Data Privacy policy

I. Data controller (Provider)

Cooltix

Name of the Service Provider

Cooltix GmbH

Registered seat and postal address

Vorgartenstraße 204, 1020 Wien

Tax identification number

ATU69759638

Registration number

FN 434585 x

E-mail address

ticket@cooltix.at

Website

cooltix.at

Customer service email address

ticket@cooltix.at

Hosting Provider name:

DigitalOcean

Hosting provider address:

Frankfurt am Main (FRA1)

II. Data Protection Directives applied by the Company

1. The Provider as data controller undertakes the obligation that every data processing related to its activity complies to the requirements set forth in this policy and the applicable law.

2. The information regarding the data processing of the Provider is permanently available at the footer of the Cooltix.rs web page.

3. The Provider is entitled to unilaterally amend the Privacy Policy. In case of the amendment of the Privacy Policy, the Provider notifies the User via the disclosure of the changes at the www.cooltix.at page at least eight (8) days prior to the changes entering into force. User, by the continued use of the service after the changes entering into force, accepts the amended Privacy Policy.

4. The Provider is committed to protect the User’s personal data, considers the respect of its clients’ right of informational self-determination of high importance. The Provider manages the personal data confidentially with employing all of the required security measures in information technology and data administration.

5. The Provider data processing principles are in line with the General Data Protection Regulation (GDPR).

6. The Provider processes personal data indispensable for the use of its services, with the consent of the data subjects and exclusively bound to purpose.

7. The Company undertakes obligation to disclose, in a clear and obvious notice before collecting, recording and processing any personal data of its users, to inform them about the method, purpose and principles of data collection. In addition to all this, in every case where the data collection, processing, recording is not mandatory by law, the Company draws the attention of the User to the voluntary being of the disclosure of information. In case of mandatory disclosure of information it is necessary to indicate the legislation requiring the data processing. The data subject is to be informed about the purpose of the data processing and about who will be handling and processing the personal data.

8. In every case where Company intends to use the personal data disclosed for any purpose other than the purpose of the original data collection, it informs the User and acquires its preliminary and express consent and provides opportunity for denying the use.

9. The Provider during the collection, recording and processing data adheres in all cases to the limitations defined in legislation, informs the data subject about its activity according to the user’s needs in electronic mail. The Company commits itself to not apply any sanction against any user who denies the non-mandatory disclosure of information

1. Personal Data can be processed if the data subject gives consent or it is required by law or - with legal authorization in the scope defined in it - by decree of the local government for a purpose based on public interest. The legal basis of the data processing is the voluntary consent of the data subject according to the GDPR on the Right of Informational Self-Determination and on Freedom of Information, on certain issues of electronic commerce services and information society services.

2. For the statement of minor person incapable of acting or with limited capability, the consent of this person’s legal representative is required except for those parts of service where the declaration is addressed to a registration occurring en masse and does not require special consideration. For the validity of the legal declaration including the consent of the minor data subject aged 16 or more, the agreement or the later consent of the legal representative is not required.

3. If the personal data was collected with the consent of the data subject, the data controller, in the absence of otherwise required by law, the data collected may be processed

a) for the purpose of complying with the related legal obligation, or

b) for the purpose of appropriation of a legitimate interest of a third person, of the appropriation of this interest is proportional to the limitation of the right related to the personal data protection

without further consent and after the revocation of the data subject’s consent.

IV. The purpose of data processing, the scope of data processed, the duration of data processing and those entitled to know the data

1. Personal data may only be processed for a certain purpose, in order to exercise a right or comply to an obligation. The data processing must comply to the purpose of the data processing in its every stage, the collection and processing of the data must be fair and legal. Only such personal data may be processed which is indispensable for the fulfillment of the purpose of data processing and suitable to achieve the purpose. The personal data may only be processed to the extent and for the duration required for the realization of the purpose. The data processings of the services of the Provider are based on voluntary consent, however, in certain cases, the processing, storage and transmission of a range of the data provided is made obligatory by legislation. The Provider do not use the personal data for any purpose other than designated.

