Privacy Notice for Participants in Events (Online and in-person)
BerlinFlame GmbH (hereinafter “we”) attaches particular importance to the protection of your privacy and personal data. With this privacy notice, we would like to provide you with comprehensive information on how we handle your personal data when you, as a natural person, come into contact with us in the context of participating in one of our events (congresses and webinars or in a similar context).
1 Responsibilities
1.1 Controller within the meaning of data protection law
The controller responsible for data processing is:
BerlinFlame GmbH
Berner Straße 21a
12205 Berlin
E-Mail: info@berlinflame.de
1.2 Our Data Protection Officer
We have appointed an external data protection officer for our organization, who can be reached using the following contact details:
Boris Nicolaj Willm (Resilien[i]T GmbH)
Phone: +49 (0) 211 695289 92
E-Mail: dsb.berlinflame@resilienit.de
1.3 Competent data protection supervisory authority
You can reach the supervisory authority responsible for us at:
Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59-61
10555 Berlin
Phone: 030 138890
E-Mail: mailbox@datenschutz-berlin.de
2 What data do we process – and why?
2.1 Children and adolescents
Our services are generally intended for adults. Persons under the age of 18 may not transmit personal data to us without the consent of their legal guardians.
2.2 Registration (sign-up)
When you register for webinars and congresses, we process the personal data you provide in the registration form to the extent necessary to handle your registration and organize the respective event. In particular, this includes master data and contact data such as your name and e-mail address, and, where applicable, information about your company, your role, or other event-related information.
Your data is processed for the purposes of participant administration, organizing and conducting the webinar or congress, and sending registration confirmations, access information, organizational notices, and, where applicable, event-related documents.
The legal basis is Art. 6(1)(b) GDPR insofar as processing is necessary for carrying out pre-contractual measures or a contractual relationship. Insofar as processing is necessary for the efficient planning, organization, and follow-up of our events, it is carried out on the basis of Art. 6(1)(f) GDPR.
2.3 Participation in online webinars
When participating in online webinars, we process personal data to the extent necessary to conduct the event. This includes, in particular, registration data, technical connection and usage data, and, where applicable, content that you provide during your participation via audio, video, chat, or other interaction functions.
Processing takes place for the purpose of conducting the webinar, participant interaction, and ensuring technical functionality and IT security.
The legal basis is Art. 6(1)(b) GDPR insofar as processing is necessary for conducting the webinar or pre-contractual measures. Otherwise, processing is carried out on the basis of Art. 6(1)(f) GDPR for the proper organization, implementation, and safeguarding of our online events.
If an online webinar is recorded or transcribed and personal data of participants is processed in this context, in particular through the capture of image, audio, or verbal contributions, such processing is carried out exclusively on the basis of prior consent in accordance with Art. 6(1)(a) GDPR. Consent is voluntary and can be revoked at any time with effect for the future.
2.4 Participation in congresses and hybrid events
In connection with your participation in congresses and / or hybrid events, we process personal data to the extent necessary for the organization, implementation, and follow-up of the respective event. This includes, in particular, registration and contact data, participation-related information, and, where applicable, information and content that you provide during your participation on site or through the use of digital functions.
Processing takes place for the purposes of participant administration, organizing and conducting the event, communicating with participants, and ensuring technical and organizational processes.
The legal basis is Art. 6(1)(b) GDPR insofar as processing is necessary for carrying out the event or pre-contractual measures. Insofar as processing serves the efficient planning, organization, implementation, and follow-up of our congresses and / or hybrid events, it is carried out on the basis of Art. 6(1)(f) GDPR.
As part of the event, photo, image, and audio recordings may be made and published for documentation, follow-up reporting, and public relations purposes, in particular on our websites, in social media, and in print media. The legal basis for this is Art. 6(1)(f) GDPR. Our legitimate interest lies in documenting the event and informing the public about our activities. You have the right to object to this processing at any time on grounds relating to your particular situation. Where the statutory requirements are met, we will cease further processing and delete the recordings concerned. However, content that has already been published in print media or on the internet may not be fully removable in all cases.
2.5 Information about further webinar and congress offers
We may also process your contact details in order to send you information about further webinars, congresses, and comparable event offers of our own, provided there is a factual connection to your previous participation or registration.
Processing takes place for the purpose of providing information about further event offers and maintaining existing participant and prospective participant contacts.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in informing interested parties about further thematically suitable events of our own. You may object to this processing at any time with effect for the future.
2.6 Systems used for online transmissions and communication
We use various technical systems and service providers to conduct our online webinars and hybrid events.
Preparatory and accompanying learning content is provided via our own platform. Access is via a personal user account and is generally only possible for registered participants with a valid ticket.
For the technical implementation of on-site livestreams (e.g. in hybrid events), we also use external production service providers who realize the transmission using camera and streaming technology.
2.6.1 StreamYard (online events)
We use the StreamYard service to conduct online events, interviews, webinars, livestreams, and, where applicable, their recording. In this context, personal data of participants or connected guests may be processed. This includes, in particular, name or display name, image and audio data, chat and communication content, and technically necessary connection and usage data.
