Data protection notice for the MUNICH 2022 application

Welcome to the European Championships 2022 (hereafter "Munich 2022", "we" or "us"). We are the biggest multi-sport event to take place in Germany since the 1972 Olympic Games.

This is to inform you about the purpose and the legal basis on which we process your personal data, how long we retain it, and what rights you have with regards to this data processing if you use the MUNICH 2022 application (hereafter "App").

Please take the time to read and review our privacy notice. It contains important information about how we handle your personal data.

Who is responsible for processing your personal data?

Your data will be processed according to of Art. 4 No. 7 GDPR by Olympiapark München GmbH, Spiridon-Louis-Ring 21 in 80809 Munich, phone +49 89 3067-0, fax +49 89 3067-3333, info@olympiapark.de .

Who can you contact if you have questions about the processing of your personal data, or if you believe that the processing of your data by Munich 2022 violates data protection laws?

If you believe that the processing of your personal data by us violates data protection laws and would like to know about our processing of your personal data in detail, you can contact us at privacy@munich2022.com.

Why do we inform you about the processing of your personal data?

The protection of your personal data is your fundamental right. Since your personal data is subject to data protection, we may only process your personal data if we are legally permitted to do so. The European General Data Protection Regulation (hereafter referred to as "GDPR") provides such legal permission, and our processes and procedures follow the data protection requirements of the GDPR. Among other things, it requires us to inform you which personal data we process, for what purpose, and for how long we do so.

What is personal data?

According to Art. 4 No. 1 GDPR, personal data is all personal information about you; everything that relates to you and makes you identifiable. Examples are your first and last names and email addresses, as well as usage data (such as your IP address), and usage behaviour (such as information about the time of app use, the app version you used, and other data generated while using the app).

Content of this notice

Whenever we use the term "data" in this notice, it refers exclusively to personal data according to the definition of the GDPR.

What data do we process when you use our app?

Whenever you use our app, we will process your data to furnish you with organisational information about all of the sports and festival events of the European Championships Munich 2022, the accompanying festival "The Roof" (hereafter referred to as "events"), as well as our multimedia offerings, including live blogs, live updates, pictures and videos of the events.

Our app is not intended for persons under the age of 18. We ask that persons under the age of 18 do not provide us with any personal data. If we learn that we have collected personal data from persons under the age of 18, we will take steps to delete the data as soon as possible. In order to use the app, you must register and provide us with specific information.

The use of the app is generally possible without providing personal data, i.e., it is not necessary to provide us with personal data in order to use the majority of the app.

However, we do need to process your IP address briefly to enable you to use our app. The IP address, also known as the internet protocol address, is a network computer address, with which app servers or individual devices can be addressed and reached. In order for the data packets that make up our app to be assembled and displayed on your device, two IP addresses are required: yours and ours.

Server log data

In order for our app server to meet your data request, it must process your IP address. When you use our app, it automatically collects data and information from your device, which means data is processed. This data is usually automatically stored in a log file. This data is not linked with other personal data. The following data is stored in log files:

  • Public IP address of the internet access point
  • Date and time of access
  • Operating system used
  • Type and (OS) version of the device
  • Protocol used
  • Language used
  • http status (return code)
  • Amount of data in bytes

The storage period of the log files is 24 hours at most, unless there is suspicion of misuse or a system security error.

Purpose and legal basis

Your data is processed in log files to ensure the functionality of our app. In addition, we use your data to optimise the app and to ensure the necessary stability and security of our information technology systems. We do not evaluate your data for marketing purposes. However, we do regularly evaluate these server logs – anonymously – for statistical purposes. The data contained is not personally linked to you. The statistical purposes are the basis of our legitimate interest for processing your data. The legal basis for the temporary storage of your data and the creation of log files is Art. 6 para. 1 lit. f GDPR.

The collection and processing of this data in log files in order to provide you with this app is mandatory for its operation. Consequently, you do not have the right to object.

