Privacy Policy

Privacy Policy for the website

(Revised: June 2020)

Welcome to the website of Arena Berlin Betriebs GmbH (hereafter “Arena”, “we”, “us”). Of course protecting your personal data and fair and transparent data processing is a key concern of ours. In the following we would like to provide you with information regarding the processing of personal data in connection with the use of the website.

1. Who is the responsible for data processing (the data “controller”)?

The controller is:

Arena Berlin Betriebs GmbH
Eichenstrasse 4
12435 Berlin


2. How do I contact the Data Protection Officer?

The contact details of the Data Protection Officer of the controller are:

Arena Berlin Betriebs GmbH
Eichenstrasse 4
12435 Berlin


3. What are the purposes and legal basis on which we process personal data?

When you visit our website or contact us in a different way, we receive personal data from you.

3.1 In general:

We generally process personal data based on the following legal bases:

  • If you give us your explicit consent on the basis of Article 6(1)(1)(a) GDPR, e.g. if you would like us to contact you directly or receive personalised promotional offers tailored to your individual interests.
  • To fulfil our contractual obligations on the basis of Article 6(1)(1)(b) GDPR.
  • As a company, we are subject to various legal obligations and therefore may process personal data on the basis of Article 6(1)(1)(c) GDPR. For example, under tax law and commercial law we have a duty to retain certain documents.
  • In addition, we may process personal data based on a legitimate interest by us or by a third party (Article 6(1)(1)(f) GDPR). This includes processing data for direct marketing purposes, IT security and combatting fraud.

3.2 Data processing in connection with our website

3.2.1 Visiting the website

If you are using the website for purely informational purposes, i.e. if you do not actively send us information, we basically do not collect any personal data apart from the data your browser automatically sends to enable you to visit the website. This includes, for example:

  • IP-address of the computer making the request for access,
  • The date and time of access,
  • The amount of data transferred.

We cannot generally assign these data to specific individuals. This data processing is only for the purpose of enabling the use of the website (setting up da connection). Where any personal data is involved when the data listed above is processed, this is on the basis of point (f) of Article 6(1) GDPR (legitimate interest; the legitimate interest is derived from the purpose stated above).

3.2.2 Contacting us

You can direct questions to us and send us messages via our e-mail address or by telephone. If you do, your personal data transmitted in this context (e.g. e-mail address, phone number, date and time of the request) will be transferred to us. We process such personal data basically only to get in touch with you in the way you want and to answer your inquiry.

The legal basis for the processing of this personal data is, depending on the individual case, Article 6(1)(1)(a) GDPR (consent) or Article 6(1)(1)(f) GDPR (legitimate interests; the legitimate interest arises from the fact that only by appropriate processing of the data can the action requested by the user, e.g. answering enquiries, be carried out). If the purpose of the contact is the conclusion of a contract, Article 6(1)(1)(b) GDPR (fulfilment of contract or pre-contractual measures) may also be the legal basis for the corresponding processing.

Further information on data processing when concluding contracts of use can be found here.

3.2.3 Applications

You can apply to work at our company electronically, in particular by e-mail at We will of course only use your details to process your application and will not pass it on to third parties. Further information on data protection regarding the processing of personal data in connection with job applications can be found here or on our careers page at

3.2.4     Ticket Shop Badeschiff          Scope of processing of personal data

To process your order of tickets for the Badeschiff, we work together with the contract processor pretix / software development. Here, pretix / Software Development provides the technical infrastructure for processing online orders for our locations and events. In addition, your orders are processed here in order to send an invoice for your order, assign payment information (turnover data in payment transactions), send you a voucher and the paid goods if required.

The following personal data is processed by the pretix / software development:

  • Personal data (name, first name, postal address, billing address, e-mail address, IP address)
  • Bank details, invoice number, payment amount, date of receipt

Further information on the processing of data by pretix / software development can be found here.          Purpose of data processing

Your personal data is collected in order to meet the current requirements of the Berlin state government and to be able to trace potential chains of infection. In addition, we would like to ensure a secure sale and contact-free handling of the booking process for our events.