2. Online webshop service (purchase of admission ticket, voucher, book, media, parking ticket, etc.)

The data processing takes place on the basis of the User’s voluntary declaration based on proper notice, which is required to use the webshop service running on the webpage. The User provides the declaration upon using the service. The declaration contains the User’s express consent to use his/her personal data provided during the use of the page. The legal basis of the data processing is the voluntary consent of the data subject according to the Right of Informational Self-Determination and on Freedom of Information.

The purpose of data processing is the provision of webshop service on the web page, the ordering and its service, the documenting of the purchase and payment, the fulfillment of the accounting obligation. Furthermore, the purpose of data processing is the identification of the User as ticket buyer, the completion of the service ordered, the possibility of the sending of the related notifications, the invoicing and the completion of the payment, the registration of the Users and differentiating them from each other. Data processed: surname and first name, phone number, e-mail address, password given during the preliminary registration, delivery address given upon requesting home delivery, the billing address given for the issuing of invoice, the number, date and time of transaction, content of receipt, customer code, in case of VAT invoice the name, address and tax number, other data requested by event organizer during purchase. Duration of data processing: 8 years

3. Registration

During the preliminary registration, with the provision of a password the User will have the possibility to provide his/her data only one time instead of having to do so for each purchase. The data provided will be processed by the Provider until the User – by unsubscribing – prohibits the use of the data for this purpose. The data that can be provided upon the decision of the User, e-mail address, phone number, name, residence, dwelling, place and date of birth, the products and product category purchased by the User on the orders, the time of purchase, the payment used by the User, the total amount of the items purchased by the User.

4. Online season ticket purchase, renewal

The data processing takes place on the basis of the User’s voluntary declaration based on proper notice, which is required - in case of season ticket purchase - to use the ticket purchase service running on the webpage and for the delivery of the further notifications relating to the season ticket. The User provides the declaration upon using the service. The declaration contains the User’s express consent to use his/her personal data provided during the use of the page. The legal basis of the data processing is the voluntary consent of the data subject according to the Right of Informational Self-Determination and on Freedom of Information and the contents of Act on Accounting.

The purpose of data processing is the provision of season ticket purchase and renewal service on the web page, the documenting of the purchase and payment, the fulfillment of the accounting obligation. Furthermore, the purpose of data processing is the identification of the User as ticket buyer, the completion of the service ordered, the possibility of the sending of the related notifications, the invoicing and the completion of the payment, the registration of the Users and differentiating them from each other, the notification about the annual renewal options of the season ticket (via e-mail or postal letter), reminder about the next season ticket performance (via e-mail or postal letter), in case of free season ticket, notification in every 2 months about the programs and events of the performance venue (via e-mail) - to facilitate the choices of the User. Data processed: surname and first name, phone number, e-mail address, password given during the preliminary registration, delivery address given upon requesting home delivery, the billing address given for the issuing of invoice, the number, date and time of transaction, content of receipt, customer code, in case of VAT invoice the name, address and tax number. Duration of data processing: 8 years

5. Electronic newsletter

If the User subscribes to the newsletter, the data controller may send newsletter in a frequency according to its own decision (but maximum twice a week) except if the User requests the sending of the newsletter in a higher frequency. The data controller, if possible, tries to offer events for the readers of the newsletter tailored to the user’s interest estimated according to his/her residence and/or former purchases and other data provided. Upon the subscription to the newsletter the User consents that the data controller process his/her personal data required for this.

Purpose of data processing: sending e-mail newsletters containing also advertisements for those interested. Legal basis of data processing: consent of data subject, Act of on Essential Conditions of and Certain Limitations to Business Advertising. Scope of data processed: name, e-mail address, residence, data listed on registration, data on earlier purchases, data related to the interests of the User, provided by User.

Duration of data processing: until revocation of consent The newsletter can be cancelled by clicking on the Unsubscribe link on the bottom of the newsletter. The personal data will be deleted within 10 business days from the receipt of the deletion request.

