Ein Handlauf in einem Treppenhaus.

Privacy

1. Introduction

Data protection is a matter of trust and with this notice we would like to transparently present to you how we process personal data when you visit our website. We hereby also comply with our obligations under the General Data Protection Regulation (GDPR). If you have any queries, we would be pleased, if you contact us.

2. Controller

Controller in the sense of data protection law for the processing(s) and processes described in this notice is:

Museum für Kunst und Gewerbe Hamburg
Steintorplatz
20099 Hamburg
service@mkg-hamburg.de

You can reach our data protection officer at:

Data Protection Officer Museum für Kunst und Gewerbe Hamburg c/o Goalgetter GmbH
Willhoop 3
22453 Hamburg
Germany
datenschutz@mkg-hamburg.de

3. Your rights as a data subject

As a data subject you have, subject to possible legal restrictions, the following rights: The right of/to access, rectification, erasure, restriction of processing, data portability and objection.

At this point, we expressly point out that, as required by law, we reserve the right to make a corresponding identification and, if necessary, also take further measures to clearly verify the identity.

3.1 Right of information

If you wish to receive information about the personal data we process, please inform us in writing. For security reasons and due to regulations, it is possible that we pseudonymise certain data, such as credit card information.

3.2 Right to rectification

If you discover or believe that incorrect information has been processed from you, you can inform us of this in text form. We will check the facts and, if necessary, correct the data accordingly.

3.3 Right to erasure

If you wish your data to be deleted, please inform us respectively in text form. We will check your request in accordance with the legal requirements and delete it accordingly.

However, we would like to point out that we are obliged to store data for a longer period of time due to legal regulations, e.g. a retention period for accounting documents of currently 10 years (Abgabenordnung/Fiscal Code) or for warranty and limitation reasons of at least 3 years.

Furthermore, we would like to mention that although we block your data immediately, it may take a few days until we have finally deleted the data due to technical restrictions.

Furthermore, please note that once the deletion request has been confirmed, there is no longer any possibility of restoring your data.

3.4 Right to restriction of processing

You have the right to restrict the processing of your data. To do so, please inform us in text form of the categories of data you consider to be affected and the reasons for your request. We will examine the matter immediately and inform you of the result.

3.5 Right to data portability

Please tell us in text form which data you would like to transfer and to whom. We will check your request immediately and inform you about the result.

3.6 Right of objection and revocation

If you have given us your consent to certain data processing, e.g. the reception of a newsletter, you have the right to withdraw this consent - also in part - at any time. Please inform us of this withdrawal in text form.

Should the processing of data be based on necessity for the purposes of the legitimate interests pursuant to Art. 6 (1) lit. f DSGVO, you also have the right to object to the processing, as far as there are reasons that arise from your specific situation for doing so or it is a matter of direct marketing.

In the matter of direct marketing, you have a general right of objection without the need to provide information on the specific situation. Please inform us of your objection in text form.

3.7 Right of appeal

If you are dissatisfied with our work in connection with data protection, you have the right to complain to the data protection supervisory authority responsible for you in your federal state (Bundesland).

4. PROCESSING

We process various data when you visit our websites or use our offers and services. This data may be directly or indirectly - due to the influence by other data sources - personal.

We process data in the following cases, among others:

4.1 Visiting our websites

When you visit our websites, we store your IP address. In addition, further data (analysis data, log data, usage data) is transmitted by the browser and stored by our web server. This includes, among others, details of the end device, time of access, the origin of the request, browser and version, about the use of our site and, if applicable, whether you have already visited us.

Purpose: Technically error-free presentation and optimisation of the website / Information security / Evaluations

Legal basis:Art. 6 para. 1 lit. f GDPR (legitimate interest in our internet presence and IT security)

Storage period:According to the legal requirements

Third country transfer: None

DATA NOT DIRECTLY COLLECTED:

Categories of personal data:IP address

Source: Network provider

4.2 Contact and correspondence

On our website, we provide you with the e-mail addresses and telephone numbers of the direct contact persons of various departments for direct contact. Alternatively, you can also contact us by post. If you contact us, the personal data you provide will be stored and used for further correspondence.

