Data privacy

Table of Contents

Responsible Persons

GOLDEN PANDA PICTURES GmbH
Loredana Rehekampff, Josef Brandmaier
Rupertusplatz 1/4
A-1170 Vienna

Authorized Representatives:

Loredana Rehekampff, Josef Brandmaier

Email Address:

office@goldenpandapictures.com

Applicable Legal Basis

Relevant Legal Basis according to GDPR: Below is an overview of the legal basis of the GDPR on which we process personal data. Please note that in addition to the GDPR, national data protection regulations may apply in your or our country of residence. If specific legal bases are also relevant in individual cases, we will inform you of these in the privacy policy.

Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - Processing is necessary to protect the legitimate interests of the controller or a third party, provided that these interests do not outweigh the interests or fundamental rights and freedoms of the data subject, which require protection of personal data.

National Data Protection Regulations in Austria: In addition to the GDPR, national data protection regulations apply in Austria. This includes, in particular, the Federal Act for the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act – DSG). The Data Protection Act contains specific regulations on the right to information, the right to rectification or deletion, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases.

Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing, referring to the affected persons.

Types of Processed Data

  • IP Address.
  • Access Date and Time.
  • Access Method, Protocol, and Requested File Path.
  • Server Return Code.
  • Number of Bytes in the Response.
  • Domain Name of the Requested Page.
  • Browser Identification String.

Categories of Affected Persons

  • Users.

Purposes of Processing

  • Security Measures.
  • Provision of our Online Offer and User-Friendliness.
  • Information Technology Infrastructure.

Security Measures

We take appropriate technical and organizational measures, in accordance with the legal requirements, taking into account the state of technology, implementation costs, and the type, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.

These measures include, in particular, securing the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data and access to the data itself, entry, transmission, ensuring availability, and separation. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, data deletion, and response to data threats. Additionally, we consider the protection of personal data already in the development or selection of hardware, software, and processes according to the principle of data protection through technology design and through privacy-friendly default settings.

TLS Encryption (https): To protect your data transmitted via our online offering, we use TLS encryption. You can recognize encrypted connections by the prefix https:// in the address bar of your browser.

Data Deletion

The data we process will be deleted in accordance with legal requirements as soon as the permissions granted for processing are revoked or other permissions cease to apply (e.g., if the purpose of processing this data ceases to exist or if they are not required for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted to these purposes. That is, the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise, or defense of legal claims or to protect the rights of another natural or legal person.

Our data protection notices may also contain additional information on the storage and deletion of data, which primarily apply to the respective processing activities.

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, particularly from Art. 15 to 21 GDPR:

  • Right to Object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you, based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is associated with such direct marketing.
  • Right to Withdraw Consent: You have the right to withdraw your consent at any time.
  • Right of Access: You have the right to request confirmation as to whether data concerning you is being processed, as well as information about this data and a copy of the data in accordance with the legal requirements.
  • Right to Rectification: You have the right, under the legal requirements, to request the completion of data concerning you or the correction of incorrect data concerning you.
  • Right to Erasure and Restriction of Processing: You have the right, under the legal requirements, to request that data concerning you be deleted without delay or alternatively to request a restriction of the processing of the data in accordance with the legal requirements.
  • Right to Data Portability: You have the right to receive data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format or to request the transmission to another controller.
  • Right to Complain to a Supervisory Authority: You have the right, without prejudice to any other administrative or judicial remedy, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, workplace, or the location of the alleged infringement if you believe that the processing of personal data concerning you infringes the GDPR.

Provision of the Online Offer and Web Hosting

We process the users' data to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the content and functions of our online services to the users' browser or end device.

