Privacy Policy for the Booking Portal for Set-up and Tear-down Drives (Loading Slots) at Messe Stuttgart

Information according to the EU General Data Protection Regulation (GDPR)
As of: August 2023

Protecting your personal data is important to Landesmesse Stuttgart GmbH (Messe Stuttgart). With this privacy policy, we aim to inform you about the processing of personal data related to the booking portal for set-up and tear-down drives (loading slots). These guidelines complement our general privacy policy, which you can find at https://www.messe-stuttgart.de/datenschutz.

1. Data Controller and Data Protection Officer
Data Controller according to the General Data Protection Regulation (GDPR):
Landesmesse Stuttgart GmbH 
Messepiazza 1, 70629 Stuttgart 
Email: info(at)messe-stuttgart.de 
Data Protection Officer:
Dr. Christian Borchers 
datenschutz süd GmbH 
Web: www.datenschutz-sued.de
Email: datenschutz(at)messe-stuttgart.de 
Phone: 0931-3049760 

2. Categories and Sources of Personal Data
Bookers

Messe Stuttgart processes data from users of the booking portal who book a loading slot. These users are referred to as "bookers." Bookers can be employees of exhibitors, trade fair freight forwarders, agencies, or transport companies. They have the option to register for a user account on the booking portal. After verifying their email address, they can create a profile and book loading slots.  
In the booking profile, bookers must provide certain mandatory data, including name, communication language, company, address, department, business contact details (email, possibly phone number), registration number, license plate, vehicle type/size, as well as the date, time/time window, and location of the booking. 
Booking loading slots incurs costs. To process the payment, providing payment data to the payment service provider is mandatory. Messe Stuttgart only receives information about the outcome of the payment process and the payment method used, such as a truncated account number. 
If bookers make a booking for another person (third party) or provide third-party data (especially the driver) to Messe Stuttgart, they must ensure and guarantee that:

  • they are authorized to provide this data to Messe Stuttgart
  • Messe Stuttgart is allowed to process this data lawfully for the purposes stated in Section 3
  • the affected person(s) have been sufficiently informed about the processing of their data according to these privacy guidelines.
Drivers

Bookers provide the mobile numbers of drivers and select the desired language (German or English). Drivers then receive SMS notifications to be informed about the upcoming end of the time window or in case of a time overrun. Information about entrances and exits is processed. 

Technical Personal Data
In the context of processing access logs, the following technical basic and usage data is collected and processed: username, password, technical role, permissions. This also includes information such as the Internet Protocol (IP) address, internet service provider, date and time of access, requested resource, return status, origin (referrer), software used (browser), and hardware used (mobile client). 
In addition, data is automatically collected using cookies and other technologies. Detailed information about the cookies and technologies used in the loading slot booking portal can be found here

 

3. Purposes of Processing and Legal Bases
Contractual Performance and Legitimate Interest

The processing of personal data in the booking profile by Messe Stuttgart is carried out according to Section 2 for the following purposes: to establish and execute the contractual relationship with Messe Stuttgart, including related communication and handling of loading slot bookings (Legal basis: Art. 6 (1) (b) GDPR).  
Furthermore, the processing is carried out in the legitimate interest of Landesmesse Stuttgart and for the purposes of entrance control, monitoring compliance with booked time windows, event and logistics planning, as well as planning, execution, evaluation, and improvement of space and traffic planning and management (Legal basis: Art. 6 (1) (f) GDPR). 
Drivers are notified by SMS when the loading slot expires or contacted by phone to clarify disruptions in operations or emergencies. 
Additionally, traffic volumes are evaluated without personal reference.  
The payment processing of loading slot bookings is also done to fulfill the contract or in the legitimate interest of Messe Stuttgart, especially to assert or defend legal claims (Legal basis: Art. 6 (1) (f) GDPR). The responsibility for processing payment data lies with the respective payment service provider, who collects and processes payment data separately during the payment process. Messe Stuttgart ensures that appropriate measures are taken to ensure the security and confidentiality of payment data.

