Privacy Policy

This data protection declaration clarifies the type, scope and purpose of personal data (hereinafter referred to as “pb. data”) within our online offer and the websites, functions and contents connected with it as well as external online presences, such as our social media profiles (hereinafter referred to collectively as “online offer”). With regard to the terms used, such as “processing” or “person responsible”, we refer to the definitions in Art. 4 of the Basic Data Protection Regulation (DSGVO).

This privacy policy applies to the online platforms operated by Medien.Bayern GmbH, Rosenheimer Str. 145e, 81671 Munich (“us”, “we”, “Medien.Bayern”, XR HUB Bavaria, or XR HUB Munich) at, ,,,,,, (“Website”).

We ask you to inform yourself regularly about the content of our data protection declaration. We will adapt the data protection declaration as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes make it necessary for you to take action to cooperate (e.g. to give your consent) or to receive other individual notification.

Responsable Person

Medien.Bayern GmbH
Rosenheimer Str. 145 e
81671 Munich,
CEOs: Stefan Sutor (Chair) | Lina Timm
Link to Imprint:

Data Protection Officer

If you have any questions or suggestions regarding data protection, please contact our external data protection officer: datenschutzbeauftragter:

Types of personal data to be processed that you make available to us within the scope of our offers:

  • inventory data (e.g. names, addresses)
  • Contact details (e.g. e-mail, telephone numbers)
  • Content data (e.g. text entries, photographs, videos)
  • Contract data (e.g. object of contract, customer category)
  • Payment data (e.g. bank details, payment history)

The following personal data is collected when you visit our website:

  • Usage data (e.g. websites visited, interest in content, access times)
  • Meta- / communication data (e.g. device information, IP addresses)

Purpose of the processing

  • Execution of the contractual agreements
  • Provision of the online offer, its functions and contents
  • Responding to contact requests and communication with users
  • Security measures
  • Reach measurement / Marketing

Terms Used

“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); a natural person is deemed to be identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier comprising a name, an identification number, location data, an online identifier or one or more special features (Art. 4 No. 1 DPA).

“Processing” means any operation or set of operations, whether or not performed by automatic means, relating to pb. data such as the collection, recording, organisation, organisation, filing, storage, adaptation or modification, reading, retrieval, use, disclosure by transmission, dissemination or any other form of provision, alignment or combination, restriction, deletion or destruction;

“Responsible Person” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of pb. data (Art. 4 No. 7 1st half sentence DSGVO).

Relevant legal Bases

In accordance with Art. 13 DSGVO, we inform you of the legal basis of our data processing. If the legal basis is not stated in the data protection declaration, the following applies:

  • the legal basis for obtaining consent is Art. 6 para. 1 lit. a and Art. 7 DSGVO
  • the legal basis for processing for the purpose of fulfilling our services and implementing contractual measures and answering enquiries is Art. 6 Para. 1 letter b DSGVO
  • the legal basis for the processing for the fulfilment of our legal obligations is Art. 6 para. 1 letter c DSGVO
  • the legal basis for the processing to safeguard our legitimate interests is Art. 6 para. 1 letter f DSGVO
  • If vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d FADP serves as the legal basis.

Cooperation with third parties and with contract processors

Insofar as we are not able to provide pb. disclose data to other persons and companies (processors or third parties), transfer them to them or otherwise give them access to pb. Data, this is only done on the following basis:

  • for the fulfilment of the contract (e.g. if a transmission of the pb. data to third parties, such as to ticket service providers, in accordance with Art. 6 para. 1 lit. b DSGVO)
  • with consent (e.g. newsletter registration, pursuant to Art. 6 para. 1 a DSGVO),
  • due to a legal obligation (e.g. notification to the social security authorities in case of engagement of artists according to art. 6 para. 1 c DSGVO)
  • on the basis of our legitimate interests (e.g. direct advertising in accordance with Art. 6 para. 1 f DSGVO)
  • on the basis of a so-called “order processing contract” (in accordance with Art. 28 DSGVO, e.g. web host, shipping service provider).

Transfers to Third Countries

Unless we pb. Process data in a third country (i.e. outside the European Union, EU or EEA) or do so in connection with the use of third-party services or disclosure or transfer of pb. Data to third parties, this will only take place if it is done to fulfil our contractual obligations, based on your consent, a legal obligation or based on our legitimate interests.

Subject to legal or contractual permissions, we process the pb. Data in a third country only if the special conditions of Art. 44 ff. DSGVO. This means, for example, that the processing is carried out on the basis of special guarantees, such as the officially recognised determination of a data protection level corresponding to that of the EU (e.g. for the USA through the “Privacy Shield”) or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).