Registration as requirements for app use

If you would like to use our app, we offer you the option of registering. To register, we require your email address to be able to send you a user PIN, which in turn you can use to log in to your newly created user account. Each time you log out, you must request a new user PIN for your account.

Registration is not possible without providing the requested information. You can use our app without registering.

Purpose and legal basis

We collect, or process, the email address you provided during registration on the basis of your consent pursuant to Art. 6 para. 1 sentence 1 lit. a, Art. 4 No. 11 in conjunction with Art. 7 GDPR. You have the right to revoke your consent in accordance with Art. 7 (3) GDPR in perpetuity without giving cause. A simple notification to us is sufficient. After you revoke your consent, your email address and with it your app user account will be deleted.

Provision of a user account

After you register, we provide you with a personal user account. In your user account, you can use the favourites function to create your personal program and follow selected content.

Purpose and legal basis

In connection with providing, you with a user account, we process your data on the basis of the contract you entered into with us. The legal basis for this is Art. 6 para. 1 lit. b GDPR in conjunction with the terms of use, which can be accessed here.

App Permissions

Apps are usually applications separate from the operating system. Depending on the operating system used (iOS or Android), our app uses the app permissions or access rights shown here. With the help of these permissions, the app can also access functions and data that are located outside of the app environment itself.

OS Permissions

The permissions described below are used by iOS and Android operating systems:

iOS

  • Push Notifications: Allows our app to receive push notifications. The required consent is obtained via the operating system. Receiving push notifications can be disabled in the app settings.
  • Permission-to-Track: In addition to the Consent Management Platform (hereafter referred to as "CMP"), Apple requires another permission request based on the App Tracking Transparency Framework. This is mandatory for all app operators whose apps are offered in the Apple Store. No tracking tools are activated in our app. Therefore, consent is neither required nor requested.
  • In addition, we require further system-relevant authorisations. These are necessary for the operation of the app but do not process any personal data (such as displaying the network or Wi-Fi status, or permission to establish an internet connection).

Android

  • Push Notifications: Allows our application to receive push notifications. It also includes the receipt of "Cloud 2 Device" notifications sent by the corresponding services of Firebase Cloud Messaging, Amazon Device Messaging, or Huawei Push Kit. Push notification consent is given by installing our app, or by making an explicit request within the app itself. Push notifications can be deactivated at any time in the app settings.
  • In addition, we require other system-relevant permissions. These are mandatory for the operation of the Android app, but do not process personal data (such as displaying network and wifi status, internet access, vibration control, disabling standby mode, using power manager wake locks to prevent sleep mode or screen dimming, automatic start-up after booting, determining whether the device has been fully started, and the ability to display system windows.
  • The system-relevant permissions are listed in the Android/Google Playstore.

Other app permissions

In addition, software development kits, so-called SDKs, can request further permissions while the app is in use. A software development kit is integrated by third-party software. Embedded software may also request the following permissions (depending on the operating system used):

  • Camera and/or photo library access: For use of the selfie camera integrated in the app, which you can access via Browse >> Selfie Camera;
  • Calendar functions access: to save event dates in your calendar;
  • Contacts access: To save contact details pertaining to our partners which you can access via Browse >> Partners in your address book;
  • Geo-location access: To navigate between and within the event locations using the interactive map.

The use of these permissions is not currently active. If a third-party software requests access one of the above, it will be displayed as a separate permission request (pop-up) via your mobile operating system. You can object to this authorisation request at any time.

Managing permissions

You can view, change, restrict or deactivate the app permissions at any time via your device settings, depending on your operating system.

iOS

Settings > Privacy > Select service (location services, contacts, calendars, photos and camera) à Remove authorisation for the Munich 2022 by using the slider.

Android

Settings >> Apps / Application Manager >> App selection à Reset individual permissions by switch

Please note that you will generally find the settings for your device in Android operating systems under the path specified above. However, this may differ in individual cases, depending on the manufacturer.

Please also note that if app permissions are disabled, it may no longer be possible to use all of the app's functions or even the app itself.

