal data collected is only used to show the game’s top 10 rankings to the public. Your personal data is erased as soon as your result is no longer in the top 10.

The data you provide is only stored on domestic servers and is not transferred to external companies or outside the member states of the EEA. We only store your personal data for as long as is necessary to fulfil the purpose described above.

If you agree with all the above information about the use of your personal data, please click on the “Agree” button. You have the right to withdraw this consent at any time by contacting the controller or by sending an email to datenschutz@hockenheimring.de. Withdrawal from the agreement does not affect the lawfulness of the data processing prior to the cancellation.

Further information about the provider of the racing experience simulator can be found at https://www.brogent.com/en/privacy.html.

6. Online training on “Occupational safety measures”

Annual safety training takes place as an integral part of occupational health and safety and as an essential measure to improve safety. We process the following personal data in the context of implementation of the online training on “Occupational safety measures”:

• surname, first name;
• work email address;
• position;
• date and time;
• technical data (e.g. internet browser, operating system, etc.).

The legal basis for data processing is Art. 6(1) point (c) GDPR in conjunction with Section 12(1) sentence (1) of the German Occupational Health and Safety Act (ArbSchG). The data relating to a training cycle is erased two years after the end of the corresponding training period.

Your personal data is processed by the processors commissioned by us and bound by our instructions and they may gain knowledge of your data in the course of execution of the agreement. The data may only be processed by the processor on the basis of the agreement pursuant to Art. 28 GDPR and is subject to confidentiality.

7. Driving licence check

Checking the driving licences of employees and users of the Hockenheim-Ring GmbH race track is in the interests of all parties involved. It is necessary to process personal data that is collected as part of the check. Below we provide information about the processing of your personal data by us as part of this verification procedure.

Your data is recorded by the employees responsible using a check sheet before you start driving. The following categories of data are collected:

• master data (surname, first name, address) as on the front of the driving licence;
• driving licence data (driving licence number, date of issue, driving licence classes and district of the driving licence).

The personal data collected as part of the driving licence check is processed by the employees responsible exclusively for the purpose of avoiding owner liability in accordance with Art. 6(1) point (c) GDPR in conjunction with Section 21(1) no. 2 of the German Highway Code (StVG). Processing of personal data is necessary for the fulfilment of this task. The employee responsible checks your driving licence and documents that you have a valid licence on the day of the check.

Insofar as statutory retention obligations exist, the relevant personal data is stored for the duration of the retention obligation – generally 3 years. After the retention period has expired, the need for further processing is checked. If this is no longer the case, the data is erased immediately.

8. Background check

Peaceful, trouble-free events at the Hockenheim Ring are in the interests of all those involved. In order to ensure this, the licensing authority may require that only personnel who are accredited, i.e. who have been approved following a background check, are deployed for specific events. Below we provide information about the processing of your personal data by us and by the relevant police authorities as part of this accreditation procedure.

As part of the accreditation procedure and background check, both the organiser (Hockenheim-Ring) and the department in charge of the event are involved as independent data controllers (Art. 4(7) GDPR). The controllers collect and process your personal data in a spirit of mutual trust, taking into account the legal provisions of the GDPR and the BDSG.

The information on the consent form is required for the accreditation procedure (Art. 6(1) point (c) GDPR; Art. 6(1) point (a) GDPR; Art. 9 para. 2 point (a GDPR). The data collected in the course of the accreditation process is recorded electronically by the organiser and sent to the responsible police authorities for data verification. The data provided on the consent form is processed and used exclusively for the purpose of a decision on granting of the right of access and its scope and monitoring compliance with the corresponding restrictions. Collection, processing and use of personal data therefore serves to ensure the security of the event.

The police station in charge of the operation checks on the basis of this data – and if necessary in cooperation with the Baden-Württemberg State Criminal Police Office (LKA BW) and the Federal Criminal Police Office (BKA) – whether there is any information about you in the files of the state or federal police forces that would prevent your deployment for security reasons.