Furthermore, your personal data will be processed:

  • for the establishment, implementation, support and termination of the contractual relationship;
  • for the fulfilment and achievement of the owed performance success, which refers both to the main performance obligation and to contractual secondary obligations which are connected with the main performance;
  • to be able to advise you as our customers and interested parties;
  • for correspondence with you;
  • for invoicing;
  • for contacting you and processing vouchers for your voluntary use of the waiting list;
  • to handle any liability claims that may exist and to assert any claims;
  • for sending information regarding Arena Berlin Betriebs GmbH locations and events.          Legal basis for the processing of personal data

The processing of your personal data with you as a natural person (“B2C”) is carried out for the preparation, implementation, handling, booking and dispatch of our services on the basis of Art. 6(1)(1)(b) GDPR.

The processing of personal data within the framework of a business relationship (“B2B”) is based on Art. 6(1)(1)(f) GDPR. The legitimate interests here lie in the preparation, implementation, handling, support and termination of the (pre-)contractual contractual relationship.

Your contact information on the traceability of infection chains is processed on the basis of Art. 6(1)(1)(c) GDPR in conjunction with Art. 2(1)(1) no. 8 of the Ninth Ordinance amending the SARS Cov-2 Containment Measures Ordinance of 28 May 2020.         Recipients or categories of personal data

The personal data will be processed by our order processor pretix / Softwareentwicklung within the scope of the booking. The payment can be made via the respective payment service providers such as PayPal or Stripe.

If you pay with PayPal, payment-relevant metadata will be transferred to PayPal. For more information about the processing of data by PayPal, please click here to view PayPal’s privacy policy.

If you pay by credit card, your credit card details are transferred directly to the payment service provider Stripe. Click here  to view Stripe’s privacy policy.          Duration of storage

We do not store your personal data for longer than is necessary for the purpose for which it was collected. This means that data in our systems is destroyed or deleted as soon as the ticket sale has been completed and no legal retention period precludes deletion. Appropriate measures are taken by Arena Berlin Betriebs GmbH to ensure that your personal data is only processed under the following conditions:

  1. for the period of time for which the data is used to provide you with a service
  2. as required by applicable law, contract or in relation to our legal obligations,
  3. only for as long as is necessary for the purpose for which the data were collected, or longer if required by contract, applicable law, with the application of appropriate safeguards.

If the data are no longer required for the fulfilment of contractual or legal obligations, they are regularly deleted, unless their – temporary – storage is still necessary, in particular for the fulfilment of legal retention periods of up to ten years (including those from the German Commercial Code, the German Fiscal Code and the Money Laundering Act).          Transmission of personal data

Your personal data will not be transferred to third countries or international organisations, and there are no plans to transfer them in the future.          Rights of data subjects

According to the basic data protection regulation you are entitled to the following rights:

If your personal data are processed, you have the right to obtain information from the person responsible about the data stored about you (Art. 15 GDPR).

If incorrect personal data are processed, you have the right to have them corrected (Art. 16 GDPR).

If the legal requirements are met, you can demand the deletion or restriction of the processing and object to the processing (Art. 17, 18 and 21 GDPR).

If you have consented to data processing or a contract for data processing exists and data processing is carried out using automated procedures, you may be entitled to data transferability (Art. 20 GDPR).

You also have a right of appeal to a supervisory authority (Art. 77 GDPR).

3.2.5    Urban Sports Club

As part of our cooperation with the Urban Sports Club (Urban Sports GmbH, Michaelkirchstraße 20, 10179 Berlin, hereinafter: “USC”), members of USC can visit our Badeschiff.

USC provides us with the technical infrastructure for processing reservations and check-ins via its service provider Fitogram GmbH, Probsteigasse 15-17, 50670 Cologne.

We can only see which USC members have reserved and checked into which time slots with us via this provider. We only see the names of these people. The purpose is to fulfill our contractual obligations with USC to enable its members to stay with us. This is also our legitimate interest, the legal basis for which is Article 6(1)(f) GDPR. This personal data will not be stored by us, otherwise processed or passed on to third parties. USC is therefore responsible for claims for deletion, correction or restriction of this data. We do not process data in a third country.