Purpose and legal basis

Your data is processed on the basis of your consent. This takes effect when you open the app for the first time (iOS), and/or operating system authorisation (iOS and Android), or by downloading our app (Android), or, in the case of a previously exercised objection, when consent is given again (regardless of the operating system). The legal basis for this is Art. 6 para. 1 sentence 1 lit. a, Art. 4 No. 11 in conjunction with Art. 7 GDPR. You have the right to revoke your consent in accordance with Art. 7 para. 3 GDPR in perpetuity without giving cause by changing the relevant settings in your mobile operating system settings.

If authorisation is required for app operation, your data is processed on the basis of our legitimate interest for this specific purpose. Technical permissions are needed to ensure the functionality of the app. This is also in our legitimate interest in data processing. The legal basis for this is Art. 6 para. 1 lit. f GDPR.

General information on services used

Certain services are indispensable for the use of our app. Our service providers process your personal data on our behalf and according to our instructions within the European Union (EU), unless expressly described otherwise in this data protection notice. The data will not be used independently or passed on to third parties.

We have negotiated standard EU contractual clauses with non-European providers. We would like to point out that these providers therefore have to comply with the data protection standards of the EU, so that there is an appropriate level of protection for your personal data under data protection law.

Services used by Amazon Web Services EMEA SARL

For the services described below, we use the offer and services of Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg (hereafter referred to as "AWS").

Hosting

We use AWS Cloud service for the hosting and technical deployment of our app. You can find more information about AWS Cloud here. AWS Cloud processes your data on certified data centres in Frankfurt am Main.

Content Delivery Network

To optimise the media files loading speed in our app, we use Amazon CloudFront. Amazon CloudFront (hereafter referred to as "CloudFront") is a so-called "Content Delivery Network" (hereafter referred to as "CDN"). The CDN enables us to significantly reduce the loading time of app content by sending our video and image media files from a faster server (as compared to the app server). This also serves to ensure that our app runs stable. You can find more information about CloudFront here.

We use the AWS Cloud and AWS CloudFront services on the basis of our legitimate interest as described in each case. The legal basis for this is Art. 6 para. 1 lit. f GDPR. The processing of your data is mandatory for the app operation. Consequently, you do not have the right to object.

Sending push notifications

The Simple Notification Service (hereafter referred to as referred to as "Amazon SNS" or "SNS") is used to send push notifications within the app, both with the Android and iOS operating systems. You can find more information about the working environment of SNS here.

We offer you the option of customising push notifications individually in your app settings in the Android version. In the iOS version, the push notifications pop-up shows when you open the app for the first time.

In order to provide SNS, Amazon processes the following information:

  • Push token (provider device ID: APNs, FCM, WNS, etc.),
  • Hardware ID (which may contain one of the following: IDFA / IDFV (iOS), Android ID, Registration ID, user generated identifier for the device)
  • System language of the unit to support the multi-language function
  • The time zone of the unit to support the "Send by Time Zone" function
  • Device model
  • Application version
  • Operating system and version
  • IP address (anonymised at country level) for the last device connection to the SNS service

A so-called geolocation, i.e. the assignment of an IP address, takes place exclusively on the basis of the anonymised IP address and only up to the geographical level of the country. Under no circumstances can deductions be made about the specific location of a user from the information obtained in this way. The IP address is not stored.

Depending on your operating system, the push notifications are sent via the following functions:

  • Google Play Services (GCM, Location) - used on Android. Data transmission: (Anonymised IP address, device type operating system and version, language device ID, application version)
  • Amazon Device Messaging (GCM, Location) - used on Android. Data transmission:
  • (Anonymised IP address, device type operating system and version, language registration ID, application version)
  • Hauwei Push Kit (GCM, Location) - used on Android. Data transmission:
  • (Anonymised IP address, device type operating system and version, language device ID → the token is determined via the Application Associated ID (AAID), application version)
  • Apple Push Notification Service - used on iOS. Data transmission: (Anonymised IP address, device type, operating system and version, language device ID, application version)

If you withdraw your consent to receive push notifications, your data will be removed from the system after two working days.