Operation, Functionality, and Security

In the legitimate interest of Messe Stuttgart, the accuracy of bookers' email addresses is verified to authenticate their identity. For this purpose, a confirmation link is sent via email, which must be activated before completing the registration (Legal basis: Art. 6 (1) (f) GDPR).

The processing of technical personal data is done in the legitimate interest of Landesmesse Stuttgart for the purpose of operating, ensuring the functionality and security of the booking portal, as well as system administration, user access management, and incident and problem management.

Use of Processors

In the context of loading slot booking and the operation of the booking portal, Messe Stuttgart employs external service providers (especially for portal operation, hosting, and IT support) who process personal data on behalf of Messe Stuttgart (so-called "processors").

Other Data Recipients

In the event that individuals subject to special personal protection by the Federal Criminal Police Office (BKA) or the State Criminal Police Office (LKA) participate in an event (such as constitutional organs of the federal government like the Federal President or the Federal Government or foreign guests), there may be a check of all event participants, including the set-up and tear-down phase, by the BKA or LKA. As part of such a check, the BKA or LKA may request data such as names, companies/organizations, and functions of organizers.

In case of incidents, disruptions, emergencies, and crises, Landesmesse Stuttgart may, if necessary, disclose the data of bookers and participants to the police, law enforcement authorities, fire brigade, emergency services, and other authorities (such as the health department).

Furthermore, data may be disclosed to third parties for the purpose of contract fulfillment. These partners include transport companies, courier services, post (for orders), email/telecommunications providers, banks, credit institutions, and payment service providers (for payments). These third parties are independently responsible under the General Data Protection Regulation (GDPR).

Data may be disclosed to authorities and public bodies if Landesmesse Stuttgart is legally obligated to do so, either due to laws and regulations (such as supervisory proceedings) or due to court orders, resolutions, judgments, or similar. To comply with tax and commercial laws and regulations, personal data is disclosed to tax and other competent authorities and public institutions. Recipients of personal data may also include courts and lawyers in the context of legal disputes, legal disputes, legal advice, and auditors.

 

4. Data Transfer to Third Countries
Some of the processors and third parties (see Sections 3.3 and 3.4 above) are located in countries outside the European Union (EU) that may not provide an equivalent level of data protection for personal data as the EU. This is particularly because these third countries may lack an appropriate legal framework, independent supervisory authorities, or data protection rights and remedies. The transfer of personal data to such third countries is only done if there is either a decision by the European Commission regarding the existence of an adequate level of protection for the respective third country or organization (Art. 45 (3) GDPR), or there are appropriate safeguards according to Article 46 GDPR, such as standard data protection clauses approved by the European Commission under Art. 46 (2) (c) GDPR, and additional measures if necessary. You can request a copy of these safeguards, for example, by email (contact details can be found in Section 1 above). 

 

5. Storage Duration
Bookers' master data is stored for the duration of the existence of their user account. Personal data that is stored will be deleted as soon as it is no longer necessary for the respective processing purpose. If processing is based on consent or the legitimate interest of Messe Stuttgart, the relevant data will no longer be used for the corresponding purpose and will be deleted, if applicable, upon withdrawal of consent or receipt of an objection, unless there are legal exceptions. Data subject to commercial or tax retention obligations is only deleted after the expiration of the statutory periods (usually 6 or 10 years). Evidence of granted consent is stored for a maximum of three years after the revocation or expiration of the consent. 
Personal data of drivers and vehicle license plates are automatically deleted thirty (30) days after the end of processing, in this case after the completion of the loading slot by checking out. 

 

6. Data Protection Rights

To exercise the following rights, data subjects can contact the controller at any time. The contact details can be found in Section 1 above. The rights of data subjects according to Art. 12-21 GDPR include

  • the right to information about personal data,  
  • the right to correction, deletion, and data portability 
  • the right to restriction of processing. 

 

7. Right to Object
If the processing of your personal data is based on the legal basis of legitimate interest (see Section 3 above), you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation. 
If you believe that the processing of your personal data violates data protection regulations, you have the right to lodge a complaint with a supervisory authority of your choice (Art. 77 GDPR in conjunction with § 19 Federal Data Protection Act).