Processing takes place for the purposes of planning, conducting, transmitting, recording, following up, and, where applicable, later providing online events and livestreams. The legal basis is Art. 6(1)(b) GDPR insofar as processing is necessary for the performance of a contract or pre-contractual measures. Otherwise, processing is carried out on the basis of Art. 6(1)(f) GDPR due to our legitimate interest in efficient digital communication, event implementation, documentation, and follow-up. If consent is obtained for recording or subsequent publication, processing is additionally carried out on the basis of Art. 6(1)(a) GDPR.
Insofar as StreamYard processes personal data on our behalf to provide the streaming, communication, and recording function, this is done within the framework of processing on behalf pursuant to Art. 28 GDPR. Insofar as StreamYard processes data for its own purposes, in particular in connection with account, billing, security, and compliance processes, such processing takes place under the provider’s own data protection responsibility.
If an event is recorded, the image, audio, and, where applicable, chat contributions captured in this way are processed for the purpose of documentation, follow-up, and, where applicable, later internal or external provision. We will provide separate notice of any recording before the start of the respective event.
Personal data may also be processed in countries outside the European Union or the European Economic Area, in particular in the USA. Where there is no adequacy decision or no equivalent level of data protection, the transfer is based on suitable safeguards, in particular EU standard contractual clauses, where applicable.
Further information on data processing by StreamYard can be found in the provider’s privacy notice: https://support.streamyard.com/hc/en-us/articles/15401585037204-Privacy-Policy
2.6.2 Zoom (video conferences and webinars)
We use the Zoom service to conduct online meetings, video conferences, and webinars. The provider is Zoom Communications, Inc. In this context, personal data of participants may be processed. This includes, in particular, name, display name, e-mail address, image and audio data, chat and communication content, shared content, and technically necessary connection and usage data.
Processing takes place for the purpose of conducting and technically providing online meetings and digital communication. Depending on the occasion and design of the respective event, we base the processing on Art. 6(1)(b) GDPR insofar as processing is necessary for the performance of a contract or pre-contractual measures, on Art. 6(1)(f) GDPR for safeguarding our legitimate interests in efficient internal and external communication and organization, or on Art. 6(1)(a) GDPR where consent is obtained.
Insofar as Zoom processes personal data on our behalf to provide the communication services, this is done within the framework of processing on behalf pursuant to Art. 28 GDPR. It cannot be ruled out that Zoom carries out certain data processing operations, in particular in connection with security, diagnostics, billing, or compliance purposes, under its own data protection responsibility.
If online meetings, video conferences, or webinars are recorded, we will inform you in advance or at the beginning of the respective event. In this case, image, audio, and, where applicable, chat contributions may be processed and stored to the extent necessary for documentation, follow-up, or later provision. Where legally required or appropriate in individual cases, we will obtain consent for this.
It cannot be ruled out that personal data will also be processed in countries outside the European Union or the European Economic Area, in particular in the USA. Where a level of data protection comparable to that of the EU is not ensured, a transfer will only take place in compliance with the legal requirements and using suitable safeguards where available.
Further information on data processing by Zoom can be found in the provider’s privacy notice: https://www.zoom.com/de/trust/privacy/privacy-statement/
2.6.3 MailerLite (e-mail communication)
We use the MailerLite service to send access data, organizational information, and event-related content. In particular, contact data such as name and e-mail address are processed.
Processing takes place for the preparation, implementation, and follow-up of events, as well as for transmitting the information required for this purpose. Depending on the occasion and design of the communication, we base the processing on Art. 6(1)(b) GDPR insofar as processing is necessary for the performance of a contract or pre-contractual measures, on Art. 6(1)(f) GDPR for safeguarding our legitimate interests in efficient and reliable event organization and communication, or on Art. 6(1)(a) GDPR where consent has been obtained.
Insofar as MailerLite processes personal data on our behalf to provide the service, this is done within the framework of processing on behalf pursuant to Art. 28 GDPR. It cannot be ruled out that MailerLite carries out certain data processing operations, in particular in connection with security, abuse prevention, compliance, or billing purposes, under its own data protection responsibility.
It cannot be ruled out that personal data will also be processed in countries outside the European Union or the European Economic Area. Where a level of data protection comparable to that of the EU is not ensured, a transfer will only take place in compliance with the legal requirements and using suitable safeguards where available.
Further information on data processing by MailerLite can be found in the provider’s privacy notice: https://www.mailerlite.com/legal/privacy-policy
3 From whom do we receive your data?
As a rule, we receive your personal data directly from you.
In individual cases, however, it may happen that third parties (e.g. colleagues, supervisors, or organizational contacts) transmit personal data of several participants to us as part of a collective booking. In such cases, we assume that the transmitting person is entitled to disclose the data and that the affected participants have been informed about the data processing.
The transmitted data is processed exclusively for the purpose of organizing and conducting the event. Responsibility for the lawfulness of the data transfer lies with the registering person.
4 To whom do we disclose your data?
As a matter of principle, we only disclose your personal data to third parties if this is necessary for the establishment, performance, or termination of a contract or a relationship similar to a contract, or if there is another legal basis for doing so.
