Data Protection Policy

This policy does not apply to the Berlin Airport Sticker app. We do not process any personal data within the Berlin Airport Sticker app. The app provides you with our company’s special designs for Mes-senger without collecting personal data or tracking.

In addition to these policies, the respective terms and conditions and data privacy policies of the app store you use apply. We have no influence on these and ask you to contact the respective app store operator if you have any questions.

The controller for personal data processing and the provision of information of the app is

Flughafen Berlin Brandenburg GmbH,
represented by the management
12521 Berlin
Phone: +49 30 609160910
Email: commercial@berlin-airport.de

Your personal data will only be processed to the extent necessary for the functional provision of the application and the app ser-vices and in the cases described below under “Special app fea-tures”.

When using the BER app, a server connection to our systems is established and the following information is logged: name of the retrieved file, date and time of the retrieval, data volume trans-ferred, report on successful retrieval, app ID, language setting, operating system of the end device and requesting domain & IP address. 

This logging is done for data security reasons and to ensure the stability and operational reliability of our system and to protect against possible attacks from outside. The log data is anonymised after seven days at the latest and statistically analysed to optimise the service. In the process, users’ IP addresses will be erased or distorted so that assignment to personal information is impossi-ble. The legal basis for this processing is Art. 6 Para. 1 S. 1 lit. f GDPR due to our legitimate interest in enabling the use of the app and the permanent functionality and security of our systems.

Products or services purchased from us via the BER app are pro-cessed by Flughafen Berlin Brandenburg GmbH in compliance with the requirements of German tax law and any personal reference is deleted after expiry of the statutory storage regulations (usually 10 years). This is mostly order data (service, day, price, quantity, pay-ment processing) for purchased products and services.

Usage data stored in the BER app is deleted as soon as you bring this about by uninstalling the app or by changing the app settings.

You have the option of sending us messages via the app. For this, the feedback feature uses an email processing program installed on the end device, provided that you have authorised this. The creation and mailing of messages is processed exclusively in the respective email processing program so that no additional data processing is performed within the app or the FBB app servers. The legal basis for this data processing is Art. 6 Para. 1 S. 1 lit. f GDPR due to our legit-imate interest in processing emails sent as in the course of feedback. 

Furthermore, our app offers special features (as described below), some of which involve necessary and some optional data pro-cessing. If you wish to use certain features of the app, you must grant the app certain access rights to application features on your end device.

Data processing that is absolutely necessary for the provision of special features is carried out on the basis of our legitimate interest in accordance with Art. 6 Para. 1 lit. f GDPR. Access to and storage of information on the end device is absolutely necessary in these cases and is done based on the implementation laws of the EU member states’ ePrivacy Directive, in Germany in accordance with Section 25 Para. 2 Telecommunications-Telemedia Data Protection Act (TTDSG).

All other non-essential (optional) data processing that provides ad-ditional features is done based on your consent in accordance with Art. 6 Para. 1 lit. a GDPR. Access to and storage of information on the end device is done based on the implementation laws of the EU member states’ ePrivacy Directive, in Germany in accordance with Section 25 Para. 1 Telecommunications-Telemedia Data Protection Act (TTDSG). Any consent granted can be turned on or off by you at any time in the settings menu of our app.

4.1. Push notifications and saved flights feature

Our app offers a saved flights feature. If you select this feature and activate push notifications, we will send you push notifications with flight status information, for example, changes to arrival and depar-ture times, gates, reminders. 

We use the Firebase Cloud Messaging service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for push notifications. In this process, a code is generated that is made up of the identifier of the app and your device identifier. This code is stored on our push platform with the settings you have selected, in order to provide you with the content of your requests accordingly. The legal basis of the data processing is Art. 6 Para. 1 S. 1 lit. a GDPR and is based on your voluntary consent for using the feature.

It is possible that data may be transmitted to non-EU countries when using Firebase Cloud Messaging. We have entered into an order pro-cessing contract with Google Ireland Ltd. for the use of Firebase Cloud Messaging. In the event that personal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing De-cision (EU) 2021/914, Module 3) in accordance with Art. 46 Para. 2 lit. GDPR. In addition, we also obtain your express consent for the transfer of your data to third countries in accordance with Art. 49 Para. 1 lit. a GDPR.