6. Cookie and location

The data controller, in order to provide tailored service, saves a small data packet (“cookie”) on the User’s computer. The purpose of the cookie is to provide working of the web page at the highest possible standard to improve user experience. Upon visiting the web page and using its certain functionality, User gives the consent to store the mentioned cookies on the User’s computer and to access them by the data controller. The User can set and prevent the cookie activities with the browser. However, be advised that in this latter case, without the use of cookies the User may not be able to use all the services of the web page. More detailed information about the cookies are available upon clicking on

the “More information” button at the cookie notification appearing on the cooltix.at web page (Cooltix.at Privacy Policy).

If the User uses the service from a mobile device (e.g. smartphone), then upon downloading the program asks for permission to use the location as data. With the User’s permission, the application can offer personally tailored searches which considers the actual location of the User. The location as data will not be recorded in the data controller’s system, it enables only certain functions (more precise search, “around you” function, etc.) to be used during the actual transaction.

7. Statistical data

The data controller may use the data for statistical purposes. The use of the statistically aggregated data must not contain the name or any other data suitable for the identification of the User in any form.

8. The technically recorded data during the operation of the system

The technically recorded data during the operation of the system are the data of the User’s computer which are generated during the use of the service and which are recorded as the automatic result of the technical processes. The data which are automatically recorded are logged without the separate declaration or activity of the User upon login or logout. These data - except in cases made obligatory by law - must not be connected to any other personal data. The data can only be accessed by the data controller. The purpose of the data automatically recorded are the provision of services available via the data controller’s internet sites, the display of tailored content and ads, preparing statistics, the technical development of the IT system, the protection of the Users’ rights and the general analysis of the user habits. The data made available by the Users during the use of the service may be used by the data controller to create User groups and display targeted contents and/or ads on the data controller’s web pages for the User groups.

The data technically recorded automatically during the operation of the system are being stored in the system for the duration justified by the provision of the system operation from the time of their generation. The Company provides that these automatically recorded data - except in cases made obligatory by law - must not be connected to any other personal data. If the User cancelled his/her consent to the processing of his/her personal data or unsubscribed from the service, then following this, his/her person will not be identifiable from the technical data.

9. Recording of telephone conversations

Purpose of data processing: ticket purchase, program offers, quality improvement, documenting and more effective handling of the user needs and problems. Legal basis of data management: consent of data subject. Scope of the data processed: telephone conversation of the customer and the Provider’s employee, the date and time of the conversation. Duration of data processing: 5 years

10. Web pages of the Provider

The html code of the portal contains links to and from third-party server independent of Cooltix GmbH. The provider of these links, due to the direct connection to their servers are capable of collecting User’s data.

Third-party provider assists in the independent measurement of the visit and other web analytics data of the website. About the management of the measurement data, the data controller can provide detailed information and is available at:

Google Analytics

Company

Google LLC

Registered office

1600 Amphitheatre Parkway, Mountain View, California, U.S.

website

http://analytics.google.com/

Facebook Pixel

Company

Facebook, Inc.

Registered office

1601 Willow Rd, 94025 Menlo Park, California

website

https://developers.facebook.com/docs/facebook-pixel/implementation/gdpr/

HotJar

Company

Hotjar Limited

Registered office

Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta

website

https://www.hotjar.com/legal/policies/privacy/

Bugsnag

Company

Bugsnag Inc

Registered office

Level 5

The Old Malthouse, Clarence Street

Bath, United Kingdom BA1 5NS

website

https://docs.bugsnag.com/legal/privacy-policy/

11. Other data processings

Information on data processings not indicated in this notification is provided upon the recording of the data. We advise our visitors that the jury, the prosecutor, the investigating authority, infraction authority, the administrative authority, the data protection officer, and, upon legal entitlement, other bodies for the purpose of information, data disclosure, transfer and making documents available, may contact the data controller. The Provider - if the authority indicated the exact purpose and scope of the data - will provide personal data for the authorities only to the extent indispensable to fulfill the objective of the request.