Purpose: Communication / Public Relation / Turnover generation / Documentation / Evaluations

Legal basis: Art. 6 para. 1 lit. b DSGVO (contract initiation/fulfilment) / Art. 6 para. 1 lit. f DSGVO (legitimate interest in communication)

Storage period: According to the legal requirements

Third country transfer: None

4.3 "My Collection" at MKG Collection Online

When you create an account on our website MK&G Collection Online under "My Collection", we store your username, e-mail address and information about the time of registration and the last access. Your e-mail address will only be used to generate an account and to contact you in case of support.

Purpose: Provision of information and services / Evaluations

Legal basis: Art. 6 para. 1 lit. b GDPR (contract initiation / fulfillment)

Storage period: According to the legal requirements

Third country transfer: None

4.4 Newsletter

We offer you the opportunity to register on our website to receive our newsletter and thus subscribe to our newsletter. In order to be able to receive our newsletter, we check whether you are actually the owner of the e-mail address provided or whether the owner has authorised the receipt of the newsletter. When you register for our newsletter, we will save your IP address and the date and time of your registration. You can withdraw your consent to receive the newsletter at any time (see No. 11). By doing so, we will immediately stop sending the newsletter to the specified e-mail address and thus the corresponding processing of your data.

Purpose: Communication / Public Relation / Turnover generation / Provision of information / Evaluations

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

Storage period: According to the legal requirements or until the revocation of consent

Third country transfer: None

4.5 Use of apps and digital offerings

When using our digital offers and services, in particular via apps for mobile devices, we collect data at various points, which may also contain a personal reference. The collection depends on the product used and the associated task, such as conveying information about an exhibit.

Purpose: Communication / Public Relation / Turnover generation / Provision of information / Evaluations

Legal basis: Art. 6 para. 1 lit. b GDPR (contract initiation / contract performance)

Storage period: According to the legal requirements

Third country transfer: None

4.6 Press area

We offer press representatives the opportunity to register for our press distribution list in order to be provided with relevant information.

Purpose: Marketing / Public Relation / Evaluations

Legal basis: Art. 6 para. 1 lit. b GDPR (contract initiation/contract performance)

Storage period: According to the legal requirements

Third country transfer: None

4.7 Ticket Management

You can book tickets for your next museum visit or other events through our website.

Purpose: Revenue generation / Marketing / Public Relation / Evaluations

Legal basis: Art. 6 para. 1 lit. b GDPR (contract initiation / fulfillment)

Storage period: According to the legal requirements

Third country transfer: None

5. Third party integration

If you or we use third-party services, personal data will be transmitted to them.

5.1 Cloudflare

Provider: Cloudflare GmbH, Rosental 7, 80331 Munich, Germany

Description: Conent Delivery Network and It Security Solutions Provider

Purpose: Provision of our web service / IT Security / Evaluations

Legal basis: Art. 28 GDPR (commissioned processing)

Storage period: According to the legal requirements

Third country transfer: Possible

5.2 Go-mus

Provider: Giant Monkey GmbH, Brunnenstr. 39, 10115 Berlin

Descrition: Software provider for ticketing and beater management

Purpose: Operation Ticketing, incl. Shop / Visitor management / Revenue generation / Evaluations

Legal basis: Art. 28 GDPR (commissioned processing)

Storage period: Until the revocation of consent

Third country transfer: None

5.3 Hotjar

Provider: Hotjar Ltd, Dragonara Business Centre 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta

Descrition: Hotjar is an analytics tool that allows us to measure website usage (e.g. so-called heatmaps) and customize our pages to your needs

Purpose: Marketing / Operational procedure / Evaluations

Legal basis: Art. 28 GDPR (commissioned processing)

Receiver (Cat.): Group employees / SaaS provider / Advertising network

Storage period: Until the revocation of consent

Third country transfer: None

5.4 MyFOnts

Provider: Monotype Imaging Holdings Inc, 600 Unicorn Park Drive, Woburn, Massachusetts 01801, USA

Descrition: Provision of fonts

Purpose: Operational procedure

Legal basis: Art. 6 para. 1 lit. f GDPR (provision of a functioning internet presence)

Storage period: According to the legal requirements

Third country transfer: USA

Guarantees: Standard Contractual Clauses of the European Commission

5.5 Outermedia

Provider: Outermedia GmbH, Ostseestr. 107, 10409 Berlin

Descrition: Website anlaysis

Purpose: Website analysis / Marketing

Legal basis: Art. 28 GDPR (commissioned processing)