We process your data on the basis of your consent pursuant to Art. 6 para. 1 sentence 1 lit. a, Art. 4 item 11 in conjunction with Art. 7 GDPR. You have the right to revoke your data processing consent, in particular its use for the sending of push notifications by AWS (in accordance with Art. 7 (3) GDPR) in perpetuity without stating cause, by selecting the "Settings" item in the app menu and setting the slider accordingly.

Services used by Google Ireland Limited

For the services described below, we use the offers and services of Google Ireland Limited, based in Google Building Gordon House, 4 Barrow St in Dublin, D04 E5W5, Ireland (hereafter referred to as "Google").

Google Maps

In our App you can access an interactive map with event venues. To provide the map, we use the SDK for the Google map service. Further information on the Google map service can be found here.

Google Firebase Cloud Messaging

We use FCM as an integral part of our app infrastructure which means it cannot be disabled, since it enables us to deliver push messages. For this purpose, the following device data is processed: Type of device, operating system and version, language settings, device ID, and app version. The data is processed anonymously, so that you cannot be traced or identified. FCM uses an anonymised IP address. The anonymisation remains exclusively within the EU or EEA. The data provided by your device within FCM is not merged with other Google data.

You can find information about how FCM works here.

We use FCM to deliver push messages. on the basis of our legitimate interest. The legal basis for this is Art. 6 para. 1 lit. f GDPR. The processing of your data is necessary for the delivery of the messages. Consequently, you do not have the right to object However, we offer you the possibility to adjust the individual permissions for push messages in the app settings, (for example to activate or deactivate them), as described above. If you deactivate push messages, you also deactivate the use of FCM.

You can view, change, restrict and/or deactivate the user ID at any time via your device settings as follows: Settings >> Google >> Ads à Reset Ad ID

Interactive map

The app also gives you access to an interactive map with the relevant event locations. To provide the map, we use the SDK for the Google map service or Apple Maps (MapKit). Further information on the Google map service can be found here. Information on Apple Maps is available here.

What rights do you have?

You have the right to request confirmation as to whether we are processing data relating to you, information about this data, and further information in accordance with Art. 15 GDPR.

In accordance with Art. 16 GDPR, you have the right to request that the data concerning you be supplemented or that incorrect data concerning you be corrected.

In accordance with Article 17 of the GDPR, you have the right to demand that data relating to you be deleted without delay or, alternatively, to demand restriction of the processing of your data in accordance with Article 18 of the GDPR.

You have the right to request that the data you provided be transferred in accordance with Article 20 of the GDPR, as well as the right to request a transfer to other data controllers.

In accordance with Art. 7 (3) GDPR, you have the right to revoke any consent you have given at any time without giving cause, in perpetuity. If you revoke your consent, we may not continue future data processing based on this consent. Please send any revocation to privacy@munich2022.com .

If we process your data on the basis of legitimate interests in accordance with Art. 6 (1) f GDPR, you may object to the future processing of your data at any time in accordance with Art. 21 GDPR, provided that there is cause respective to your particular situation. However, we cannot always comply with your objection, e.g. if legal provisions oblige us to process the data.

If your objection is directed against direct advertising, you have a general right to object. In this case, we will implement your right to object without you having to provide specific cause. Please send your objection to privacy@munich2022.com .

If you believe that we have not complied with data protection regulations when processing your data, you can contact the competent supervisory authority with a complaint in accordance with Art. 77 GDPR.

The authority responsible for us is the Bavarian State Commissioner for Data Protection (BayLfD). However, you can also contact the regulatory body of your usual place of residence or workplace.

You can reach the BayLfD at the following postal address Wagmüllerstr. 18 in 80538 Munich, by telephone on +49 (0) 89 3136730 or at https://www.datenschutz-bayern.de.

Last updated 09-08-2022