12. The data controller does not inspects the personal data provided to it. For the appropriateness of the data provided the person providing it is solely responsible. Any User, upon providing his/her e-mail address, takes the responsibility that from the e-mail address provided the service is used exclusively by him/her. Regarding this responsibility, any liability in connection to the logins from the e-mail address provided lies exclusively on the User having registered that e-mail address. If the User provides not his/her own personal data, then he/she is obliged to acquire the consent of the data subject.

13. Those entitled to know the personal data are colleagues in employment relationship or work contract, the employees of the courier service collaborating in the delivery of the products (if delivery is requested by the user), and the data processors.

V. Transmission of the data, description of the data processors

1. The Provider transfers data to third parties only upon the prior and informed consent of the User. This does not apply the data transmission mandatory by law and to the transfers for the data processors indicated in this document.

2. With the use of the services, the User gives consent to the Provider to transfer the data for the partners below:

- For the organizer of the particular event for the purpose of direct and immediate notification about the cancellation, change of time of the event or about any important circumstance concerning the visitor, and - in case of event cancellation - for the direct management of the redemption or exchange of the tickets.

- For the provider providing the technical conditions of the billing, as data processor, which are the following: cooltix.at, operator: Cooltix GmbH,

- The tasks relating to the sending e-mail for Users are done by the data controller itself and/or, based on a contract made with the data controller as data processor.

Google Mail

Company

Google LLC

Registered office

1600 Amphitheatre Parkway, Mountain View, California, U.S.

website

http://analytics.google.com/

- For the financial institutes participating in the purchase process and conducting the payment, the Provider transfers data required by the given financial institute for the payment process. The scope of the data is different for each financial institute. The personal data provided on the financial institute’s own data collection pages will not be known for the Provider.

- If the User makes a purchase using a special allowance providing discount (e.g. Supershop card), then the data controller transfers the buyer’s data required by the company to the company providing allowance. The User may request information about the data processing rules concerned directly at the company providing it. The data controller does the automated processing of the identifiers of such devices or other data only to an extent which is required by the provider company for the realization of the purchase and to provide discounts.

3. The Provider, as Data controller is entitled and obliged to transmit any personal data available to and properly stored by it to the competent authorities the transmission of which are obligatory by legislation or binding authority obligation. For such data transmission and the consequences resulting from it, the data controller cannot be held responsible.

VI. Data security measures

1. In processing and storing personal data, the Provider proceeds with the maximum care possible. In the field of IT security, the Provider applies the most efficient, state-of-art devices and processes reasonably available.

2. The data controller must plan and execute the data processing operations to ensure the privacy of the data subjects.

3. The data processor and, in its scope of activities, the data controller must ensure the security of the data, and additionally must do the technical and organisational measures and establish those procedural rules which are required for the application of the Avtv and the other data protection secrecy rules.

4. The data are to be protected with the appropriate measures particularly against unauthorized access, modification, transmission, disclosure, deletion or destruction, and the accidental destruction and damage, furthermore against becoming inaccessible due to the changes in the applied technology.

5. For the protection of the data files processed electronically in various records it must be ensured with appropriate technical solution that - except if made possible by law - the data stored in the records be not directly connectable and assigned to the data subjects.

6. During the automated processing of the personal data the data controller and the data processor ensures, with additional measures,

a) the prevention of unauthorized data entry;

b) the prevention of unauthorized use of the automatic data processing systems by unauthorized persons with data transmission equipment;

c) the inspectability and determinability that the personal data were or can be transmitted by data transmission equipment to which organizations;

d) the inspectability and determinability that which personal data were entered into the automatic data processing systems by whom and when;

e) the restorability of the installed system after malfunction and

f) to ensure that report is generated about the errors occurring during the automated processing.

7. The data controller and the data processor shall consider the actual level of technology when defining and applying the data security measures. From multiple possible data processing solution the one to be chosen is the one which provides the higher level of personal data protection, except if it poses disproportionate difficulties for the data controller.

