Data protection
Privacy statement under the GDPR
I. Name and address of controller
The controller as defined in the General Data Protection Regulation, the member states’ other national data protection laws and other data protection regulations is:
Kulturstiftung Sachsen-Anhalt
represented by its Director General
Leitzkau
Am Schloss 4
39279 Gommern
Germany
E-mail: leitzkau@kulturstiftung-st.de
Website: www.kulturstiftung-st.de
II. Name and address of data protection officer
The controller’s data protection officer is:
Kulturstiftung Sachsen-Anhalt
Datenschutzbeauftragter
Paracelsusstraße 23
06114 Halle (Saale)
Germany
E-mail: datenschutzbeauftragter@kulturstiftung-st.de
III. General information about data processing
1. Scope of processing of personal data
In principle, we only process our users’ personal data to the extent that this is necessary to provide a functioning website and our content and services. As a rule, our users’ personal data are only processed with the user’s prior consent. An exception applies to cases in which the circumstances make it impossible to gain their prior consent and the processing of the data is permitted by law.
2. Legal basis for the processing of personal data
Insofar as we obtain the data subject’s consent for the processing of personal data, Article 6 (1a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.
Article 6 (1b) of the GDPR serves as the legal basis for processing personal data for the performance of a contract to which the data subject is party. This includes processing which is required prior to entering into a contract.
If it is necessary to process personal data for compliance with a legal obligation to which this company is subject, Article 6 (1c) of the GDPR shall serve as the legal basis.
In cases where it is necessary to process personal data to protect the vital interests of the data subject or another natural person, Article 6 (1d) of the GDPR shall serve as the legal basis.
If processing is necessary for the purposes of a legitimate interest pursued by the controller or by a third party, Article 6 (1f) of the GDPR shall serve as the legal basis for processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
3. Deletion of data and storage period
The data subject’s personal data shall be deleted or blocked as soon as the purpose of their storage no longer applies. Data may also be stored if this is provided for by European or national legislators in EU regulations, laws or other regulations to which the controller is subject. The data shall also be deleted or blocked if a storage period prescribed by the above standards comes to an end, unless the continued storage of the data is necessary to enter into or fulfil a contract.
IV. Provision of the website and creation of log files
1. Description and scope of data processing
Every time our website is accessed, our system automatically collects data and information from the requesting computer system.
This involves the following data being collected:
(1) Information about the browser type and version used
(2) The user's operating system
(3) The user's Internet service provider
(4) The user’s IP address
(5) Date and time of access
(6) Website referring the user’s system to our website
(7) Websites accessed by the user's system from our website
The data are also stored in log files in our system. These data are not stored with other personal data relating to the user.
2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Article 6 (1f) of the GDPR.
3. Purpose of the data processing
The system needs to temporarily store the IP address to allow the website to be delivered to the user’s computer. To this end, the user's IP address must be stored for the duration of the session.
The data are stored in log files to ensure that the website functions. We also use the data to improve the website and to ensure that our information technology systems are secure. In this context, the data are not analysed for marketing purposes.
These purposes also form the basis of our legitimate interest in the processing of data under Article 6 (1f) of the GDPR.
4. Duration of storage
The data are deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. Data collected to provide the website are no longer necessary when the respective session comes to an end.
When the data are stored in log files, they are erased after seven days at the latest. It is possible for them to be stored for longer. In this case, the users’ IP addresses are deleted or altered so that they can no longer be linked to the accessing client.
5. Opportunity for objection and prevention
The collection of the data used to provide our website, and the storage of these data in log files, are essential in order to run the website. The user thus has no possibility to object.
V. Use of cookies
1. Description and scope of data processing
Some of our website pages use cookies. Cookies are text files that are stored in the user's Internet browser, or stored on the user's computer system by the Internet browser. When a user visits a website, a cookie may thus be stored on the user's operating system. This cookie contains a characteristic string that allows the browser to be identified unambiguously when the website is re-accessed.
2. Legal basis of data processing
The legal basis for the data processing is Article 6 (1f) of the GDPR.
3. Purpose of the data processing
Cookies help us to carry out research and diagnoses, in order to improve our content, products and services. Our legitimate interest lies in optimising our online content and our website design.
4. Duration of storage
As cookies are created and stored in the user’s Internet browser, or on the user's computer system by the Internet browser, we have no influence on the length of time of their storage.
