Privacy policy of the Online Shop of HACHEZ CHOCOVERSUM GmbH

  1. Preamble

HACHEZ CHOCOVERSUM GmbH would like to explain to you below which data are collected, processed and used when and for what purpose. We would like to explain to you how our offered services work and how the protection of your personal data is guaranteed. We only collect, process and use personal data if you have consented therein or a law allows this.

This Privacy Policy can be retrieved, saved and printed at any time under the URL https://chocoversum.ticketfritz.de/en/Home/Privacy.

  1. Responsible Persons
  2. Name and address of the controller

The responsible person within the meaning of the EU General Data Protection Regulation (GDPR) is



Messberg 1, 20095 Hamburg

Tel.: (040) 41 91 23 00

Fax: (040) 41 91 23 0 - 20

E-Mail: info@CHOCOVERSUM.de

  1. Name and address of the data protection officer

The data protection officer of the controller is:


Lawyer Bertold Frick

Datenschutz-Metropol GmbH

Baumwollbörse, Wachtstraße 17/24, 28195 Bremen

Tel.: (0421) 339 53 50

Fax: (0421) 339 53 55

E-Mail: frick@trinity-metropol.de


For general questions or suggestions regarding data protection, you can contact us at any time by e-mail at info@chocoversum.de or with our external data protection officer mentioned under point 2.

  • General
  1. Scope of processing personal data

In principle, we collect and use our users’ personal data only to the extent necessary to provide a functional website and our content and services. This includes


  • E-mail address
  • Payment data
  • Booked events / tickets purchased or vouchers
  • Any documents or information provided by you, the personal data


We collect, process and use this data in order to contact you and process your request for events, ticket purchases or general enquiries.

In addition, we collect, process and use the following data to compile visitor statistics on the use of our website and to improve our website. The following data is collected:


  • Date and visit of the URL on which the visitor is located
  • URL that the visitor visited immediately before
  • Browser used
  • Operating system used
  • IP address of the visitor


If this is not the case, personal data will only be used with the user’s consent. An exception applies in cases where prior consent cannot be obtained for effective reasons and the processing of the data is permitted by law.

  1. Legal basis of processing

Insofar as we obtain the consent of the data subject for processing of personal data, Article 6 (1)(a) EU General Data Protection Regulation (GDPR) serves as the legal basis.

For the processing of personal data required to fulfil a contract to which the data subject is a party, Article 6 (1)(b) GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual actions.

Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Article 6 (1)(c) GDPR serves as the legal basis.

In the event that the vital interests of the data subject or any other natural person require the processing of personal data, Article 6 (1)(d) GDPR serves as the legal basis.

If the processing is necessary to safeguard the legitimate interests of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not prevail over the first interest, Article 6 (1)(f) GDPR serves as the legal basis for processing. The legitimate interest of our company lies in the execution of our business activities.


  1. Routine deletion and blocking of personal data

We only process and store personal data of the data subject for as long as necessary to achieve the storage purpose. In addition, such storage may take place if provided for by the European or national legislator in EU regulations, laws or other regulations to which the person responsible for the processing is subject. As soon as the storage purpose ceases to apply or a storage period prescribed by the aforementioned regulations expires, the personal data is routinely blocked or deleted.


  1. Data security

We take all reasonable technical and organisational measures to ensure the protection of your data. Despite regular checks, full protection against all dangers is not possible.


The website uses industry standard SSL (Secure Sockets Layer) for encryption in some places. This ensures the confidentiality of your personal information over the Internet.




  1. Usage data
  2. Log files


Each time the website is accessed, we or the site provider collect data and information through an automated system. These are stored in the log files of the server.


The following data can be collected here:

  • Information about the browser type and version used
  • The user’s operating system
  • The user’s Internet service provider
  • The user’s IP address
  • Date and time of access
  • Websites from which the user's system is accessed on our website (referrer)
  • Web pages accessed by the user's system through our website

The processing of the data serves to deliver the contents of our website, to ensure the functionality of our information technology systems and to optimize our website. The data of the log files are always stored separately from other personal data of the users.


5.Social plugins

(1) This website uses social plugins from social networks. Separate data protection and liability rules apply to social networks and the websites of third parties in general. The saving and use of personal data by the relevant website operators (service providers) upon the use of their services may exceed the extent provided for under this data protection policy. CHOCOVERSUM cannot influence what data an activated plugin collects and how the provider uses this data. CHOCOVERSUM does not collect any personal information itself by means of or through the use of social plugins.