Your data is verified against various police files held by the police authorities for the purposes of averting danger and criminal prosecution. These are files that are used jointly by the federal and state police forces (joint files), but also files that are used separately by the police forces. They include, in particular, so-called offender/criminal offence files, in which criminal convictions, but also pending and discontinued preliminary proceedings and criminal proceedings without a court conviction are stored, and state security files, in which criminal offences with a political background and membership of organisations or associations banned in Germany, etc. are stored.

We wish to emphasise that the information in the police files may be more extensive than in the Federal Central Criminal Register, because the files may also include proceedings that have been discontinued by courts/public prosecutors or terminated without conviction. During the review by the authorities responsible for protection of the constitution, your data is checked against a joint file held by the constitution protection authorities. Your personal data may be passed on to other bodies, e.g. police and constitutional protection authorities in the federal states: Federal Central Criminal Register, Baden-Württemberg State Office of Criminal Investigation (LKA BW).

The data processed in connection with the background check is

• erased by the LKA immediately after the end of the event;
• erased by the department in charge after twelve months from completion of the check;
• erased immediately if consent is withdrawn;
• stored by Hockenheim-Ring GmbH until complete cancellation (not only event-related) or termination of your work for Hockenheim-Ring.

All data subjects have the following rights:

• the right to information about the data processed in accordance with Art. 15 GDPR, Section 91 of the Police Act of Baden-Württemberg (PolG BW);
• the right to data portability in accordance with Art. 20 GDPR;
• the right to rectification and completion of data in accordance with Art. 16 GDPR, Section 92(1) PolG BW;
• the right to erasure in accordance with Art. 17 GDPR, Section 92(2) PolG BW;
• the right to restriction of processing in accordance with Art. 18 GDPR;
• the right to lodge a complaint with a data protection supervisory authority in accordance with Art. 77 GDPR, Section 93 PolG BW;
• the right to object pursuant to Art. 21 GDPR to the processing of personal data carried out on the basis of Art. 6(1) point (e) or (f) GDPR (data processing on the basis of the performance of a task carried out in the public interest or on the basis of balancing of interests);
• the right to withdraw consent vis-à-vis the authorities in charge of the operation in accordance with Section 42(2) no. 3 PolG BW.

You are free to decide whether to give your written consent to the background check. Please bear in mind that, without your consent, verification or repeat verification (accreditation) cannot be carried out.

Your consent remains valid until you withdraw it or the reason for the background check no longer applies (e.g. if you no longer work in security-related areas). This also applies with regard to repeat checks.

If you refuse to give your consent, you cannot be deployed for events/areas of operation requiring accreditation.

X. Data erasure and storage periods

We erase your data when there is no legal basis for its further storage. Erasure takes place, for example, as soon as a legal obligation to store the data has expired. We also erase your data on request in accordance with Art. 17 GDPR.

Where necessary, we process and store your personal data for the duration of our business relationship or for the fulfilment of contractual purposes. This also includes the initiation and execution of a contract. In addition, we are subject to various retention and documentation obligations, including those arising from the HGB and AO. The retention and documentation periods prescribed by these codes range from two to ten years. Finally, the storage period also depends on the statutory limitation periods, which, for example, are generally three years under Sections 195 et seq. BGB, but in certain cases can be up to thirty years.

XI. Automated decision making

In principle, we do not use fully automated decision-making pursuant to Art. 22 GDPR to establish, fulfil or implement the business relationship or for pre-contractual measures. If we do use these procedures in individual cases, we inform you of this separately or obtain your consent as required by law.

XII. Amendment and updating of the privacy policy

This privacy policy is currently valid and was last updated as of: July 24. It may be necessary to amend this privacy policy as a result of further development of our website and services or due to changes in legal or official requirements.

The latest privacy policy can be viewed and printed out at any time on the website at “https://www.hockenheimring.de/datenschutz/”.