4.2. Purchases within the app

As part of our digital service, you can book services at Berlin Bran-denburg Airport for a fee. All information necessary to make the respective booking is requested in the booking form and the further input screens. The service type, the date of the service, the flight number (if applicable), your surname, first name and email address are collected. 

The legal basis for this data processing is Art. 6 Para. 1 S. 1 lit. b GDPR, as the data processing is necessary in order to fulfil the con-tract. 

For payment processing, we use the payment service provider Adyen (Adyen N.V., Simon Carmiggeltstraat 6-50, 1011 DJ, Amster-dam/Netherlands) for payments with credit cards and debit cards on the website, in the app and at the ticket kiosks. Furtherore, we use PayPal (PayPal (Europe) S.à.r.l. et Cie, S.C.A., (R.C.S. Luxembourg B 118 349), 22-24 Boulevard Royal, L-2449 Luxembourg) directly as a payment service provider for payments on the website and in the app. The respective payment service provider processes your pay-ment data and transmits the successful payment to us for a specific order.

If we process personal data in the context of in-app purchases, the data will be deleted after the expiration of the legal storage obliga-tions. Personal data of the purchaser is archived according to the stipulations of the Fiscal Code (AO) and is erased or anonymised af-ter expiry of the statutory storage regulations. You can delete per-sonalised data stored by you in the app itself by changing the app settings or by uninstalling the app.

4.3. Map, location and services via geofencing

You can view a map of the airport site and terminals in the app to help you find your way around our airport. We also offer you a location and route guidance feature on this map, if required. For this to work in the buildings, you will need to share your exact location on your device using Bluetooth or WiFi location services. We use the service providers POINT. Consulting GmbH, An der Alster 62, 20099 Hamburg and SITUM TECHNOLOGIES, S.L., Rúa do Restollal, nº 32, Edificio Paxonal, Planta 4, Of. 401, 15702 Santiago de Compostela, Spain.

The aforementioned data processing is carried out on the basis of our legitimate interest in accordance with Art. 6 Para. 1 lit. f GDPR. Access to and storage of information on the end device is absolutely necessary in these cases and is done based on the implementation laws of the EU member states’ ePrivacy Directive, in Germany in accordance with Section 25 Para. 2 Telecommunications-Telemedia Data Protection Act (TTDSG).

Furthermore, you have the option of receiving special up-to-date and local offers depending on your location in the airport, if you agree to the data processing that this entails. We use “geofencing” for this purpose – this is when the app recognises that you are entering a certain area using the location feature described above. For example, when you approach the Viewing Terrace, we can show you up-to-date admission prices and offers via the app. In this case, we may send you push notifications as described in section 4.1. The legal basis for sending push notifications based on the described geofencing is your consent in accordance with Art. 6 Para. 1 lit. a GDPR. Access to and storage of information on the end device is done based on the implementation laws of the EU member states’ ePrivacy Directive, in Germany in accordance with Section 25 Para. 1 Telecommunications-Telemedia Data Protection Act (TTDSG).

4.4. Saving flights in the calendar

You have the option to save flights in your device’s personal cal-endar. If you want to make full use of the calendar feature, your end device might request a corresponding authorisation, which you must grant for our app. However, we do not in any way ac-cess other calendar entries in your personal calendar.

The aforementioned data processing is carried out on the basis of our legitimate interest in accordance with Art. 6 Para. 1 lit. f GDPR. Access to and storage of information on the end device is absolutely necessary in these cases and is done based on the implementation laws of the EU member states’ ePrivacy Directive, in Germany in ac-cordance with Section 25 Para. 2 Telecommunications-Telemedia Data Protection Act (TTDSG).