(2) To increase the protection of your data, the plugins are not embedded in the website without restriction, but only when using an HTML link (so-called “Shariff solution” by c’t). Such embedding guarantees that no connection is made with the social network provider’s servers upon visiting a site containing such plugins. If you click on one of the buttons, a new window opens in your browser and calls up the relevant service provider’s website, where (after entering any applicable login information) you are able to activate, for example, the “like” or “share” buttons. Please refer to the relevant provider’s data protection policy for information about the purpose and extent of data collection and the provider’s further processing and use of the data, as well as your rights in this regard and the settings you can choose to protect your privacy.

Operator: Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA
Website: www.facebook.com
Data protection: http://www.facebook.com/policy.php

The rights of data subjects can be enforced with Facebook Ireland, as well as Hachez Chocoversum GmbH.

According to the General Data Protection Regulation (GDPR), Facebook is primarily responsible for processing insight data and fulfils all obligations relating to the processing of insight data under the GDPR.

The substance of the page insights controller addendum is made available to data subjects by Facebook Ireland.

As operator, we do not make any decisions relating to the processing of insight data or any other data resulting from Art. 13 GDPR, including legal basis, identity of the controller and the duration for which cookies are saved on users’ terminals.

Operator: Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025, USA
Website: https://www.instagram.com
Data protection: https://help.instagram.com/155833707900388

Operator: TripAdvisor LLC, 400 1st Avenue, Needham, MA 02494 USA
Website: https://www.tripadvisor.de
Data protection: https://tripadvisor.mediaroom.com/DE-privacy-policy

  1. Cookies

(1) Our webpages employ so-called “cookies”. Cookies are small text files that are saved on browser's cache for the duration of your session (so-called “session cookies”) or on your hard drive for a particular time (so-called “permanent cookies”). Cookies enable recognition of the internet browser, so that when you next visit our website, you can be provided more quickly with targeted content which is tailored to your wishes and requirements. We therefore use cookies that are technically necessary to our legitimate interest in providing a website tailored to our visitors’ wishes. The cookies do not save any personal data.

(2) If, in addition to cookies that are technically necessary, we also wish to use marketing, tracking or analysis cookies, your express prior consent is required. This is requested on the cookie banner that appears on our website when you begin to use it. This cookie banner provides information about our cookie policy and gives you the opportunity to choose whether to refuse or grant consent to all or particular types of cookies.

(3) If you grant consent, the legal basis for processing personal data is Art. 6 (1) (a) GDPR.

  1. Google (Universal) Analytics

(1) This website uses Google Universal Analytics, a web analysis service of Google Inc. (referred to below as “Google”).  Google Universal Analytics also uses cookies.

Your express consent is required for the use of Google Universal Analytics. You have the opportunity to refuse or grant consent to this and to obtain information about our company’s data protection policy through the cookie banner when you begin to use our website. 

(2) If you grant consent, the legal basis for processing personal data is Art. 6 (1) (a) GDPR.

You can withdraw your given consent at any time without giving reasons. You can do this by, for example, sending an email to: info@chocoversum.de. In our Legal notice, you will find further contact details to which you can address the withdrawal.

(3) The information about your use of the website created by the cookie is normally transmitted to a Google server in the USA and saved there. IP anonymisation is instituted on our website, so that your IP address is first abbreviated by Google within the member states of the European Union or other contracting states of the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and abbreviated there. Google has agreed to comply with the Privacy Shield Agreement concerning the collection, use and saving of personal data from EU member states that was made between the EU and the USA and published by the US Department of Trade, and holds a corresponding Privacy Shield Certificate.

In a decision dated 16/07/2020, the European Court of Justice declared that the Privacy Shield data protection agreement between the USA and the EU is invalid. 

  1. Facebook Remarketing

(1) Our website uses the “Custom Audiences” remarketing function of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). This enables us to present our website’s visitors with interest-related advertisements during visits to the Facebook social network (“Facebook ads”). On visiting our website, the Facebook remarketing tag (cookie) implemented on the site creates a direct connection to Facebook’s servers and the Facebook server is informed that you have visited this website. Facebook lists this information on your personal Facebook user account. More detailed information about the collection and use of the information by Facebook, as well as your rights in this regard and the possible ways to protect your privacy can be found in Facebook’s data protection policy at https://www.facebook.com/about/privacy/.

(2) Your express consent is required in order to employ tracking and marketing cookies. You have the opportunity to refuse or grant consent to these cookies and to obtain information about our company’s data protection policy via the cookie banner when you begin to use our website.

(3) If you grant consent, the legal basis for processing personal data is Art. 6 (1) (a) GDPR.

You can withdraw your given consent at any time without giving reasons. You can do this by, for example, sending an email to: info@chocoversum.de. In our Legal notice, you will find further contact details to which you can address the withdrawal.