8. The Provider chooses and operates the IT devices used for the personal data processing during the provision of service so that the data processed:

a) is accessible for those authorized (availability);

b) is ensured to be authentic and to be authenticated (authenticity of the data processing);

c) can be proved to be unchanged (data integrity);

d) is protected against unauthorized access (data confidentiality).

9. The Provider ensures the security of the data processing with such technical, organizational and organisational measures which provide protection level adequate to the risks occurring in relation with the data processing.

10. The Provider, during data processing, preserves

a) secrecy: protects the information so as only those authorized may access it;

b) integrity: protects the accuracy and completeness of the information and the processing method;

c) availability: ensures that if the authorized user needs to, he/she can access the required information and the related devices be available.

11. The IT system and network of the Provider is protected both against computer-assisted fraud, spying, sabotage, vandalism, fire and flood, and additionally against computer viruses, intrusion and denial-of-service attacks. The Provider ensures the security with server level and application level protection measures.

12. The electronic messages, regardless to protocol (e-mail, web, ftp, etc.) are vulnerable to network threats which may lead to unauthorized activity or the disclosure or modification of the information. For the protection against such threats the Provider does all reasonable protective measures. It monitors the systems in order to record any security deviation and serve evidence in case of all security events. However, the internet is well known – and so known for the Users – to be not hundred percent secure. For the possible damages caused by unavoidable attacks occurring despite the reasonable maximum care the Provider is not responsible.

VII. Rights of data subjects and their application, objection against personal data processing, judicial exercise of rights and compensation

1. The request for change in personal data and the deletion of personal data can be indicated by sending a a written statement expressed in private document providing full evidence from the registered e-mail address or via post. Additionally, certain personal details can also be modified by modification on the page containing the personal profile. Following the completion of a request for deletion or modification of personal data the former (deleted) data cannot be restored any longer.

Users may request information about the processing of their personal data. Enquiry sent via e-mail is considered by the data controller to be authentic if it is sent from the registered e-mail address of the User. Upon the data subject’s request the data controller provides information about the data processed by it or by the data processor entrusted by it, their source, the purpose, legal basis and duration of the data processing, the name and the address of the data processor and about its activities relating to the data processing, furthermore - in case of the transmission of the data subject’s personal data - the legal basis and the recipient of the transmission. The enquiry request is to be sent via e-mail to the address ticket@cooltix.rs. The Provider is to provide the information within the shortest possible time but in maximum 30 days from the receipt of the enquiry in a clear and understandable form, in writing upon this request of the data subject.

The information described above is free of charge if the enquirer had not submitted an enquiry for the same range of data in the actual year. Otherwise costs may be applied. The cost already paid must be reimbursed if the data was processed illegally or the request for information lead to correction.

The information for the data subject can only be denied by the data controller in cases defined in Avtv. In case of the denial of information the data controller informs the data subject in writing about which provision of this law resulted in the denial of information. In case of the denial of information the data controller informs the data subject about the possibility of judicial remedy and the contact with National Authority for Data Protection and Freedom of Information (hereinafter: Authority). The data controller notifies the Authority about the rejected enquiries until 31st January of the year following the year concerned.

2. The data subject may request the correction of his/her personal data at the data controller and the deletion or blocking of his/her personal data except for the mandatory data processing.

3. The data controller, for the purpose of the checking of the legality of data transmission and for the purpose of informing the data subject keeps a data transmission register which contains the time of transmission of the personal data processed by it, the legal basis and the recipient of the transmission, the definition of the scope of personal data transmitted and other data specified in the legislation regulating the data processing.

4. If the personal data is incorrect and there is correct data available for the data controller, the data controller corrects the personal data. 5. Personal data must be deleted if

a) its processing is illegitimate;

b) the data subject requests it – according to the contents of Avtv;

c) it is defective or wrong – and this state is not legally remediable – provided that the deletion is not excluded by law;

d) the purpose of data processing is ceased or the duration determined by law for the storage of data is expired; e) it is ordered by jury or the Authority.

In case of point d) of the paragraph above the deletion obligation does not apply to such personal data the medium of which is to be submitted to archives according to the legislation on the protection of archival material.