Rights of individuals concerned

You have the right to ask for a confirmation of whether the pb. data are processed and to receive information about these pb. Data and to receive further information and a copy of the pb. Data according to Art. 15 DSGVO.

According to Art. 16 DSGVO you have the right to request the completion of the pb. data concerning you or the correction of incorrect pb. data.

According to Art. 17 DSGVO, you have the right to demand that pb. Data be deleted immediately or, alternatively, according to Art. 18 DSGVO, a restriction on the processing of pb. data.

According to Art. 20 DSGVO you have the right to demand that the pb. data that you have provided us with and to request that they be communicated to other responsible parties.

Right of withdrawal

You have the right to revoke consents granted (Art. 6 para. 1 a DSGVO) pursuant to Art. 7 para. 3 DSGVO with effect for the future.

Right of objection

You may object to the future processing of the pb. data concerning you in accordance with Art. 21 DSGVO at any time. The objection can be made in particular against processing for the purposes of direct advertising (Art. 6 para. 1 f DSGVO).

Right of appeal to the supervisory authority

You have the right to complain to the competent supervisory authority about the processing of your personal data Art. 77 DSGVO.

The Media Data Commissioner is the competent supervisory authority within the meaning of Art. 51 DS-GVO.

Andreas Gummer
Media Data Officer
Bayerische Landeszentrale für neue Medien
Heinrich-Lübke-Str. 27
81737 München


Cookies” are small files that are stored on the user’s computer. Different information can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after his visit to an online offer.

Temporary cookies, or “session cookies” or “transient cookies”, are cookies that are deleted after a user leaves an online offer and closes his browser. The contents of a shopping cart in an online shop, for example, can be stored in such a cookie.

Cookies are described as “permanent” or “persistent” if they remain stored even after the browser is closed. Thus, the interests of the users can be stored in such a cookie, which is used for coverage measurement or marketing purposes.

A “third party cookie” is a term used to describe cookies offered by providers other than the person responsible for operating the website (otherwise, if it is only their cookies, it is called a “first-party cookie”).

Deletion of personal data

The pb. we processed Data processed by us will be deleted or restricted in their processing in accordance with Art. 17 and 18 DSGVO. Unless expressly stated in this data protection declaration, the pb. data stored by us will be deleted or limited in their processing. Data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory storage obligations. If the pb. Data are not deleted because they are required for other and legally permissible purposes, their processing is restricted. I.e. the pb. Data will be blocked and not processed for other purposes. This applies, for example, to pb. data that must be retained for commercial or tax law reasons.

According to legal requirements in Germany, the storage takes place in particular for 10 years according to §§ 147 para. 1 AO, 257 para. 1 nos. 1 and 4, para. 4 HGB (books, records, management reports, accounting vouchers, trading books, documents relevant for taxation, etc.) and 6 years according to § 257 para. 1 nos. 2 and 3, para. 4 HGB (commercial letters).


The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services as well as technical maintenance services that we use for the purpose of operating this online offer. For these services, we have used carefully selected contract processors with whom we have concluded contract processing agreements.

Collection of access data and log files

We, or our hosting provider, on the basis of our legitimate interests as defined in Art. 6 Par. 1 lit. f. DSGVO data about every access to the server on which this service is located (so-called server log files). The access data includes:

  • Target URL,
  • File,
  • Date and time of the retrieval,
  • Transferred data volume,
  • Message about successful retrieval,
  • Browser type and version, the operating system of the user,
  • Referrer URL (the previously visited page)
  • Source IP address

For security reasons (e.g. to clarify misuse or fraud), log file information is stored for a maximum period of 30 days and then deleted. Data whose further storage is required for evidence purposes is excluded from deletion until the respective incident has been finally clarified.

Economic analyses and market research

In order to run our business economically and to identify market trends, customer and user wishes, we analyse the data available to us on business transactions, contracts, inquiries, etc. In doing so, we process inventory data, communication data, contract data, payment data, usage data, metadata on the basis of Art. 6 para. 1 lit. f. DSGVO, whereby the persons concerned include customers, interested parties, business partners, visitors and users of the online offer.

The analyses are carried out for the purpose of business management evaluations, marketing and market research. In doing so, we can take into account the profiles of registered users with information on e.g. their purchase transactions. The analyses produced are used internally only. The overall business management analyses and general tendency determinations are, if possible, prepared anonymously. If these are not prepared anonymously, we will take technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the security of the processing, i.e. after taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the varying probability of occurrence and severity of the risk to the rights and freedoms of natural persons (Art. 32 DSGVO).

If we forward analyses to third parties, these are only anonymous, summarized values.

We use carefully selected contract processors for these analyses.