You can also object to the use of cookies at any time and deactivate the “Custom Audiences” remarketing function. In addition, you can adjust your settings on Facebook itself via the following link: https://www.facebook.com/settings/?tab=ads#_=_. You must be registered with Facebook in order to do this.


  1. Your personal information


  1. What are "personal data"?

Personal data are information about yourself that allow  conclusions to be drawn about your identity or which relate directly or indirectly to you, e.g. your name, address or phone number. Information that does not allow conclusions to be made about a specific or identifiable person is not included.


  1. E-mail, telephone

If you contact us by e-mail or telephone, we will only use the personal data you provide to process your specific request. The given data will be treated confidentially.

  1. Your registration

If you use the opportunity to register on our website, the data in the respective input mask will be transmitted to us. The data are stored solely for the purpose of internal use. Upon registration, the IP address of the user as well as the date and time of the registration will be stored in addition to the data mentioned below. This is to prevent misuse of the services. A transfer of the data to third parties does not take place. An exception exists if there is a legal obligation to disclose. Registered persons have the possibility to delete or modify the stored data at any time. The data subject receives information about the personal data stored about him or her at any time. Registration is based on our legitimate interests. With the opportunity to register, we can offer our visitors the convenience of regularly logging in and storing the data permanently.

  1. Recording of customer contact details in accordance with the Hamburg SARS-CoV-2 containment regulation (HmbSARS-CoV-2 containment regulation)

(1) Purpose: Your data will be used exclusively for the purpose of tracking SARS-CoV-2 infection chains. The use of your data for our own purposes or services, especially advertising, is excluded.

(2) Legal basis: The legal basis for processing your data is Art. 6 Paragraph 1 lit. c General Data Protection Regulation (GDPR) in conjunction with Section 26 Paragraph 2 No. 2 of the HmbSARS-CoV-2 containment regulation.

(3) We use the digital solution from https://darfichrein.de for data acquisition.

(4) Transmission to third parties: Your data will be presented to the competent authority (health authority) upon request.

  • Retention periods / deletion periods: Your data will be deleted after the retention period of 4 weeks has expired.

You are entitled to all data subject rights according to Art. 15 ff. GDPR, in particular information, deletion and restriction of processing.

  1. What data do we collect and what for?

As part of the registration, we need an email address and password from you. The data you provide will be stored with us and serve solely to provide the services you requested and thereby fulfil our contracts with you, in particular the sale through our online store.

  1. Bank and credit card data


For certain fee-based offers, we also need bank or credit card information to process the contract.

If you choose the payment method "credit card", we also need your credit card details, but these credit card details are not collected by us but are collected directly and exclusively via the payment service provider that we have appointed and specialise in the online area Within the Giropay payment method, you can choose your bank and you will be immediately redirected to your bank's online banking website, where you will be able to log in as usual with your access data and we will not collect or process any data in this context.

  1. Can I also shop without registering in the online shop?

A purchase in our online shop is also possible without registration. The data collected by us for processing the purchase will be recorded and stored in the shop system in order to fulfil our contract with you.


  1. Disclosure of personal data

In addition, we will not disclose personal data without your express consent, unless we are legally permitted to do so, e.g. if we are required by law to disclose data (to law enforcement agencies and courts, to public bodies that receive data due to statutory regulations, such as social insurance agencies, tax authorities, etc.) or if we involve third parties to enforce our claims for professional secrecy.


  1. Your rights as an affected person

f HACHEZ CHOCOVERSUM GmbH processes personal data about you, you are a victim within the meaning of the General Data Protection Regulation and you have the following rights against HACHEZ CHOCOVERSUM GmbH as the person responsible:


  1. Right to information

You may ask the person in charge to confirm if personal data concerning you is processed by us.

If such processing is available, you can request information from the person responsible about the following information:

  1. the purposes for which the personal data are processed;
  2. the categories of personal data that are processed;
  3. the recipients or categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed;
  4. the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the storage duration;
  5. the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
  6. the existence of a right of appeal to a supervisory authority;
  7. all available information on the source of the data if the personal data are not collected from the data subject;
  8. the existence of automated decision-making including profiling under Article 22 (1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended impact of such processing on the data subject.

You have the right to request information about whether your personal data is transferred to a third country or an international organisation. In this context, you can request the appropriate guarantees in accordance with. Art. 46 GDPR in connection with the transmission of information.


  1. Right to rectification

You have a right of rectification and/or completion vis-à-vis the controller if the personal data processed is incorrect or incomplete. HACHEZ CHOCOVERSUM GmbH has to carry out the correction without delay.

