Privacy Policy
I. At a Glance – Data Processing on Our Website
Dear guests and visitors,
We are delighted that you are visiting our website and hope to welcome you soon on our premises as a guest at the Ochsenbraterei marquee at Oktoberfest!
We want you to feel completely comfortable with us – online as well as offline. For us, good service naturally also includes careful handling of your data.
On this page, we would like to inform you comprehensively about the processing of your personal data when you visit our website and explain your rights under European Union data protection law.
Your Ochsenbraterei Team
II. General Notes and Mandatory Information
1. Controller
The entity responsible for processing your data both online and on site is
Ochsenbraterei Haberl OHG
Englischer Garten 3
80538 Munich
Germany
Phone: +49 89 51 08 57 6-0
E-Mail: info@ochsenbraterei.de
Internet: www.ochsenbraterei.de
2. Data Protection Officer
We have appointed an external data protection officer.
You can reach him:
by e-mail: datenschutz@haberl.de
by phone: +49 89 716 8024 0
by mail:
msecure GmbH
Attn. DPO Haberl
Bajuwarenring 21
82041 Oberhaching
Germany
III. Description and Scope of Data Processing
A. General and technically necessary processing
1. Provision of the website
Each time our website is accessed, our system, i.e. the web server, automatically collects information from the system of the accessing computer or other device.
The following data is collected:
– Information about the browser type and the version used
– The operating system of the user’s end device
– The user’s internet service provider
– The user’s IP address
– Date and time of access
– The previous website from which the user was referred to our website (referrer URL)
a) Purpose of processing
The temporary storage of your IP address by our system is necessary to enable the website to be delivered to your device. For this purpose, the user’s IP address must remain stored for the duration of the session. The storage of the above-mentioned data in so-called log files serves to ensure the functionality of our website. In addition, this data helps us optimize the website and ensure the security of our IT systems (e.g. for attack detection).
b) Legal basis
The legal basis for the temporary storage of this data and the log files is Art. 6(1) subpara. 1 lit. f GDPR (our legitimate interests as website operator in the secure, disruption-free and lawful provision of the website).
c) Storage period
The above-mentioned data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of data collected for the provision of the website, this is the case when the respective session has ended.
In the case of storage in log files, this is the case after no later than 14 days, unless legal reasons in the individual case require a longer retention period. Further storage for statistical and technical analyses is possible. In this case, the user’s IP address is deleted or anonymised so that an assignment to the accessing client is no longer possible and the data contained no longer relates to a person.
2. Session Cookies
To ensure certain functions in some areas of our websites, it may be technically necessary to use so-called session cookies. These are data records (strings) that are temporarily stored on your end device.
a) Purpose of processing
The setting of session cookies serves to recognize a calling browser even after a page change. The data is not used to analyze user behavior.
b) Legal basis
The legal basis for the storage of session cookies is Art. 6(1) subpara. 1 lit. f GDPR (our legitimate interest in providing certain functions on our websites) in conjunction with Section 25(2) No. 2 TDDDG (Federal German Telecommunications and Digital Services Data Protection Act). In cases where the processing of session cookies serves the preparation or performance of contracts, the legal basis is Art. 6(1) subpara. 1 lit. b GDPR.
c) Storage period
Session cookies are deleted when the browser is closed.
3. E-mail and contact form
We can be contacted via our contact form and the e-mail addresses provided. In this case, the personal data transmitted with the inquiry by the sender (in any case name and e-mail address) together with the content of the message will be stored. Optionally, the user can provide a telephone number.
a) Purpose of processing
We process this personal data to handle the message and to continue communication.
b) Legal basis
The legal basis for the processing of this data, which is transmitted in the course of sending an inquiry, is Art. 6(1) subpara. 1 lit. f GDPR (our legitimate, aligned interest as controller in communicating with the person sending the message).
If the inquiry aims at the conclusion or performance of a contract (e.g. in the case of a reservation request), the legal basis is Art. 6(1) subpara. 1 lit. b GDPR (performance of a contract or pre-contractual measures).
c) Storage period
The above-mentioned data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. For personal data transmitted by e-mail or via the contact form, this is the case when the respective conversation with the user has ended. As a rule, the conversation is deemed to have ended when it can be inferred from the circumstances that the relevant matter has been conclusively clarified. In the case of the preparation or performance of contracts, longer retention periods may result from statutory (e.g. tax law) requirements.
d) Right to object
You as a user have the possibility to object to the data processing at any time with effect for the future. All personal data stored in the course of contacting us will then be deleted immediately, unless statutory retention periods or other legal reasons prevent this.