Storage period: According to the legal requirements

Third country transfer: None

5.6 Vimeo

Provider: Vimeo, Inc. 555 West 18th Street, New York, New York 10011, USA

Description: Video platform

Purpose: Operational procedure / Public Relation / Customer service / Evaluations

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)

Storage period: According to the legal requirements

Third country transfer: USA

Guarantees: Standard contract clauses

5.7 Hamburgkultur.de

Provider: Wilken, Hörvelsinger Weg 29-31, 89081 Ulm, Germany

Description: Customer management and newsletter system

Purpose: Provision of the service / Customer loyalty / Marketing / Evaluation

Legal basis: Art. 28 GDPR (commissioned processing)

Storage period: According to the legal requirements

Third country transfer: None

5.8 Wordpress

Provider: Automattic Inc, 60 29th Street # 343 San Francisco, CA 94110, USA

Description: Content Management System

Purpose: Provision of the desired website / IT security / Evaluations

Legal basis: Art. 28 GDPR (commissioned processing)

Storage period: According to the legal requirements

Third country transfer: USA

Guarantees: European Union Standard Contractual Clauses

5.9 YouTube

Provider: Google Ireland Ltd., Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Irland

Description: Video platform

Purpose: Operational procedure / Marketing / Public Relation / Customer service / Evaluations

Legal basis: Art. 28 GDPR (commissioned processing)

Storage period: According to the legal requirements

Third country transfer: USA, possibly by Google

Privacy notice: https://policies.google.com/?hl=de&gl=de

5.10 Zoom

Provider: Zoom Video Communications, Inc. , 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA

Description: Video chat and communication platform

Purpose: Operational procedure / Marketing / Public Relation / Customer service / Evaluations

Legal basis: TKG or TTDSG

Storage period: According to the legal requirements

Third country transfer: USA, possibly by Zoom

Privacy notice: https://explore.zoom.us/de/privacy/

6. Social media Platforms

We offer you a direct link to our appearances at the providers listed below. The plug-ins are marked with the logos of the corresponding provider. If you use one of the plug-ins, personal data (at least the IP address) will be transmitted to and possibly used by the corresponding services. There is also the possibility that the providers may try to save cookies on your computer. If you are logged in to the network, there is the possibility of further data being collected and possibly linked to your profile. We are not the Controller for this processing and cannot influence them. If you have any questions about this processing, please contact the providers of the relevant network directly.

6.1 Facebook and Instagram

Provider: Meta Platforms Ltd., 4 Grand Canal Square, Grand Canal Habour, Dublin 2, Irland

Purpose: Marketing / Public Relation / Evaluations

Storage period: According to the legal requirements

Third country transfer: USA, possibly by Facebook

Privacy notice: https://de-de.facebook.com/policy.php

6.2 Linktree

Provider: Linktree Pty Ltd., Collingwood, Australia

Purpose: Marketing / Public Relation / Customer service / Evaluations

Storage period: According to the legal requirements

Third country transfer: Australia

Privacy notice: https://linktr.ee/s/trust-centre

6.3 Twitter

Provider: Twitter Inc., 1355 Market Street, Suite 900 San Francisco, CA 94103, USA

Purpose: Marketing / Public Relation / Customer service / Evaluations

Storage period: According to the legal requirements

Third country transfer: USA

Privacy notice: https://twitter.com/de/privacy

6.4 YouTube

Tool: YouTube

Provider: Google Ireland Ltd., Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Irland

Purpose: Marketing / Public Relation / Customer service / Evaluations

Storage period: According to the legal requirements

Third country transfer: USA, possibly by Google

Privacy notice: https://policies.google.com/?hl=de&gl=de

7. The use of tracking tools

In order to make our website available to you in the best possible way, we also use cookies, among other things. Cookies can perform various tasks, including adapting the website to your screen, browser and language settings.

In addition, the term "cookie" is used as a synonym for tracking tools. Tracking tools help us to adapt our website even better to your needs.

7.1 Purpose and legal basis of the processing

In order to be able to use cookies, third-party providers and content in a data protection compliant manner, we use a so-called cookie tool to query your preferences.

This tool divides the providers used into three categories (Necessary, Statistics and Third Party Providers / Content). This classification is also the basis for the purposes and legal bases.