  1. Right to limit processing

You may request the restriction of the processing of your personal data under the following conditions:

  1. if you contest the accuracy of your personal information for a period of time that enables the controller to verify the accuracy of your personal information;
  2. the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
  3. HACHEZ CHOCOVERSUM GmbH no longer requires the personal data for the purposes of the processing, but you need them to assert, exercise or defend legal claims, or
  4. if you have filed an objection against the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the person responsible outweigh your reasons.


If the processing of personal data concerning you has been restricted, this data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

If the processing limitation has been restricted according to the abovementioned conditions, you will be informed by the person in charge before the restriction is lifted.

  1. Right to erasure

You can demand from HACHEZ CHOCOVERSUM GmbH that the personal data concerning you be deleted immediately, and we are obliged to delete this data immediately, if one of the following reasons applies:

  1. Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
  2. You revoke your consent to the processing pursuant to Art. 6 (1)(a) or Art. 9 (2)(a) GDPR and there is no other legal basis for processing.
  3. You file an objection against the processing pursuant to Art. 21 (1) GDPR and there are no prior justifiable reasons for the processing, or you file an objection against the processing pursuant to Art. 21 (2) GDPR.
  4. Your personal data has been processed unlawfully.
  5. The deletion of personal data concerning you is required to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
  6. The personal data concerning you were collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.


If HACHEZ CHOCOVERSUM GmbH has made the personal data concerning you public and is, in accordance with Article 17 (1) of the GDPR, required to erase them, it shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you, as the data subject, have requested the deletion of any links to such personal data or copies or replications of such personal data.

The right to erasure does not exist if the processing is necessary

  1. to exercise the right to freedom of expression and information;
  2. to fulfil a legal obligation required by the law of the Union or of the Member States to which the controller is subject, or to carry out a task of public interest or in the exercise of official authority conferred on the controller;
  3. for reasons of public interest in the field of public health pursuant to Art. 9 (2)(h) and (i) and Art. 9 (3) GDPR;
  4. for archival purposes of public interest, scientific or historical research purposes or for statistical purposes pursuant to. Article 89 (1) of the GDPR, insofar as the right referred to in paragraph 1 is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
  5. to assert, exercise or defend legal claims.


  1. Right to information

If you have the right of rectification, erasure or restriction of processing against the controller, he/she is obliged to notify all recipients to whom your personal data have been disclosed of this correction or deletion of the data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.

You have the right vis-à-vis us to be informed about these recipients.

  1. Data transferability

You have the right to receive the personal data that you have provided to HACHEZ CHOCOVERSUM GmbH in a structured, conventional and machine-readable format. In addition, you have the right to transfer this data to another person without obstruction by the person responsible for providing the personal data, provided that

  1. the processing is based on consent pursuant to Art. 6 (1)(a) GDPR or Art. 9 (2)(a) GDPR or on a contract pursuant to Art. 6 (1)(b) GDPR and
  2. the processing is done using automated procedures


In exercising this right, you also have the right to request that your personal data be transmitted directly from data controller to another, insofar as this is technically feasible. Freedoms and rights of other persons may not be affected by this.

The right to data transferability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the controller.

  1. Right to object

You have the right to object at any time, for reasons that arise from your particular situation, to the processing of your personal data pursuant to Art. 6 (1)(e) GDPR; this also applies to profiling based on these provisions. HACHEZ CHOCOVERSUM GmbH will no longer process your personal data, unless it can prove compelling legitimate reasons for the processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing. If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

Regardless of Directive 2002/58/EC, you have the option, in the context of the use of information society services, of exercising your right to object through automated procedures that use technical specifications.

  1. Right to revoke the data protection consent declaration

You have the right to revoke your data protection declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until revocation.

  1. Automated decision on a case-by-case basis, including profiling



You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal effect on you or, in a similar manner, significantly affects it. This does not apply if the decision

  1. is required for the conclusion or fulfilment of a contract between you and HACHEZ CHOCOVERSUM GmbH,
  2. is permissible on the basis of Union or Member State legislation to which the controller is subject, and that legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests, or
  3. with your express consent.


However, these decisions must not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2)(a) or (g) applies and reasonable measures have been taken to protect your rights and freedoms and your legitimate interests.

Regarding the cases mentioned in a. and c., HACHEZ CHOCOVERSUM GmbH shall take appropriate measures to safeguard the rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person by the person responsible, to express one's own position and to contest the decision.

  1. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or place of alleged infringement, if you believe that the processing of your personal data violates the GDPR.

The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.

  1. Change of privacy policy

Changes to the law or changes to our internal processes may necessitate an adaptation of this privacy policy. This privacy policy was last updated on 08/12/2020. We will inform you about any material changes to this Privacy Policy on our website.