When contacting us (e.g. via contact form, e-mail, telephone or social media), your data will only be processed for the purpose of handling your contact request and, if applicable, its contractual handling in accordance with Art. 6 Para. 1 lit. b) DSGVO. Your details may then be stored in a customer relationship management system (“CRM system”) or comparable enquiry organisation. In this case, we use a carefully selected CRM service provider as the processor of the order.
We will delete the enquiries if they are no longer required. We check the necessity every two years; furthermore, the statutory archiving obligations apply.

Events subject to charge

Medientage München

We organize the annual Medientage München. For contract processing, i.e. for ticket issuing, we process your pb. Data (title, first name, surname, city, country, e-mail address), your payment data and all information provided voluntarily during registration (such as title, company, position), Art. 6 para. 1 lit. b DSGVO. These will be deleted after 10 years according to the legal retention periods of the German Commercial Code and the German Fiscal Code.

Expo tickets are also available free of charge as part of the Medientage München. For contract processing, i.e. for issuing tickets, we process your pb. Data (title, first name, surname, city, country, e-mail address), your payment data and all information provided voluntarily during registration (such as title, company, position), Art. 6 para. 1 lit. b DSGVO. Your pb. Data will be deleted after 5 years.

Since Medientage München is an event for networking in the media sector with a large number of partners (exhibitors, sponsors, media cooperations etc.), it has a high degree of media impact. During Medientage München, we will produce image and sound recordings for our public relations work (Art. 6 para. 1 lit. f DSGVO), which can be published on the Internet and on television without any restrictions in terms of location, time or content. In addition, image and sound recordings are also made by representatives of various media present for general reporting purposes. If you do not wish this, please do not register.

With this registration you will receive information from us by e-mail, which will inform you about details and changes to the program of Medientage München and the Night of the Media as part of our contract processing (Art. 6 Para. 1 lit. b DSGVO). We will also use this e-mail distribution list to ask you about your customer satisfaction after our event. You can object to receiving e-mail information at any time using the link at the end of the e-mail.

Events and Workshops free of charge

Medien.Bayern GmbH also organizes free events such as meetings of the Media Network, Media Lab Bayern and XR HUB Munich. For planning and handling (e.g. creating guest lists and enabling access controls) we process your pb. data (title, first name, surname, street/no., postcode/city, country, e-mail address) as well as all voluntary details provided in the context of the registration (such as title, company, position). We will keep these pb. data for a period of six months and delete them afterwards.

In addition to the events, we also run free workshops. Here we also ask for professional competence (e.g. editor, moderator, …) so that the lecturers can prepare themselves especially for the requirement profile of the group.

Depending on the type of event or workshop, there may be cooperation partners that we can name. In this case, the cooperation partner or possibly the external service providers will receive your pb. In this case your pb. data will be transmitted to the cooperation partner or possibly also to the external service providers, whereby the data may also only be used for the proper execution of the event. The data will be deleted when they are no longer required for processing (possibly as proof of use).


With the following notes we inform you about the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedure and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the described procedures. We use a carefully selected order processor for the newsletter dispatch.

Content of the newsletter: We send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter “newsletter”) only with the consent of the recipients or on the basis of a legal provision. Insofar as the contents of the newsletter are specifically described in the context of a registration for the newsletter, they are decisive for the consent of the users. Furthermore, our newsletters contain information about our services and us.

Double-Opt-In and logging: The registration to our newsletter is done in a so-called Double-Opt-In procedure. This means that after registration you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that nobody can register with foreign e-mail addresses. The newsletter registrations are logged in order to be able to prove the registration process according to the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Changes to your pb. Data stored by the shipping service provider are logged.

Registration data: To subscribe to the newsletter, you only need to enter your e-mail address. Optionally, we ask you to enter a name for personal contact in the newsletter.

The dispatch of the newsletter and the associated measurement of success is based on the consent of the recipients in accordance with Art. 6 Para. 1 lit. a, Art. 7 DSGVO in conjunction with § 7 Para. 2 No. 3 UWG or on the basis of the legal permission in accordance with § 7 Para. 3 UWG.

The registration procedure is recorded on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. f DSGVO. We are interested in the use of a user-friendly and secure newsletter system that serves our business interests as well as meeting the expectations of the users and also allows us to provide proof of consent.

Cancellation/revocation – You can cancel the receipt of our newsletter at any time, i.e. revoke your consent. You will find a link to cancel the newsletter at the end of each newsletter. We may store the unsubscribed e-mail addresses for up to three years on the basis of our legitimate interests before we delete them in order to be able to prove a previously given consent. The processing of these pb. Data will be limited to the purpose of a possible defence against claims. An individual request for deletion is possible at any time, provided that the former existence of a consent is confirmed at the same time.