4. Handling of applicant data
We publish job advertisements on our websites. As a user of the website, you can apply by e-mail for an advertised position or send us an unsolicited application. The scope and type of data processed is determined solely by the data you voluntarily provide to us in this context.
a) Purpose of processing
The purpose of processing the data you submit is to initiate an employment relationship. The data is processed exclusively for the purpose of personnel recruitment and, if applicable, separately from any other data.
b) Legal basis
The legal basis is Art. 6(1) subpara. 1 lit. b GDPR (pre-contractual or contractual measures).
c) Storage period
In the event of a successful application, we will include the transmitted data in our personnel files and retain and process it for the duration of the statutory retention period. Otherwise, we will process your transmitted data exclusively for the purposes of the application procedure and will generally delete it automatically no later than 6 months after completion of the application procedure.
5. Online reservation system
We use the online system of Festzelt OS GmbH, Seitzstr. 23, 80538 Munich, Germany, to process your reservations and payments; they process your data on our behalf.
a) Purpose of processing
The purpose of processing is to provide an online platform for managing reservations, displaying tables and their availability, creating and sending booking confirmations, invoices and vouchers, supporting staff during admission control at the marquee, and creating analyses and statistics.
b) Legal basis
The legal basis for the processing of your data is your consent pursuant to Art. 6(1) subpara. 1 lit. a GDPR, which you granted us prior to using the reservation portal. You can revoke this consent at any time with effect for the future by sending an informal e-mail to info@ochsenbraterei.de. Processing carried out lawfully up to this point remains unaffected by the revocation.
Insofar as the use of the portal aims at the conclusion or performance of a contract, the legal basis is Art. 6(1) subpara. 1 lit. b GDPR (performance of a contract or pre-contractual measures).
c) Disclosure of data / third-country processing
The system is operated in German data centers of Amazon Web Services EMEA SARL (AWS), Luxembourg, as a subprocessor of Festzelt OS GmbH. AWS is obliged to comply with data protection regulations through agreed EU Standard Contractual Clauses. In addition, AWS, as a subsidiary of Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA, undertakes to inform us of any requests for access to our customer data by US authorities and to resist such requests where legally permissible. Moreover, your data is encrypted, with key management handled by Festzelt OS. Nevertheless, we would like to point out that, under the current legal situation, there is no data protection level in the USA comparable to the standards of the European Union, and it cannot be excluded with absolute certainty that access by US authorities or services could occur.
For data transfers to the USA, the provider AWS has joined the EU-U.S. Data Privacy Framework, which legitimizes the data transfer on the basis of an adequacy decision of the European Commission pursuant to Art. 45 GDPR.
d) Storage period
Data will only be processed for as long as necessary for the purposes of processing. In the event of revocation of your consent, the data will be deleted immediately, unless other statutory provisions (in particular tax and levy regulations) or other legal reasons require further processing or retention.
6. Newsletter
We use services of CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (“CleverReach”) to send our newsletters.
For this purpose, we transmit the following personal data to CleverReach: e-mail address.
After registering for the newsletter, you will receive an e-mail from CleverReach. You will only be added to the newsletter distribution list after clicking on the link contained therein (double opt-in procedure).
CleverReach is the recipient of your personal data and acts as our processor under contract, insofar as it concerns the sending of our newsletters. Without your consent and the transmission of your personal data, we cannot send you a newsletter.
a) Purpose of processing
Sending newsletters enables us to provide you with information directly and regularly. In addition, we analyze your usage behavior in order to optimize our offering.
This means, for example, that we learn whether and when the newsletter was opened by you or whether and when you clicked on a link in the newsletter.
b) Legal basis
The legal basis for this processing is your consent pursuant to Art. 6(1) subpara. 1 lit. a GDPR. You can revoke your consent to the processing of your personal data at any time. All e-mail dispatches contain a corresponding link that allows you to unsubscribe from our distribution list. Revocation can also be made via the contact details provided. The legality of the processing carried out up to the revocation remains unaffected by the revocation.
c) Duration of processing
Your data will be processed as long as the corresponding consent exists. Apart from that, it will be deleted in the event of termination of the contract between us and CleverReach, unless statutory provisions or other legal reasons require further storage.