Further information on the processing of data by USC can be found here: 

4. Are my data transmitted to third parties?

As a matter of principle, we do not pass on your personal data to third parties, unless otherwise stated in this information on data protection.

We may use (technical) service providers who process your personal data on our behalf (e.g. hosting providers). These service providers process the data exclusively in accordance with our instructions (processors). The legal basis for such data processing is Art. 28 GDPR (commissioned processing) as a rule in conjunction with Article 6(1)(1)(b) GDPR (fulfilment of contract or pre-contractual measures) or Article 6(1)(1)(f) GDPR (legitimate interests).

We may pass on your personal data to third parties if we are legally obliged to do so (e.g. at the request of a court or a criminal prosecution authority). The legal basis for such processing is Article 6(1)(1)(c) GDPR (legal obligation).

5. How long are my data stored?

Except where another retention period is set in the other provisions of this Privacy Policy, we only store the personal data acquired by us in connection with the use of the website as long as this is necessary to process your concerns and/or requests to us and then only to the extent required under our legal obligations to retain data. Where we no longer need your data for the purposes described above, they shall only be stored and not processed for any other purposes during the retention period stipulated by law.

6. What are my rights and how can I pursue them?

You have the following rights with regard to us with respect to the personal data concerning you:

6.1 In general

You have the right to request information from us at any time about the personal data we have stored about you. If the legal requirements are met, you also have the right to correct, delete or restrict the processing of the relevant data, to object to the processing of your data by us (see also 6.2) and to receive from us the personal data relating to you which you have provided in a structured, common and machine-readible format (you can transmit this data or have it transmitted elsewhere).

If you have given your consent to the use of personal data, you can revoke this consent at any time for the future.

6.2 Right of objection

Insofar as we base the processing of your personal data on legitimate interests (Article 6(1)(1)(f) GDPR), you may object to such processing. If you do so, please explain the reasons why we should not process your personal data as we have done. In the event of your objection, we will examine the facts of the case and will either stop or adapt the data processing or show you our compelling reasons for continuing the processing that are worthy of protection.

Of course, you can object to the processing of your personal data for direct marketing purposes at any time.

6.3 Right to lodge a complaint with a supervisory authority

You also have the right to complain to a (competent) data protection supervisory authority about the processing of your personal data.

7. Data Security

Arena uses the latest technical measures to ensure data security (e.g. SLL encryption), particularly to protect your personal data against risks when data are transmitted and against detection by third parties. These measures are adjusted to reflect the state of the art.

8. Amendments to the Privacy Policy

This version of our Privacy Policy is continuously updated to reflect developments on the Internet or our offering. We shall announce amendments in good time on this page. You should visit this page regularly to see the latest updates to our data usage provisions.



Privacy Policy for our appearances in social networks (Facebook, Instagram, LinkedIn)

(Revised: March 2020)

We maintain publicly accessible profiles on various social networks (especially Facebook, Instagram and LinkedIn). Your visit to these profiles may trigger data processing operations. In the following we will give you an overview of which of your personal data is collected, used and stored by us when you visit our profiles. You are not obliged to provide us with your personal data. However, this may be necessary for individual functionalities of our profiles in social networks. If you do not provide us with your personal data, these functionalities will not be available to you or will only be available to a limited extent.

When you visit our profiles, your personal data is not only collected, used and stored by us, but also by the operators of the respective social network, if applicable. This may happen even if you do not have a profile in the respective network. The individual data processing procedures and their scope differ depending on the operator of the respective social network and their scope is not necessarily comprehensible to us. For details about the collection and storage of your personal data as well as the type, scope and purpose of their use by the operator of the respective social network, please refer to the data protection declarations of the respective operator:

1. Facebook

Further information on the processing of your personal data when visiting and using our Facebook page can be found here.

2. Instagram

To advertise our products and services and to communicate with interested parties or customers, we operate pages on the Instagram social media platform.


Together with Facebook, we are jointly responsible in this context only for the processing of so-called “Insights data”, insofar as this data is used for the creation of so-called “Page Insights”. With this data protection declaration, we comply with our duty to provide information in accordance with Art. 13 DSGVO within the scope of joint responsibility.