Using the settings of their Internet browser, users themselves can prevent cookies from being accepted, set a time limit on their storage or delete cookies. Most Internet browsers have a “help” function explaining the steps which need to be taken.
5. Opportunity for objection and prevention
As the installation and use of cookies are determined by the settings of the user's Internet browser, it is not possible to object to these actions. We also have no means of deleting cookies in the user’s Internet browser.
VI. Newsletter
1. Description and scope of data processing
On our museum subpages, you can subscribe to a free newsletter from the museum in question. By subscribing to the newsletter, the user agrees that the e-mail address provided can be saved and processed, along with any address data provided for postal delivery.
During the registration process, your consent is obtained for the processing of the data, and you are referred to this privacy statement.
No data is transferred to third parties in connection with the processing of data for the purpose of sending newsletters. The data are used exclusively for sending the newsletter.
2. Legal basis for data processing
The legal basis for processing the data after the user registers for the newsletter is, if the user provides his or her consent, Article 6 (1a) of the GDPR.
3. Purpose of the data processing
The user’s e-mail address is collected in order to deliver the newsletter.
4. Duration of storage
The data are deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. The user’s e-mail address is thus stored as long as the subscription to the newsletter is active.
5. Opportunity for objection and prevention
The user in question may cancel the subscription to the newsletter at any time. Every newsletter contains a link for this purpose.
VII. Registration
1. Description and scope of data processing
On our website, we offer users the chance to reserve places on and register for certain events (e.g. tours) by providing personal data. This involves the data being entered in an online form, sent to us and saved. The data are not disclosed to third parties. The following data are collected during the registration process:
(1) Name, company (if applicable)
(2) Postal address
(3) Telephone number, fax number if available
(4) E-mail address
Users are referred to this privacy statement during the registration process.
2. Legal basis for data processing
The legal basis for processing the data is Article 6 (1b) of the GDPR.
3. Purpose of the data processing
The user’s registration is necessary for the performance of a contract with the user or prior to entering into a contract.
4. Duration of storage
The data are deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.
For data collected during the registration process for the performance of a contract or prior to entering into a contract, this is the case when the data are no longer required for the performance of the contract. Even after the conclusion of the contract, it may be necessary to store the contracting party’s personal data in order to carry out contractual or legal obligations.
5. Opportunity for objection and prevention
As a user, you are able to cancel your registration at any time. Stored data about you can be changed at any time.
The objection can be made both by post and by e-mail. The contact details are listed under Point I. of this privacy statement.
If the data are required for the performance of a contract or prior to entering into a contract, the data may only be erased as long as no contractual or legal obligations preclude this.
VIII. Contact form and e-mail contact details
1. Description and scope of data processing
On our website, there is a contact form which can be used to get in touch by electronic means. If a user exercises this option, the data entered in the web form are transmitted to us and saved. These data are:
(1) Name, company (if applicable)
(2) Postal address
(3) Telephone number, fax number if available
(4) E-mail address
During the submission process, your consent is obtained for the processing of the data, and you are referred to this privacy statement.
Alternatively, users can get in touch via the e-mail address provided. In this case, the user's personal data transmitted in the e-mail is stored.
The data are not disclosed to third parties in this context. The data are used exclusively to process the correspondence.
2. Legal basis for data processing
The legal basis for processing the data is, if the user provides his or her consent, Article 6 (1a) of the GDPR. If the user contacts us with the intention of concluding a contract, then another legal basis for the processing is Article 6 (1b) of the GDPR.
3. Purpose of the data processing
We only process the personal data from the web form in order to process the correspondence. When a user contacts us by e-mail, this likewise constitutes the required legitimate interest in processing the data.
4. Duration of storage
The data are deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. For personal data from the web contact form and for those sent by e-mail, this is the case when the respective correspondence with you is terminated. The correspondence is terminated when it can be inferred from the circumstances that the relevant issue has been fully dealt with.
5. Opportunity for objection and prevention
Users are able to withdraw their consent to the personal data being processed at any time. If users get in touch with us by e-mail, they can object to their personal data being stored at any time. If this is the case, the correspondence cannot be continued.
The withdrawal and the objection can be made both by post and by e-mail. The contact details are listed under Point I. of this privacy statement.
In this case, all personal data stored in the course of the correspondence are erased.
IX. Rights of the data subject
If your personal data are processed, then you are a data subject within the meaning of the GDPR and have the following rights with respect to the controller.
1. Right of access
You may ask the controller to confirm whether personal data relating to you are being processed by us.