Newsletter – Measuring success

The newsletters contain a so-called “web-beacon”, i.e. a pixel-sized file which is retrieved from our server when the newsletter is opened, or from the server of a mailing service provider if we use one. Within the scope of this retrieval, technical information such as information on the browser and your system, as well as your IP address and time of retrieval are initially collected.

This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behaviour based on their access locations (which can be determined by means of the IP address) or the access times. Statistical surveys also include determining whether newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our intention nor, if used, that of the dispatch service provider to observe individual users. The evaluations serve us much more to recognize the reading habits of our users and to adapt our contents to them or to send different contents according to the interests of our users.

Social media online presence

We maintain online presences within social networks and platforms in order to communicate with the customers, interested parties and users active there and to be able to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.

Unless otherwise stated in our privacy policy, we process the pb. Users’ data, insofar as they communicate with us within social networks and platforms, e.g. write articles on our online presences or send us news.

Integration of third-party services and content

Within our online offer, we set within our online offer on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer in the sense of Art. 6 Par. 1 lit. f. DSGVO), we use content or service offers from third parties in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as “content”).

This always assumes that the third party providers of this content are aware of the IP address of the users, as without the IP address they would not be able to send the content to their browsers. The IP address is therefore required to display this content. We endeavour to use only such content whose respective providers use the IP address only to deliver the content. Third party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain technical information about the browser and operating system, referring websites, visiting time and other details about the use of our online offer, as well as being linked to such information from other sources.

Google Maps

We integrate the maps of the “Google Maps” service of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data may include, in particular, IP addresses and location data of the users, which, however, cannot be collected without their consent (usually in the context of the settings of their mobile devices). The data may be processed in the USA. Privacy policy:, Opt-Out:


Within our online offer, functions and contents of the service Twitter, offered by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, can be integrated. This may include content such as images, videos or text and buttons that users can use to communicate their favors regarding the content, the authors of the content or to subscribe to our posts. If the users are members of the platform Twitter, Twitter can assign the call of the above mentioned contents and functions to the profiles of the users there. Twitter is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law ( Privacy policy:, Opt-Out:


Within our online offer, functions and contents of the service Instagram, offered by Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA, can be integrated. This may include, for example, content such as images, videos, or text and buttons that allow users to express their favorites regarding the content, the authors of the content, or to subscribe to our posts. If users are members of the Instagram platform, Instagram may associate the access to the above content and functions with the user’s profile. Instagram Privacy Policy:


Within our online offering, functions and content of the Xing service offered by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany, can be integrated. This can include, for example, content such as images, videos or texts and buttons with which users can express their favor regarding the content, the authors of the content or subscribe to our contributions. If the users are members of the Xing platform, Xing can assign the call of the above-mentioned contents and functions to the user profiles there. Privacy policy of Xing:


Within our online offer, functions and contents of the LinkedIn service, offered by LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland, can be integrated. If the users are members of the LinkedIn platform, LinkedIn can assign the access to the above-mentioned contents and functions to the user profiles there. LinkedIn’s privacy policy: LinkedIn is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law ( Privacy policy:, Opt-Out:

Focal Analytics: website usage statistics for analysis purposes using a cookie

For this website, we use the services of Focal Analytics GmbH ( to analyze personal data of website visitors using cookies, to optimize our offer and to make our offer more user-friendly. The legal basis for the processing is your consent (Art. 6 para. 1 a of the German Data Protection Act), which you declare voluntarily with an opt-in in our consent tool.

The collection and analysis is pseudonymized by storing a first-party cookie on your device. If this first-party cookie has been activated by your consent, it helps us to increase the quality of the data and to uniquely recognize your visit. Such first-party cookies are not readable by other websites and scripts. Unlike so-called third-party cookies (e.g. set by tools such as Google Analytics), website visitors cannot be identified across multiple websites. Your consent can be revoked at any time in the future.

Focal Analytics: website usages statistics for analysis purposes without cookies.

We use the services of Focal Analytics GmbH ( for this website to analyze website visitor data. The legal basis for the processing is our legitimate interest (Art. 6 para. 1 f of the German Data Protection Act) to optimize our offer and to make our offer more user-friendly.

By default, the data of website visitors is collected anonymously without cookies. Similar to other so-called „tracking software“, a short JavaScript code is installed on our website for this purpose. In accordance with the DSGVO, the browser setting „Do-Not-Track“, which allows website visitors to explicitly object to all tracking technologies, is also taken into account.

We have carefully selected our service provider and concluded a so-called order processing agreement (Art. 28 of the German Data Protection Act) with them. A transfer of your data by Focal Analytics does not take place.

The Focal Analytics tool can be deactivated by using the Opt-Out switch.