5. Instead of deletion, the data controller blocks the personal data if the data subject requests so or it can be assumed according to the information available that the deletion may infringe the legitimate interests of the data subject. The personal data blocked this way can only be processed while the data processing purpose excluding the deletion of personal data exists.

6. The data controller marks the personal data processed if the data subject debates its correctness or accuracy but the incorrectness or inaccuracy of the debated personal data cannot be clearly determined.

7. It is required to notify the data subject and anyone to whom the data was transmitted for data processing about the correction, blocking, marking and deletion. The notification may be omitted if it does not infringe the legitimate interest of the data subject regarding to the purpose of data processing.

8. If the data controller does not complete the request of the data subject for correction, blocking or deletion, it describes in writing, within 30 days from the receipt of the request, the factual and legal reasons for the denial of the request. In case of the denial of correction, deletion or blocking, the data controller informs the data subject about the possibility of judicial remedy and the contact with the Authority.

9. The data subject must be informed prior to the beginning of data processing whether the data processing is based on consent or it is mandatory.

10. The data subject must be informed clearly and in detail prior to the beginning of data processing about all facts related to the processing of his/her data, in particular about the purpose and legal basis of data processing, the person authorized for data processing, the duration of the data processing and whether the personal data of the data subject is processed by the data controller according to Avtv § 6. Paragraph (5) and about who may know the data. The information shall cover the data subject’s rights related to the data processing and the possible legal remedies. In case of mandatory data processing the notification may be done by the disclosure of the reference to the legal provisions containing the information according to the paragraph above.

11. The data subject may object to the processing of his/her personal data,

a) if the processing or transmission of personal data is required exclusively for the completion of legal obligation related to the data controller or for the application of the legitimate interest of data controller, data importer or third person, except in case of mandatory data processing;

b) if the use or transmission of the personal data is done for the purpose of direct marketing, public opinion survey or scientific research; and

c) in other cases defined by law.

The data controller assesses the objection in the shortest possible time but maximum within 15 days from the receipt of the submittal of the request, makes a decision regarding its justification and notifies the requester about its decision.

If the data controller determines the objection of the data subject to be justified, it will stop the data processing – including data collection and transmission –, blocks the data and sends notification about the objection and the actions done based on it to all to whom the data related to the objection had been transmitted and who are to act in order to apply the right to objection.

If the data subject disagrees with the decision made by the data controller or the data controller fails to act within the applicable deadline, the data subject – within 30 days from the notification about the decision or the last day of the deadline – may apply to court in a way as determined by applicable local law.

If the data importer cannot receive the data required for the application of its rights due to the objection of the data subject, then in order to acquire the data, it may apply to court – in a way as determined by applicable local law – against the data controller within 15 days from the notification. The data controller may involve the data subject into the suit.

If the data controller fails to notify, the data importer may request information from the data controller about the circumstances related to the failure of the data transmission, which information must be provided by the data controller in 8 days following the delivery of the request of the data importer. In case of requesting information the data importer may apply to court against the data controller within 15 days from the provision of information or at the latest from the deadline for it. The data controller may involve the data subject into the suit.

The data controller cannot delete the data of the data subject if the data processing had been ordered by law. However, the data cannot be transmitted to the data importer if the data controller agreed with the objection or the court justified the legality of the objection.

12. The data subject, in case of the infringement of his/her rights and in cases determined by applicable local law, the data importer may apply to court against the data controller. The court proceeds with priority in the case.

The fact whether the data processing complies to the legislation, is to be proven by the data controller. In case according to applicable local law, the data importer is to prove the legality of the data transmission to it.

The evaluation of the suit is in the competence of the general court. The suit – according to the choice of the data subject – may be commenced at the general court of the residence or dwelling of the data subject.

In the suit, one without legal capacity may also be a party. The Data Protection Authority may intervene into the suit for the court success of the data subject.

If the court agrees with the request, it will oblige the data controller to provide information, the correction, blocking, deletion of the data, the forfeiture of the decision made with automated data processing, the considering of the data subject’s right to objection and to the disclosure of the data requested by the data importer defined by applicable local law.