  • Types of Processed Data: Usage data (e.g., visited websites, access times); meta-, communication, and procedural data (e.g., IP addresses, time data, identification numbers, consent status).
  • Data Subjects: Users (e.g., website visitors).
  • Purposes of Processing: Provision of our online offer and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures.
  • Legal Basis: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Information on Processing Procedures, Methods, and Services:

  • Provision of Online Offering on Rented Storage Space: To provide our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a relevant server provider (also called a "web host"); Legal Basis: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Collection of Access Data and Log Files: Access to our online offer is logged in the form of so-called "server log files." The server log files may include the address and name of the accessed websites and files, date and time of access, transmitted data volumes, messages about successful retrieval, browser type and version, user's operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. Server log files can be used for security purposes, e.g., to prevent server overloads (particularly in the case of abusive attacks, so-called DDoS attacks) and to ensure server stability; Legal Basis: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Data Deletion: Log file information is stored for a maximum of 14 days and then deleted. Data required for evidence purposes are exempt from deletion until the respective incident is finally clarified.

Presence on Social Networks (Social Media)

We maintain online presences within social networks and process users' data within this context to communicate with the active users there or to offer information about us.

We point out that users' data may be processed outside the European Union in this context. This may entail risks for users, as it may make it more difficult to enforce users' rights.

Furthermore, users' data within social networks are typically processed for market research and advertising purposes. For example, usage profiles can be created based on users' behavior and interests. These usage profiles can, in turn, be used to display advertisements within and outside the networks that presumably correspond to users' interests. Cookies are generally stored on the users' devices for these purposes, in which users' usage behavior and interests are stored. Moreover, data can also be stored in the usage profiles, regardless of the devices used by users (especially if the users are members of the respective platforms and are logged in).

For a detailed description of the respective forms of processing and the opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.

Even in the case of requests for information and the assertion of data subject rights, we note that these are best enforced with the providers. Only the providers have access to the users' data and can directly take appropriate measures and provide information. If you still need assistance, you can contact us.

  • Types of Processed Data: Contact data (e.g., email, phone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta-, communication, and procedural data (e.g., IP addresses, time data, identification numbers, consent status).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Contact requests and communication; feedback (e.g., collecting feedback via online forms); marketing.
  • Legal Basis: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further Information on Processing Procedures, Methods, and Services:

  • Instagram: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/­about/­legal/­privacy.
  • Facebook Pages: Profiles within the social network Facebook - We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data of visitors to our Facebook page (so-called "fan page"). This data includes information about the types of content users view or interact with, or the actions they take (see "Things done and provided by you and others" in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see "Device Information" in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, known as "Page Insights," to page operators to help them understand how people interact with their pages and with content associated with them. We have entered into a specific agreement with Facebook ("Page Insights Information," https://www.facebook.com/­legal/­terms/­page_­controller_­addendum), which specifically regulates which security measures Facebook must observe and in which Facebook agrees to fulfill the rights of data subjects (i.e., users can, for example, make inquiries or deletion requests directly to Facebook). The rights of users (in particular, to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by agreements with Facebook. Further information can be found in the "Page Insights Information" (https://www.facebook.com/­legal/­terms/­information_­about_­page_­insights_­data); Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/­privacy; Standard Contractual Clauses (Guaranteeing Data Protection Level when Processing in Third Countries): https://www.facebook.com/legal/­EU_data_transfer_addendum; Further Information: Joint Responsibility Agreement: https://www.facebook.com/­legal/­terms/­information_­about_­page_­insights_­data. Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which especially includes the transmission of data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).

Amendment and Update of Privacy Policy

We ask you to regularly inform yourself about the content of our privacy policy. We adjust the privacy policy as soon as changes in the data processing we carry out make this necessary. We will inform you as soon as any changes require your participation (e.g., consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and check the information before contacting them.

Definitions

This section provides an overview of the terminology used in this privacy policy. Where terms are legally defined, their legal definitions apply. The following explanations are primarily intended to aid understanding.

  • Personal Data: "Personal data" refers to any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); a natural person is considered identifiable if they can be identified directly or indirectly, in particular by assigning them to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or one or more special characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of this natural person.
  • Controller: "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: "Processing" refers to any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, whether collecting, evaluating, storing, transmitting, or deleting.

As of: November 2024