7. Data processing to prevent the misuse of reservations
a) Blacklist
If a reservation is not canceled but nonetheless not honored, we reserve the right not to accept any further reservations from the respective person / company for a period of up to 2 years. In this case, your data will be included in a corresponding blacklist and stored for this period. We use this data based on our legitimate interest within the meaning of Art. 6(1) subpara. 1 lit. f GDPR, which consists in minimizing loss of revenue and the abusive use of our reservation systems.
b) Disclosure of data in case of suspected contractual resale of table reservations and vouchers
The host families of the Oktoberfest tents take consistent action against the resale of table reservations and vouchers (hereinafter “reservations”) at sometimes exorbitant prices on the black market.
Resale, in particular to commercial resellers, constitutes a breach of the general terms and conditions of the respective reservation contract and may result in claims for damages, inter alia pursuant to Sec. 5(4) of the General Terms and Conditions (AGB).
To enforce these claims, AI-based monitoring of relevant auction portals and other content on the internet takes place.
In the event of suspicion of unlawful activities, data relating to your reservation may, in individual cases, be passed on to LDM Rechtsanwaltsgesellschaft mbH, Blumenstr. 13, 69115 Heidelberg, Germany, with whom we have concluded appropriate contracts.
This data will be further processed by the aforementioned law firm under its own controllership for investigations to confirm the suspicion and, if necessary, to pursue legal claims as part of a mandate.
This also constitutes our legitimate interest as controller, which serves as the legal basis for processing pursuant to Art. 6(1) subpara. 1 lit. f GDPR.
B. Analytics and marketing tools
1. Google Tag Manager – Management of tools
We use Google Tag Manager. Google Tag Manager is an organizational tool that allows us to centrally integrate and efficiently manage website components from Google via a user interface.
The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, with whom we have concluded a corresponding data processing agreement.
a) Purpose of processing
As website operators, we have an interest in the fast and uncomplicated management of the different tools on our website.
The Google Tag Manager collects data on the website and forwards it to the connected analytics tools. These tools (e.g. Google Analytics) then store and evaluate them if they are activated.
b) Legal basis
The legal basis for the processing is Art. 6(1) subpara. 1 lit. a GDPR (your consent, which you have given us via our consent banner).
Google’s privacy policy can be found here: https://policies.google.com/privacy
Google also processes your data in the USA, among other places. We have concluded a data processing agreement with Google incorporating the EU Commission’s Standard Contractual Clauses (SCC). Nevertheless, we would like to point out that there is no level of data protection in the USA comparable to the standards of the European Union.
For data transfers to the USA, the provider has joined the EU-U.S. Data Privacy Framework, which legitimizes the data transfer on the basis of an adequacy decision of the European Commission pursuant to Art. 45 GDPR.
c) Duration of processing
Data is not stored by the Tag Manager itself. You can revoke your consent to the use of the tool at any time with effect for the future.
2. Google Analytics
If you have given your consent, the analytics service Google Analytics 4 is used on this website. The controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland (“Google”).
Google Analytics uses cookies that enable an analysis of your use of our websites. The information collected by means of cookies about your use of this website is generally transmitted to a Google server in the USA and stored there.
With Google Analytics 4, the anonymization of IP addresses is activated by default. Due to IP anonymization, your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser as part of Google Analytics is, according to Google, not merged with other Google data.
During your website visit, your user behavior is recorded in the form of “events”.
Events can be:
• Page views
• First visit to the website
• Start of the session
• Your “click path”, interaction with the website
• Scrolls (whenever a user scrolls to the end of the page (90%))
• Clicks on external links
• Internal searches
• Interaction with videos
• File downloads
• Ads viewed / clicked
• Language settings
In addition, the following is recorded:
• Your approximate location (region)
• Your IP address (in shortened form)
• Technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
• Your internet provider
• The referrer URL (via which website / via which advertising medium you came to this website)
a) Purpose of processing
On behalf of the operator of this website, Google will use this information to pseudonymously evaluate your use of the website and to compile reports on website activity. The reports provided by Google Analytics serve to analyze the performance of our website and the success of our marketing campaigns.
b) Recipients
Recipients of the data are / may be:
• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor pursuant to Art. 28 GDPR)
• Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
• Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
Further information on the terms of use of Google Analytics and on data protection at Google can be found at https://marketingplatform.google.com/about/analytics/terms/ and at https://policies.google.com/
c) Third-country processing
Google also processes your data in the USA, among other places. We have concluded a data processing agreement with Google incorporating the EU Commission’s Standard Contractual Clauses (SCC). Nevertheless, we would like to point out that there is no level of data protection in the USA comparable to the standards of the European Union.