4.5. Usage analysis

We use Google Analytics Firebase (hereinafter Google Firebase) to analyse the user behaviour of the app. The provider is Google Ire-land Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Firebase comprises various features, which enable us to analyse your in-app behaviour. This way we can, for example, analyse your screen calls, pressing of buttons, in-app purchases or the effectiveness of advertising measures. We can further de-termine which features are used frequently or rarely within our app. This helps to constantly improve the app and the service for you. Google Firebase stores, among others, the number and dura-tion of the sessions, operating systems, device models, region and a host of further data for these purposes. You will find a more detailed overview of the data recorded by Google Firebase at: support.google.com/firebase/answer/6318039?hl=de

The use of Google Firebase presumes, if applicable, the forward-ing of your personal data to the USA. 

Google Firebase is used in order to optimise this app and to im-prove our services. 

You can find further information relating to Google Firebase at: 

firebase.google.com 

www.firebase.com/terms/privacy-policy.html 

So that your personal data is protected, we have activated IP anonymisation for Google Firebase so that no complete IP ad-dresses are transmitted to the provider. Similarly, older visitor log files are deleted after 14 months at the latest. We do not use ad-vertising features, remarketing or cross-site tracking and have deactivated these. You can view and change your personal set-tings for this at any time in the system settings of your device. As an Android user, you can also make changes directly here in the BER app’s privacy policy under “User Analysis”. 

The legal basis for data processing is your consent in accordance with Art. 6 Para. 1 S. 1 lit. a GDPR, which you gave us at the be-ginning of using the app or at a later point in time. You can re-voke any consent given at all times with effect for the future. 

We have entered into an order processing contract with Google Ireland Ltd. for the use of Google Analytics. In the event that per-sonal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Mod-ule 3) in accordance with Art. 46 Para. 2 lit. GDPR. In addition, we also obtain your express consent for the transfer of your data to third countries in accordance with Art. 49 Para. 1 lit. a GDPR.

4.6. Crash reporting (additional features and contents)

We use Firebase Crashlytics for the purpose of crash reporting to ensure the stability of the application. The provider is Google Ire-land Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Firebase Crashlytics captures and sorts crash reports from the app.

The legal basis for the data processing is our legitimate interests according to Art. 6 Para. 1 S. 1 lit. f GDPR in being able to ensure the stability of the application. 

We have entered into an order processing contract with Google Ireland Ltd. for the use of Firebase Crashlytics. In the event that personal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) in accordance with Art. 46 Para. 2 lit. GDPR. 

4.7. Content Delivery Network

We use Amazon CloudFront, a content delivery network from Am-azon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, United States, and a content delivery network from Fastly, Inc. to make the operation of the App faster and more secure. 

In the course of using the content delivery networks, Amazon CloudFront and Fastly receive information about IP addresses and connection log data.

We have commissioned the company Digitas Pixelpark GmbH, Leibnizstraße 65, 10629 Berlin, with the use of this technology. 

The legal basis is Art. 6 Para. 1 lit. f GDPR, whereby our legitimate interest lies in ensuring the security and rapid accessibility of our app content.

Digitas Pixelpark has concluded an order processing agreement with Amazon Web Services, Inc. and Fastly, Inc. 

In the event that personal data is transferred to the USA or other third countries, standard contractual clauses (Implementing Deci-sion (EU) 2021/914, Module 2) have been concluded with Ama-zon Web Services, Inc. in accordance with Art. 46 Para. 2 lit. c GDPR.

4.8. Google Tag Manager (additional features and content)

The app uses Google Tag Manager, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is used to integrate and manage other tools for analytical purposes, such as Google Analytics.

The legal basis is Art. 6 Para. 1 lit. f GDPR, based on our legitimate interest in integrating and managing multiple tools.

Google Tag Manager itself does not store any personal data beyond merely establishing the connection.

We have concluded an order processing agreement with Google Ireland Limited. In the event that personal data is transferred from Google Ireland Limited to the USA or other third countries, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) in accordance with Art. 46 Para. 2 lit. GDPR.