Where we use external service providers, this is done within the framework of processing on behalf pursuant to Art. 28 GDPR. In these cases, we ensure through corresponding contracts and appropriate controls that the processing of your personal data is carried out in accordance with the GDPR. Processors may include, for example, IT service providers, hosting providers, and support providers. These service providers are contractually obliged to delete personal data after completion of the service or return it to us in accordance with the legal requirements.
Your data will only be transferred and disclosed to external recipients if this is permitted or required by law or if you have given your consent.
Your data may be disclosed to the following recipients:
- Public authorities and institutions, as well as law enforcement authorities, that receive data on the basis of legal provisions (e.g. tax office, BaFin, tax auditors, courts, employment agency, etc.);
- In the event of a legal dispute or suspicion of a criminal offense (e.g. courts, opposing lawyers, authorities, contractual partners, advisers, business partners, opposing parties, insofar as necessary to safeguard our rights);
- Tax advisers, auditors, data protection officers, information security officers, or legal advisers;
- Payment service providers for the processing of a payment transaction (e.g. banks, payment services);
- Debt collection service providers or credit agencies, insofar as necessary to safeguard our rights;
- IT and other service providers (e.g. for IT maintenance, cloud services, applications, website support, advertising agency, destruction of files and data carriers, credit checks, sanctions list checks, as well as security and guard services, caterers, call centers);
- Printing and logistics companies, telecommunications service providers, delivery services, the recipient’s e-mail provider, data carrier disposal service providers;
- Medical associations or competent continuing education bodies for the awarding of continuing education points (CME), in particular via central systems such as the Uniform Continuing Education Number (EFN) and platforms such as eiv-fobi.de. For participants outside Germany, no central transmission takes place; they receive certificates of attendance for their own submission.
Please also note that content from online meetings may generally be accessible to all participants in the respective event. If you participate online in an event, the provider of the online meeting software used has access to your data insofar as this is necessary within the framework of processing on behalf. This does not apply if the online meeting is conducted with end-to-end encryption. In this case, the provider of the online meeting software cannot access the content of the meeting.
5 Information on the transfer of data to third countries
Within our organization, we use services from providers located in countries outside the European Economic Area where there is no level of data protection comparable to that of the EU. When using these services, your personal data may be transferred to these countries and processed there. We ensure that such transfers take place only in compliance with Art. 44 et seq. of the General Data Protection Regulation (GDPR) in order to ensure an adequate level of protection for your data.
6 Automated decision-making or profiling
We do not use any automated decision-making processes or profiling in the context of processing that have legal effects on you or similarly significantly affect you. All significant decisions are made by our employees and are based on a careful assessment of the individual case.
7 Storage period
The personal data processed in connection with participation in events is generally stored only for as long as necessary for the implementation and follow-up of the event.
- Participant data in connection with event processing is generally stored for up to five years, provided there are no statutory retention obligations to the contrary.
- Contact data may also be stored beyond this if there is further communication in connection with future events (e.g. sending information or newsletters), provided this is legally permissible.
- To access provided learning content, participants receive a user account through which content is generally available for at least four months after the event. The user account may also remain in existence beyond this in order to use future content (e.g. additional continuing education offers).
Where processing is based on consent, we store the data until the purpose of the processing ceases to apply or the consent is withdrawn.
8 What rights do you have in relation to your data?
As a data subject, you have the following rights vis-à-vis us with regard to your personal data:
- Right to information / right of access to your stored personal data pursuant to Art. 15 GDPR;
- Right to rectification and updating if the stored data concerning you is incorrect, outdated, or otherwise inaccurate pursuant to Art. 16 GDPR;
- Right to erasure if the storage is unlawful, the purpose of the processing has been fulfilled and the storage is no longer necessary, or if you withdraw consent given for processing, pursuant to Art. 17 GDPR;
- Right to restriction of processing if one of the conditions set out in Art. 18(1)(a) – (d) GDPR is met, pursuant to Art. 18 GDPR;
- Right to data portability of the personal data concerning you that you have provided, pursuant to Art. 20 GDPR;
- Right to object to data processing pursuant to Art. 21 GDPR;
- Right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR;
- Right to withdraw consent given, whereby the withdrawal does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal, pursuant to Art. 7(3) GDPR.
Detailed information on the rights of data subjects can be found on our website in the privacy notice provided there. If you have any questions about how we handle data protection, you can contact our data protection officer, who will be happy to provide you with detailed information about the rights to which you are entitled.
Exercise of your rights as a data subject: You can assert your rights and, where applicable, your objection informally by post or e-mail addressed to:
BerlinFlame GmbH
Berner Straße 21a
12205 Berlin
E-Mail: info@berlinflame.de
To ensure efficient processing and response to your request, we ask you to provide proof of your identity when exercising your rights.
9 Changes to this privacy notice
Due to ongoing technical developments and possible changes in the legal situation, we reserve the right to adapt this privacy notice if necessary. We will make the current version available to you in the app or on our website.
10 Note on further privacy information
Further privacy information of our organization also applies, in particular regarding general processing within the scope of the contractual relationship and the use of our website.