If such processing is taking place, you may demand access to the following information from the controller:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom the personal data concerning you have been or will be disclosed;
(4) the envisaged period for which the personal data concerning you will be stored, or, if it is not possible to provide specific information on this, the criteria used to determine that period;
(5) the existence of the right to request from the controller rectification or erasure of personal data concerning you or restriction of processing of personal data or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) where the personal data are not collected from the data subject, any available information as to their source;
(8) the existence of automated decision-making, including profiling, referred to in GDPR Articles 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information about whether the personal data concerning you are transferred to a third country or to an international organisation. In this connection, you shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of GDPR relating to the transfer.
2. Right to rectification
If the personal data processed concerning you are inaccurate or incomplete, you have the right to demand that the controller rectify and/or complete them. The controller shall carry out the rectification without undue delay.
3. Right to restriction of processing
Where one of the following applies, you shall have the right to demand that the controller restrict the processing of the personal data concerning you:
(1) if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, or
(4) if you have objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
Where processing of personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Where processing has been restricted under the above conditions, you shall be informed by the controller before the restriction of processing is lifted.
4. Right to erasure
a) Duty of erasure
You may obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase such data without undue delay where one of the following grounds applies:
(1) The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(2) You withdraw consent on which the processing is based according to Article 6(1a) of the GDPR, or Article 9(2a) of the GDPR, and there is no other legal ground for the processing.
(3) You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.
(4) The personal data concerning you have been unlawfully processed.
(5) The personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
(6) The personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
b) Information transferred to third parties
Where the controller has made the personal data concerning you public and is obliged pursuant to Article 17(1) of the GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
c) Exceptions
The right to erasure shall not apply to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Article 9(2h), Article 9(2i) and Article 9(3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in Section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.
5. Right to be informed
If you have exercised your right to rectification or erasure of personal data or restriction of processing with regard to the controller, the controller is obliged to communicate that rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right vis-à-vis the controller to be informed about these recipients.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(1) the processing is based on consent pursuant to Article 6(1a) or Article 9(2a) of GDPR or on a contract pursuant to Article 6(1b) of GDPR; and
(2) the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others.
The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1e) or Article 6(1f) of the GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to withdraw your declaration of consent regarding data protection rights
You have the right to withdraw your declaration of consent regarding data protection rights at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision
(1) is necessary for entering into, or performance of, a contract between you and the data controller;
(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
(3) is based on your explicit consent.
However, these decisions shall not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless Article 9(2a) or (2g) applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The responsible supervisory authority is:
Landesbeauftragter für Datenschutz und Informationsfreiheit Sachsen-Anhalt
Postal address:
Postfach 1947
39009 Magdeburg
Visitor address:
Otto-von-Guericke-Straße 34 a
39104 Magdeburg
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.
Use of Google Analytics
Kulturstiftung Sachsen-Anhalt uses Google Analytics to analyse website usage. The resulting data is used to optimise our website.
Google Analytics is a web analysis service operated and provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, United States). Google processes the website usage data on our behalf and is contractually committed to taking measures to ensure the confidentiality of the processed data.
During your visit to our website, the following data is collected, among other things: the pages accessed, the user’s behaviour on those pages (e.g. session duration, clicks), the user’s approximate location (country and city), IP address (truncated for the purpose of anonymisation), technical information such as the browser, Internet provider, device and screen resolution as well as the source page from where a user visited the Kulturstiftung Sachsen-Anhalt site.
These data are transmitted to a Google server in the USA. During this process, Google complies with the data protection provisions of the EU-US Privacy Shield Framework.
Google Analytics stores cookies in your web browser for a period of two years after the user's last visit. These cookies contain a randomly assigned user ID from which the user can be recognised during future website visits.
The recorded data are stored with the assigned user ID, which allows pseudonymous user profiles to be analysed. These user-related data are automatically deleted after 14 months. A summary of the remaining data is retained indefinitely.
If the user does not agree to the data being collected, their collection can be prevented by the one-off installation of an add-on via the Internet address tools.google.com/dlpage/gaoptout?hl=en-GB.
Use of Google Maps
This website uses the product Google Maps from Google Inc. By using this website, you are declaring your consent for automatically gathered data to be collected, processed and used by Google Inc., representatives thereof or third parties. The Google Maps terms of service can be found at www.google.com/intl/en_en/help/terms_maps.html.