For more information, see Google’s information on Tag Manager:

https://support.google.com/tagmanager/answer/6102821">support.google.com/tagmanager/answer/6102821

The data we collect will only be disclosed if there is a legal basis for this under data protection law in the specific case, in particu-lar if:

• you have given your explicit consent in accordance with Art. 6 Para. 1 lit. a GDPR,
  
• disclosure is necessary to assert, exercise or defend legal claims in accordance with Art. 6 Para. 1 lit. f GDPR and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data,
• we are legally obliged to disclose data in accordance with Art. 6 Para. 1 lit. c GDPR, in particular if this is necessary for prosecution or law enforcement based on official re-quests, court orders or legal proceedings or
• this is permitted by law and necessary in accordance with Art. 6 Para. 1 lit. b GDPR for processing contractual rela-tionships with you or for implementing pre-contractual measures that take place at your request.

Part of the data processing may be carried out by our service pro-viders. In addition to the service providers mentioned in this pri-vacy policy, this may include, in particular, data centres that store our website and databases, software providers, IT service provid-ers that maintain our systems, agencies, market research compa-nies, group companies and consulting companies. If we pass on data to our service providers, they may only use the data to fulfil their tasks. Service providers have been carefully selected and commissioned by us. They are contractually bound by our in-structions, have appropriate technical and organisational measures in place to protect the rights of data subjects and are regularly monitored by us.

As explained in this privacy policy, we use services whose provid-ers are partly located in “third countries” (outside the European Union or the European Economic Area) or process personal data there, meaning countries whose level of data protection does not correspond to that of the European Union. If this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate precautions to ensure an adequate level of data privacy for any data transmissions. These include, among others, the standard contractual clauses of the European Union or binding internal data privacy regulations.

Where this is not possible, we base data transmission on the ex-ceptions set out in Art. 49 GDPR, notably your explicit consent or the necessity of the transmission for contract performance or for executing pre-contractual measures.

If third-country transfer is intended and there is no adequacy decision or suitable security, it is possible and there is a risk that authorities in the respective third country (e.g., intelligence ser-vices) may gain access to the transmitted data to collect and ana-lyse it and that enforceability of your rights as data subject can-not be guaranteed. You also will be informed of this via a consent banner when obtaining your consent.

You can access the user settings for this app via the settings in the BER app and change them at any time with regard to the use of spe-cial functionalities and associated data processing, or uninstall the entire app. In particular, you can revoke any consent given by switching off the corresponding functionalities in the user settings, depending on the operating system of your device, or by deactivat-ing the radio button at the end of this declaration.

You also have the right to revoke any consent given to us at any time. As a result, this means that we will no longer be allowed to continue processing data based on this consent in the future. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revoca-tion.

If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If it con-cerns objecting to data processing for direct marketing purpos-es, you have a general right of objection, which will also be im-plemented by us without giving reasons.

If you would like to exercise your right to revocation or objec-tion, simply send an informal message to the contact details above. 

However, since the processing of personal data and devices gen-erally takes place in the app and the connected services, we are generally unable to influence this individually. Therefore, you must deactivate the corresponding features in the app or in the device settings or uninstall the app to prevent the data pro-cessing described in this data privacy policy.

You have the right to complain to a a data protection supervisory authority. The competent supervisory authority in Brandenburg (our registered office) is: State Commissioner for Data Protection and Inspection of Files, Alt-Stahnsdorfer Damm 77, 14532 Klein-machnow.

You also have the following rights: 

• right of access to your personal data processed by us (Art. 15 GDPR);
• right to rectification of your personal data stored by us that is incorrect (Art. 16 GDPR);
• right to deletion of your personal data (Art. 17 GDPR);
• right to restriction of the processing of your personal data (Art. 18 GDPR);
• right to data portability of your personal data (Art. 20 GDPR).

Your enquiries will generally be stored for documentation purposes for a period of three years and, in individual cases, for asserting, exercising or defending legal claims even beyond this period. The legal basis is Art. 6 Para. 1 lit. f GDPR, based on our interest in de-fending against any civil claims in accordance with Art. 82 GDPR, avoiding fines in accordance with Art. 83 GDPR and fulfilling our accountability obligations in accordance with Art. 5 Para. 2 GDPR.

If you have any questions and suggestions regarding data protec-tion, you can also contact our company Data Protection Officer at any time. Send an appropriate message about this to us at:

Flughafen Berlin Brandenburg GmbH

Group Data Protection Officer

12521 Berlin

Berlin, July 2023 (v14)