If the court, in cases defined by applicable local law, rejects the data importer’s requests, the data controller is obliged to delete the data subject’s personal data within 3 days from the disclosure of the judgment. The data controller is to delete the data even if the data importer does not apply to court within the deadline determined by applicable local law.

The court may order the public disclosure of its judgment – with the disclosure of the identification data of the data controller – if it is required by the interest of data protection and the rights of the higher number of data subjects protected by this law.

13. The data controller must compensate for all damage caused to others by the illegitimate processing of the data subject’s data or the breach of the data security requirements. Against the data subject, the data controller is also responsible for the damage caused by the data processor The data controller is relieved from the responsibility if it can prove that the damage is caused by an unavoidable reason outside of the scope of data processing. The damage needs not to be compensated for if it resulted from the intentional or grossly negligent conduct of the claimant.

VIII. Right enforcement possibilities:

Should you have any questions or observations, contact the colleague of the Provider at the e-mail address ticket@cooltix.at. The User may exercise his/her right enforcement options at the court according to the data protection law and the Civil Code.

Attachment

Definitions applied in this Privacy Notification

data file: the aggregate of data processed in one register;

data controller: natural or legal entity or entity without legal personality which, on its own or together with others, defines the purpose for data processing, makes and executes the decisions related to data processing (including the means used) or have them executed by a data processor entrusted by it; data controller:

a. Cooltix GmbH (registered office: Vorgartenstraße 204, 1020 Wien) and Cooltix Kft (registered office: 1084 Budapest, József utca 3. 3/27);

b. during the performances and events, the Event Organizer for whose event the User purchased the passes; the name and data of the event organizer are available at the cooltix.rs page and on the pass.

data processing: regardless to the procedure applied, any operation or batch of operations done on the data, thus, in particular the collection, registering, recording, classification, storage, modification, use, query, transmission, public disclosure, coordination or connection, blocking, deletion and destruction of the personal data, and the prevention of the further use of the data;

data processing: execution of technical tasks related to the data management operations regardless to the method and the means applied to execute the operations and the location of the application, provided that the technical task is executed on the data;

data processor: natural or legal entity or entity without legal personality which, according to its contract made with the data controller – including the contracting according to the provision of legislation – performs the processing of data; data marking: the marking of the data with an identification mark for the purpose of its differentiation; data destruction: the total physical destruction of the medium containing the data; data transmission: the making of the data available for specific third person; data deletion: making of the data unrecognizable in a way that their restoration is no longer possible; data blocking: marking of the data with an identification mark to limit its further processing for indefinite or definite period; automated data file: series of data to be processed automatically;

EEA state: EU Member State and other State Party in the Agreement on the European Economic Area, and the state whose citizen is granted the same legal status as those of State Party in Agreement on the European Economic Area based on the international contract between the European Union and its Member States and a non-State Party of the Agreement on the European Economic Area;

data subject: any definite natural person identified or – directly or indirectly – identifiable based on personal data;

User: natural person which registers on the Provider’s home page or makes a purchase without registration;

machine processing: contains the following operations if those are performed in part or whole with automated devices: data storage, logic or arithmetic operations performed on the data, modification, deletion, retrieval and distribution of data; third country: any country which is not EEA state;

third person: natural or legal entity or entity without legal personality which is not identical to the data subject, data controller or data processor;

consent: the voluntary and definite expression of the data subject’s will, which is based on appropriate information and with which the data subject gives his/her unambiguous approval for the – complete or covering some operations – processing of personal data relating to him/her; public disclosure: making of the personal data available for anyone;

personal data: data which can be related to the data subject – in particular the name, identification mark of the data subject, and one or more pieces of physical, physiological, mental, economic, cultural or social knowledge characteristic to his/her identity

-, and the conclusion relating to the data subjects that can be drawn from the data;

objection: the statement of the data subject with which he/she objects to the processing of his/her personal data and requests the termination of data processing or the deletion of the data processed.