For data transfers to the USA, the provider has joined the EU-U.S. Data Privacy Framework, which legitimizes the data transfer based on an adequacy decision of the European Commission pursuant to Art. 45 GDPR.
d) Storage period
The data we send and that is linked to cookies is automatically deleted after 2 months. Data whose retention period has been reached is automatically deleted once a month.
e) Legal basis
The legal basis for this data processing is your consent under Art. 6(1) subpara. 1 lit. a GDPR.
f) Withdrawal
You can revoke your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. The lawfulness of the processing carried out on the basis of the consent up to the revocation remains unaffected.
3. Linking to social networks and platforms (e.g. Instagram, Facebook, TikTok)
You will find links on our website to our presences on social networks and external platforms such as Instagram, Facebook and TikTok. These are exclusively external links. This means: when you access our website, no personal data is transmitted to these services. Only when you click on one of the links will you be redirected to the respective external page. From this point on, usage data may be collected by the respective provider.
Please note that we have no influence on the processing of personal data by these providers. Further information on data protection on the respective platforms can be found at:
Instagram: https://privacycenter.instagram.com/policy
Facebook: https://www.facebook.com/privacy/policy
TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/
C. Photo and film recordings as well as video surveillance in the marquee
1. Photo and film recordings in the marquee
We regularly produce photo and film recordings during the event. It cannot be avoided that you may be visible in photos or video material.
We only process such image data that is permissible without explicit consent within the framework of the provisions of Sec. 23(1) Nos. 2, 3 of the German Art Copyright Act (KUG) (images of persons as “incidental items”).
a) Purpose of processing
The main focus here is on the depiction of larger groups or the atmosphere in the marquee for the purpose of public communication (advertising).
b) Legal basis
Processing is carried out based on our legitimate interest in self-promotion pursuant to Art. 6(1) subpara. 1 lit. f GDPR.
c) Duration of processing
The data will be deleted once the purpose no longer applies, i.e. after the respective advertising or communication measure has ended.
d) Journalistic reporting
If photo or film recordings are made in our tent by third parties as part of journalistic reporting, the respective media provider is responsible.
2. Video surveillance in the marquee
In and around the marquee, visual monitoring is carried out using opto-electronic devices (video surveillance with live transmission and recording function).
a) Purpose of processing
Video surveillance serves to protect the life, health and freedom of people on the marquee premises.
b) Legal basis
The legal basis is Art. 6(1) subpara. 1 lit. f GDPR in conjunction with Sec. 4(1) BDSG (Federal Data Protection Act).
The legitimate interest of the controller arises from the purposes of the processing, Sec. 4(1) No. 3 BDSG.
Due to the increased risk situation during the Oktoberfest, the processing is necessary, appropriate and proportionate to achieve the stated protection goals.
c) Storage period
The collected data (video recordings) is generally deleted after 72 hours, unless other legal reasons oppose this.
D. SafeNow App
IV. Your rights
Under the General Data Protection Regulation (GDPR), you have the right to:
pursuant to Art. 15 GDPR, obtain information about your personal data processed by us. This includes the purposes of processing, the categories of personal data, the categories of recipients of the data, the planned storage period, the origin of your data, and information about the existence of automated decision-making (profiling);
pursuant to Art. 16 GDPR, request the rectification of inaccurate, or the completion of incomplete, personal data stored by us;
pursuant to Art. 17 GDPR, request the erasure of your personal data stored by us, unless other legal reasons prevent this;
pursuant to Art. 18 GDPR, request the restriction of the processing of your personal data;
pursuant to Art. 20 GDPR, receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format or to request the transmission to another controller;
pursuant to Art. 7(3) GDPR, withdraw consent you have given to us at any time. The lawfulness of the processing carried out up to the withdrawal remains unaffected by the withdrawal;
pursuant to Art. 21 GDPR, OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA. If your objection is directed against direct marketing, we will implement this immediately. If the processing of your data is based on the legitimate interests of the controller or third parties and your objection is based on your particular situation, we will comply unless there are compelling legitimate grounds for the processing which override your interests, or we need your data to assert legal claims.
pursuant to Art. 77 GDPR, lodge a complaint with a supervisory authority. If you believe that we have not adequately complied with your rights and our obligations under the General Data Protection Regulation, you have the right to lodge a complaint with a data protection authority.
The authority responsible for us is the Bavarian State Office for Data Protection Supervision:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
V. Questions?
If you have any questions about the processing of your data, please feel free to contact us at info@haberl.de or contact our data protection team: datenschutz@haberl.de