GDPR
Our website rock-symphony.com is a safe and convenient way to buy electronic tickets for The ROCK SYMPHONY Orchestra concerts in various countries.
We are fully committed to protecting your privacy and respecting your choices. We make every effort to comply with our obligations under the General Data Protection Regulation (GDPR).
We prioritize the protection of individuals’ rights—including where processing is automated—and strive for maximum transparency in our relationship with customers. To this end, we have adopted this policy, which describes our processes, purposes, and the tools available to users to exercise their rights.
You can find additional information about personal data protection at: https://www.cnil.fr/
By continuing to browse this website, you unconditionally accept the terms of use below. The version published on the website is the only version in effect during your use of the resource and remains in force until it is replaced by an updated version.
Our company’s contact details (the Seller/Platform) are provided at the end of this document.
PRIVACY NOTICE & PERSONAL DATA PROCESSING UNDER THE GDPR
By visiting https://rock-symphony.com/, you agree that we collect, process, and use the personal data set out below. This Privacy Notice describes how we process personal data collected through https://rock-symphony.com/ and its content module (the “Widget”). Your access to the Website and our interactions with you are governed by this Notice. You may use the Website without disclosing personal data; however, for most of our services the provision of certain data is necessary. By providing us with personal data, you agree to its collection, use, disclosure, and storage under the terms of this Notice. This document applies to the processing of personal data that you provide to us or that may be collected when you visit the Website, use the Widget, and use our services.
Scope. This Notice applies to all users, customers, and visitors of the website.
Governing Law and Jurisdiction. These Terms and any disputes arising out of or in connection with them shall be governed and interpreted in accordance with the laws of the Republic of Estonia. Mandatory rules of European Union law apply as well, including consumer protection and personal data processing rules (e.g., GDPR). The courts of Estonia shall have exclusive jurisdiction over all disputes, unless mandatory consumer-protection law provides otherwise.
Personal Data We May Collect
• Identification data — first name, last name, date of birth, nationality.
• Contact data — email address, phone number, postal/billing address.
• Payment data — information needed to process payment (card data, IBAN, transaction references).
• Ticketing data — purchased tickets, attendance information, seat numbers.
• Technical data — IP address, browser type, operating system, device identifiers, access logs.
• Communications data — customer support correspondence, requests, complaints or feedback.
• Marketing data — newsletter subscriptions, marketing preferences, participation in promotions or surveys.
As a rule, we obtain personal data directly from you via the Website/Widget. In certain cases, we receive limited data from the payment provider (e.g., transaction token/identifier, anti‑fraud status, last 4 digits of a card) — to process payments and prevent fraud; and from event partners/venues (e.g., order number, seating/attendance status) — strictly to perform the contract and ensure access to the event.
We do not knowingly collect data from individuals under 16, except where explicitly permitted by law and with parental consent. For children below 16, we rely on parental consent (see Article 8 GDPR).
Purposes of Processing
• Contract performance — processing ticket purchases, order confirmation, issuing e‑tickets, and providing access to the event.
• Customer support — responding to requests, complaints, and support tickets.
• Legal obligations — complying with tax, accounting, and other statutory requirements (e.g., VAT reporting, anti‑fraud checks).
• Security — preventing fraud, securing transactions, and access control at the venue.
• Service information — sending messages related to the purchased event (e.g., date changes, cancellations).
• Marketing (with consent) — sending newsletters, offers, and personalized advertising only with explicit customer consent.
• Legitimate interests — improving our services, analyzing user behavior, maintaining the proper operation of the website and ticketing system.
Automated Decision-Making / Profiling. We use anti‑fraud scenarios for automatic transaction scoring (analysis of technical signals/payment patterns). This may result in temporary suspension or refusal to process an order pending additional checks.
For marketing (only with consent to cookies/ads), we apply simple segmentation based on purchase/interaction history and cookie identifiers. Such operations do not produce legal effects for you. You have the right to contest an automated decision, to obtain human intervention, and to express your point of view by contacting us via the details in the “Contacts” section.
Required Data. To conclude the contract and issue tickets, you must provide the following data: first name, last name, email (for ticket delivery/notifications), and payment data (processed by the payment provider). If mandatory data is missing, we will be unable to place the order, issue an e‑ticket, send notifications, and/or ensure access to the event.
We do not process personal data for purposes incompatible with those listed above.
Legal Bases for Processing (Article 6 GDPR)
• Performance of a contract (Art. 6(1)(b) GDPR) — processing necessary to fulfill the contract (e.g., ticket purchase, order confirmation, event access).
• Legal obligation (Art. 6(1)(c) GDPR) — processing necessary to meet requirements of EU and Estonian law (e.g., tax and accounting duties, retention periods).
• Legitimate interests (Art. 6(1)(f) GDPR) — processing necessary for our legitimate interests (e.g., website security, fraud prevention, service improvement), provided those interests do not override the data subject’s rights and freedoms.
• Consent (Art. 6(1)(a) GDPR) — processing based on explicit consent, e.g., for marketing communications or surveys. Consent may be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal.
Sharing Personal Data
We share personal data with third parties only where permitted and necessary by law:
• IT service providers (processors): hosting, technical support, email delivery — processing data on our instructions under a data processing agreement.
• Ticketing platforms and box‑office providers: for booking and issuing tickets (e.g., Fnac Spectacles, Fimalac Entertainment, Ticketmaster). Depending on their role, they may act as our processor or as an independent controller.