7.2 Definition of the categories

Necessary: Necessary cookies help to make a website usable by enabling basic functions such as page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

Statistics: These cookies help website owners understand how visitors interact with the website by collecting and reporting information anonymously.

Third-party providers and content: These cookies are required by providers of third-party content, such as video portals, podcast or social media platforms, for the playout of your services on the one hand, and by third-party providers for the provision of services, e.g. Google Maps, on the other.

7.3 Purpose

We use cookies for the following purposes:

Necessary
- Control of the cookie settings

Statistics
- Improving user-friendliness
- Analysis of the usage behaviour
- Analysis of the technical parameters
- Adaptation of the offer to the usage behaviour of the user

Third-party providers and content
- Optimisation of processes
- Personalisation
- Connection to selected social media channels

7.4 Legal basis

Necessary
We process the data on the basis of Art. 6 para. 1 lit. f GDPR, the legitimate interest. Our interest is to provide you with a technically functioning website that is adapted to your terminal device and written in an understandable language.

You have the right to object to this processing at any time on reasons relating to your specific situation. For more information, please see Data subject's rights.

Statistics, third-party providers and content
We process this data on the basis of your consent pursuant to Art. 6 (1) lit. a DSGVO, which you can give us via our cookie tool.

This consent is voluntary and can be withdrawn by you at any time with effect for the future. You declare the withdrawal of your consent by calling up the cookie tool again (see below) and changing the settings according to your wishes.

For more information on your right of withdrawal, see Data subject's rights.

8. Data sharing

Personal data will not be transferred to third parties for reasons other than those listed below.

The transfer only takes place if:
- you have expressly given us your consent for the underlying processing,
- this is legally permissible and necessary for the performance of our contractual relationships with you,
- the disclosure of the data is based on a legal obligation, or if
- the disclosure of the data is based on a legitimate interest and there is no reason to assume that you have a predominant interest worthy of protection in the non-disclosure of your data.

8.1 Shared responsibility

As part of our service, we cooperate with partners in selected areas in the form of shared responsibility (Art. 26 GDPR) in accordance with the GDPR. These companies take over part of the processing and receive the required data from us in return. This may also involve personal data. In terms of the GDPR, both companies are then Controller for this processing or the legally flawless handling of your data.

This applies for the following partners:
- Facebook
- Instagram

8.2 Possible recipients

We pass on data to the following recipients or categories of recipients to the extent permitted by law:
- Employees (internal and external)
- Analysis tool provider
- IT infrastructure service provider
- Software service provider
- Other service providers
- Social media provider
- Cooperation partner
- Museums
- Sponsoring societies
- Authorities

8.3 International data sharing

We strive to use only service providers that guarantee us the processing of personal data in the European Union. In individual cases, however, this is not possible.

These partners operate in different countries outside the European Union and the European Economic Area (EEA). In these countries, the same level of data protection is not always legally prescribed and established as in the European Union. From therefore, we have taken a number of measures in accordance with requirements of the GDPR to ensure the highest possible protection of your personal data.

These are:
- Cooperations with companies in a country recognised by an adequacy decision of the European Commission
- Cooperation with companies on the basis of the EU standard contractual clauses
- In addition, in special cases there is the possibility of passing on the data on the basis of your express consent.

We have our partners guarantee the implementation of the measures within the scope of the legal requirements.

9. The protection of your data

To protect your personal data, we have taken measures that comply with data protection law and the state of technology in our business. These are continuously reviewed and adapted, if necessary. The aim is to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties.

For the transmission of data between our websites and our backend systems, communication is encrypted according to the TLS (Transport Layer Security).

We protect systems and processing operations through a range of technical and organisational measures. These include data encryption, pseudo- and anonymisation, logical and physical access restriction and control, firewalls and recovery systems and integrity testing.

Our employees are regularly trained on the corresponding sensitive handling of personal data and are obliged to observe data confidentiality in accordance with the legal requirements.

10. Possible consequences of missing data

There is a possibility that we may collect data from you due to legal requirements or in order to fulfil a contract. If you do not provide us with this data to the appropriate extent, this may lead to us not being able to meet our obligations to the full extent.

11. Amendment of this privacy notice

This privacy notice is revised at irregular intervals in order to adapt it to current developments in the company, our products and services, legal requirements and social developments.

Version: 3.0
Status: 17.2.2023