Facebook and we have concluded an agreement within the framework of joint responsibility, which you can access here: (so-called “Page Insights Supplement”). This agreement applies to data processing that is collected in connection with a visit or interaction with our Instagram Page, but only to the extent that such data is also (subsequently) processed for “Page-Insights”. “Page-Insights” includes analysis services to help site managers better understand interactions with their sites. The purpose of the data processing is to produce aggregated statistics for site managers.

This means that the data is processed as part of a visit to or interaction of individuals with an Instagram page, but only to the extent that the purpose is to use it for “page insights”. For more information on this and the specific data processed, please visit and

This processing of visitor data serves the purpose of providing the site and statistical evaluation of the use of our site. This evaluation is made anonymous for us. The legal basis for data processing is Article 6(1)(1)(f) GDPR (legitimate interests). The legitimate interests with regard to the processing of personal data when visiting the site and the creation of the “site insights” are communication and interaction with interested parties and customers; dissemination of information; anonymous evaluation and presentation of the use of our Instagram page.

When you visit our Instagram page, Facebook collects your IP address and other information that is available on your system in the form of cookies. This information is used to provide us, as the operator of the Instagram pages, with statistical information about usage of the Instagram page. We do not receive any personal data from Facebook in this context.

The data collected about you in this context will be processed by Facebook and may also be transferred to countries outside the European Union. Facebook describes in general terms what information Facebook receives and how it is used in its data policy. There you will also find information about how to contact Facebook and about the settings for advertisements. The Facebook data policy is available at the following link:

If you wish to exercise a right of data protection to which you are entitled under the GDPR (see above point 5 of the data protection declaration for the website, we would like to point out that it is often more effective to assert claims against Facebook if you contact Facebook directly (since Facebook operates the technical infrastructure of the Instagram Platform). Should you nevertheless require assistance, please do not hesitate to contact us.

The respective responsibilities between us and Facebook, in particular with regard to safeguarding the rights of the persons concerned, can be found in the Page Insights supplement (see below).

Further details on how to exercise these rights are provided by Facebook in the “Information on Page Insights Data”:


In addition to the processing of Insights data mentioned in section 2.1, we are in general solely responsible for any further processing via Instagram (for example, if you contact us via Instagram and we process your data to answer your inquiry).


With regard to the processing of personal data referred to in point 2, the provisions in points 1, 2, 3.1 and 4 to 8 of the Privacy Policy for the website (see above) apply in substance mutatis mutandis, unless otherwise provided for in this Privacy Policy.

3. LinkedIn

When you visit our LinkedIn page, we are jointly responsible with LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ( for the processing of your personal data (You can see our Joint Controller Agreement with LinkedIn here:

We operate our LinkedIn page to inform you and communicate with you as a user, an interested person or as a potential employee/applicant. In accordance with the LinkedIn terms of use, which each user must agree to as part of creating a LinkedIn profile, we may identify subscribers to our page and see their profiles or other information shared. For example, your LinkedIn name and profile picture are visible to us (and other LinkedIn users) when you visit our page or comment on our posts. We therefore only collect personal data that has become an obvious part of our LinkedIn page as a result of your participation. We have no interest in collecting and further processing your individual personal data.

LinkedIn uses small text files that are stored on the various end devices of the users (cookies), to store and further process this information. According to LinkedIn, the cookies used by LinkedIn are for authentication, security, preferences, features and services, personalised advertising, and analysis and research. You can view details of the cookies used by LinkedIn here:

LinkedIn’s privacy policy contains further information on data processing.

The operation of the LinkedIn page, including the processing of users’ personal data, is based on Art. 6 para. 1 lit. f) GDPR for the implementation of our legitimate interests in an information and interaction opportunity via LinkedIn for and with our users and visitors. For the LinkedIn retargeting cookie and applications via our LinkedIn page, your consent serves as a legal basis, Art. 6 para. 1 lit. a) GDPR. Further legal bases for data processing may arise in individual cases from Art. 6 para. 1 lit. b) or c) GDPR.

We delete personal data as soon as the purpose of the data processing has been achieved and there are no other legal reasons against deleting the data. We delete private messages in our LinkedIn account manually after 3 months.