Processing and protection of personal data
Rights of the personal data subject
The personal data controller Beatworx s.r.o., IČO 08262021, with its registered office at Prokopova 148/15, Žižkov, 130 00 Prague 3, processes personal data of visitors to its events and other people who provide their contact details or participate in the online competitions organised by it.
Participation in the festival is conditional on the presentation of a ticket with the visitor’s name and surname, while the identity of the visitor is verified by simply consulting the ID card, which the visitor is obliged to present at the entrance.
Ticket sales are made through the ticketing companies GoOut and FestTicket (used mainly for ticket purchases in neighbouring countries). The operators of these payment systems provide the administrator with summary reports of tickets sold. The administrator is only able to view the transactions of the GoOut payment system, but not of FestTicket.
Only if a festival visitor has registered on the administrator’s website in the Cashless database does the administrator work with his identity (in the scope of name, surname and e-mail address), as only then is his ticket identified with his identity via a barcode. Until then, the visitor is anonymous; apart from the verification of his identity at the entrance by consulting or consulting the GoOut database, his personal data are not processed in any other way. The processing of personal data within the Cashless database enables visitors to benefit from bonuses in the context of special marketing promotions and allows for the resolution of any disputes between the visitor and the administrator regarding the extent of the exhaustion of the services prepaid in the context of the purchase of festival currency and in the event of a refund of funds in the visitor’s Cashless account (in such cases, the visitor is also asked by the administrator to provide his/her place of residence and bank connection). The processing of personal data within the Cashless database is justified by the performance of the contract for additional services, which consist in the allocation of bonuses and the traceability of the history of use of the subscription services. The visitor concludes this contract with the controller by registering in the Cashless database. The confidentiality of the records in the Cashless database is protected by encryption and general technical IT security measures implemented by the Administrator. The Cashless database is maintained separately for each festival year and it is technically impossible to link it to databases from other years and festivals. The records contained in the Cashless database will be anonymised by the administrator after a period of 5 years, i.e. after which each database will irreversibly contain only transaction data without visitor identities, without the technical possibility of re-assigning identities to these records. The retention of records in connection with people’s identities for a period of 5 years is done by the controller for its own legitimate interest, as it wants to have evidence of the use of services by the visitor, the general limitation period for any claim by the visitor in court being 3 years.
Within the Cashless database, the controller processes a sub-database of significant customers for each festival year, for its own legitimate interest of targeted marketing.
For its own legitimate commercial interest, the controller carries out promotional and recruitment events (e.g. competitions) where it obtains the e-mail addresses of interested potential visitors for the purpose of sending newsletters. The e-mail addresses obtained from various sources are then aggregated and stored in a time-limited (but variable – see below) database of e-mail addresses in the form of a mailing list used for sending mass newsletters, event notifications and other commercial communications. The principle of sending bulk emails is that the addressee of a commercial communication has the simple option of clicking on a link in the body of the email to remove his/her email address once and for all from the administrator’s mailing list if he/she no longer wishes to receive bulk emails from the administrator.
The sources of obtaining the e-mail addresses are as follows: registration of the visitor in the Cashless database (use of the e-mail contact for direct marketing purposes for legitimate interest, subject to the conditions laid down in Act No. 480/2004 Coll.) or voluntary forwarding by the interested party via hostesses or ambassadors, or completion of a competition survey via Google Forms (explicit consent by the data subject to the use of his or her e-mail address for direct marketing purposes). Finally, the controller also has the option of obtaining email addresses from the GoOut database, and only for customers who have opted in to receive commercial emails when filling in their payment details. If an email address is obtained by directly contacting a person, the country of origin of the addressee is also noted for the purposes of classifying the contact into either the “Czech” or “English” sub-database (bulk emails are sent out in either the Czech or English version).
The Administrator maintains a special database, technically as secure as the Cashless database, which contains data on visitors who have already attended a closed event with free unlimited lifetime admission to all Administrator events for visitors with a tattoo of the festival logo. This database is maintained precisely because it has already been terminated, and later accessed visitors who are not registered in the database do not have this right. The maintenance of this database is thus determined by the legitimate interest of the administrator. The database contains: the name and surname of the visitor and a photograph of the tattoo.
The administrator makes audiovisual recordings and photographs of its events and publishes these on its website and on YouTube. These recordings always capture group scenes, not close-ups of people, and certainly not of people in the course of private activities. In addition, it monitors the premises of its events with security cameras in order to increase the safety of persons and their property inside the premises; it does not process the footage from these cameras further, but in the event of suspicion of criminal activity, it will hand it over to the Police of the Czech Republic.
The administrator uses the following internet services: cookies, Google analytics, FB pixel and Youtube data and also runs Facebook contests in the form of status sharing and contests on its website, most often in the form of answering via Google forms.
Your rights regarding the processing of your personal data
You have the right to access your personal data. You have the right to obtain confirmation from the controller as to whether or not personal data relating to you is being processed or whether your identity is included in one or other of the above-described databases and, if so, to know what personal data is being processed in relation to you and to the following information:
(a) the purposes of the processing – see the information on the processing of personal data above;
b) the categories of personal data concerned – you as a visitor or user of the email account and computer;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed – in principle there are no recipients of personal data, the controller does not pass on the personal data collected to anyone and the controller’s collaborators are bound by confidentiality;
d) the planned period of time for which the personal data will be stored – see above for instructions on the processing of personal data, browser settings and fb profile.
You have the right to erasure from the database(s). In relation to the mailing list, there is a simple option to delete your email address in the manner described above. You also have the right to ask the controller to delete your personal data from all databases maintained by it, with the exception of the Cashless core database, which is only anonymised in bulk after 5 years. Please note that by deleting it from the sub-database, you will lose all benefits that attach to your identity within the sub-database.
You have the right to have erroneous, inaccurate or outdated or incomplete personal data corrected and, as part of the correction, updating or completion of your personal data, you have the right to request that the processing of your personal data be restricted until your request is granted (or verified).
You have the right to object to the processing of your personal data. In practice, this is the aforementioned erasure option except for the basic Cashless database. In respect of published photographs and audiovisual recordings, you have the right to object to the publication of such photograph or recording in which you are depicted. In such a case, the administrator will retouch the image by blurring it or withdraw the photograph or recording and delete it.
Please send your requests and complaints regarding the processing of your personal data to firstname.lastname@example.org. In addition to dealing with requests and complaints, we will also answer any questions and remove any ambiguities regarding the processing of your personal data. Public law supervision over the processing of personal data is exercised by the Office for Personal Data Protection, Pplk. Sochor 27, 170 00, Prague 7, www.uoou.cz.