• Payment systems through which your payment is processed. We currently use Stripe to provide this service. More details: https://stripe.com/. Any personal data you provide to this payment service provider is processed by the provider (as a separate controller) in accordance with its own privacy notice.
• Mailing services — processing data on our behalf and per our instructions under Article 28 GDPR.
• Event partners — in certain cases, local organizers or venues, but only to the extent necessary to perform the contract (e.g., access control, seating).
• Public authorities and courts — where required by law (e.g., tax authorities, courts, or law enforcement). Tax authorities process such data as separate controllers in line with their own privacy notices.
• Professional advisers — auditors, accountants, lawyers bound by confidentiality.
In addition, we may disclose your personal data if required by law.
International Data Transfers (Chapter V GDPR)
We may transfer personal data to recipients outside the European Economic Area (EEA) when the relevant processor, joint controller, or other recipient is located in a third country. Such transfers are made strictly in accordance with Chapter V GDPR and only with appropriate safeguards, including:
• An adequacy decision of the European Commission (Art. 45 GDPR);
• Appropriate safeguards (Art. 46 GDPR), including Standard Contractual Clauses (SCC, 2021/914) and/or Binding Corporate Rules (BCR), alongside necessary technical and organizational measures (e.g., encryption, access limitations) and a transfer impact assessment (TIA);
• Derogations under Art. 49 GDPR (e.g., explicit consent, necessity for contract performance) — only to the extent strictly necessary for the transfer’s purpose.
For analytics and advertising we may use Google Analytics, Meta (Facebook) Pixel, and TikTok Pixel. Processing can occur in the EU and/or the USA. Transfers outside the EEA are covered by Standard Contractual Clauses (SCC) and supplementary measures (data minimization, pseudonymization, IP masking). Mailing/hosting providers process data in the EU/EEA or in other countries subject to SCC/BCR and equivalent safeguards.
We do not sell or rent personal data to third parties. Our processors act under data processing agreements (Art. 28 GDPR), follow our instructions, and do not use data for their own purposes; sub‑processors may be engaged only with our authorization and subject to equivalent safeguards. For joint controllers, an Article 26 GDPR arrangement allocates responsibilities; key provisions are available upon request. Upon a data subject’s request, we will provide summarized information on safeguards and/or access to relevant clauses (e.g., SCC excerpts).
Retention Periods
We store personal data only as long as necessary to achieve the purposes for which it was collected, or for the period required by law. Retention timelines:
• Ticketing and contractual data — for the duration of the contractual relationship and up to 3 years thereafter to defend against potential legal claims.
• Accounting and tax data — for 7 years, in line with Estonian accounting and tax legislation.
• Customer support correspondence — up to 2 years after the ticket is closed.
• Marketing data — until consent is withdrawn or for a maximum of 2 years after your last interaction with us.
After the retention period expires, personal data will be securely deleted or anonymized.
Your Rights (GDPR Articles 15–22)
• Right of access (Art. 15) — request confirmation of processing and obtain a copy of your personal data.
• Right to rectification (Art. 16) — have inaccurate or incomplete data corrected.
• Right to erasure (Art. 17) — have your personal data deleted, except where we are legally required to retain it.
• Right to restriction (Art. 18) — restrict processing in certain circumstances.
• Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine‑readable format and transmit it to another controller.
• Right to object (Art. 21) — object to processing, in particular for direct marketing.
• Right to withdraw consent (Art. 7) — when processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint (Art. 77) — file a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or another supervisory authority in your place of residence.
You can exercise your data subject rights (access, rectification, erasure, restriction, portability, objection, withdrawal of consent) by contacting us at: [email]. We respond within one (1) month of receiving your request; where necessary, this may be extended by a further two (2) months due to complexity and number of requests — in such cases we will notify you of the extension and reasons before the initial one‑month period expires.
For security, we may ask for minimal identity verification and may clarify certain details to process your request correctly. Responses are provided free of charge, except for manifestly unfounded or excessive requests, where a reasonable fee may be charged or the request refused with reasons provided.
You may lodge a complaint with the supervisory authority in your habitual residence, place of work, or the place of the alleged infringement. A list of EU authorities is available on the EDPB website.
Cookies
Our website uses cookies and similar technologies to ensure proper operation, enhance user experience, and for analytics and marketing.
Cookie categories:
• Strictly necessary — essential for the site to function (e.g., ticket booking, secure sign‑in). These do not require consent.
• Analytics — help us analyze traffic and improve the site. Used only with your consent.
• Functional — remember your settings (e.g., language/region). Used only with your consent.
• Advertising & tracking — used for marketing, personalized ads, and retargeting. Used only with your explicit consent.
On first visit, a banner offers “Accept all” / “Reject all” / “Settings”. We are the controller for processing on our site; Google/Meta/TikTok may act as separate controllers for their subsequent processing under their own policies.
Types of cookies used:
• Necessary cookies — essential for correct operation, such as ticket purchases, secure sign‑in, and session management. They cannot be disabled.
• Analytics cookies (Google Analytics) — to measure and analyze website usage and improve usability; set only with your consent.
• Marketing cookies (Facebook Pixel and similar tools) — for personalized advertising, campaign measurement, and retargeting; set only with your explicit consent.
You may withdraw your consent at any time by changing cookie settings in the Cookie Settings section of our website. Withdrawal does not affect processing performed before withdrawal.
You can manage, block, or delete cookies at any time through your browser settings. Disabling certain cookies may cause some site features (e.g., ticket purchase or secure sign‑in) to function improperly.