
Privacy
1. Introduction
Data protection is a matter of trust and with this notice we would like to transparently present to you how we process personal data when you visit our website. We hereby also comply with our obligations under the General Data Protection Regulation (GDPR). If you have any queries, we would be pleased, if you contact us.
2. Controller
Controller in the sense of data protection law for the processing(s) and processes described in this notice is:
Museum für Kunst und Gewerbe Hamburg
Steintorplatz
20099 Hamburg
service@mkg-hamburg.de
You can reach our data protection officer at:
Data Protection Officer Museum für Kunst und Gewerbe Hamburg c/o Goalgetter GmbH
Willhoop 3
22453 Hamburg
Germany
datenschutz@mkg-hamburg.de
3. Your rights as a data subject
As a data subject you have, subject to possible legal restrictions, the following rights: The right of/to access, rectification, erasure, restriction of processing, data portability and objection.
At this point, we expressly point out that, as required by law, we reserve the right to make a corresponding identification and, if necessary, also take further measures to clearly verify the identity.
3.1 Right of information
If you wish to receive information about the personal data we process, please inform us in writing. For security reasons and due to regulations, it is possible that we pseudonymise certain data, such as credit card information.
3.2 Right to rectification
If you discover or believe that incorrect information has been processed from you, you can inform us of this in text form. We will check the facts and, if necessary, correct the data accordingly.
3.3 Right to erasure
If you wish your data to be deleted, please inform us respectively in text form. We will check your request in accordance with the legal requirements and delete it accordingly.
However, we would like to point out that we are obliged to store data for a longer period of time due to legal regulations, e.g. a retention period for accounting documents of currently 10 years (Abgabenordnung/Fiscal Code) or for warranty and limitation reasons of at least 3 years.
Furthermore, we would like to mention that although we block your data immediately, it may take a few days until we have finally deleted the data due to technical restrictions.
Furthermore, please note that once the deletion request has been confirmed, there is no longer any possibility of restoring your data.
3.4 Right to restriction of processing
You have the right to restrict the processing of your data. To do so, please inform us in text form of the categories of data you consider to be affected and the reasons for your request. We will examine the matter immediately and inform you of the result.
3.5 Right to data portability
Please tell us in text form which data you would like to transfer and to whom. We will check your request immediately and inform you about the result.
3.6 Right of objection and revocation
If you have given us your consent to certain data processing, e.g. the reception of a newsletter, you have the right to withdraw this consent - also in part - at any time. Please inform us of this withdrawal in text form.
Should the processing of data be based on necessity for the purposes of the legitimate interests pursuant to Art. 6 (1) lit. f DSGVO, you also have the right to object to the processing, as far as there are reasons that arise from your specific situation for doing so or it is a matter of direct marketing.
In the matter of direct marketing, you have a general right of objection without the need to provide information on the specific situation. Please inform us of your objection in text form.
3.7 Right of appeal
If you are dissatisfied with our work in connection with data protection, you have the right to complain to the data protection supervisory authority responsible for you in your federal state (Bundesland).
4. PROCESSING
We process various data when you visit our websites or use our offers and services. This data may be directly or indirectly - due to the influence by other data sources - personal.
We process data in the following cases, among others:
4.1 Visiting our websites
When you visit our websites, we store your IP address. In addition, further data (analysis data, log data, usage data) is transmitted by the browser and stored by our web server. This includes, among others, details of the end device, time of access, the origin of the request, browser and version, about the use of our site and, if applicable, whether you have already visited us.
Purpose: Technically error-free presentation and optimisation of the website / Information security / Evaluations
Legal basis:Art. 6 para. 1 lit. f GDPR (legitimate interest in our internet presence and IT security)
Storage period:According to the legal requirements
Third country transfer: None
DATA NOT DIRECTLY COLLECTED:
Categories of personal data:IP address
Source: Network provider
4.2 Contact and correspondence
On our website, we provide you with the e-mail addresses and telephone numbers of the direct contact persons of various departments for direct contact. Alternatively, you can also contact us by post. If you contact us, the personal data you provide will be stored and used for further correspondence.
Purpose: Communication / Public Relation / Turnover generation / Documentation / Evaluations
Legal basis: Art. 6 para. 1 lit. b DSGVO (contract initiation/fulfilment) / Art. 6 para. 1 lit. f DSGVO (legitimate interest in communication)
Storage period: According to the legal requirements
Third country transfer: None
4.3 "My Collection" at MKG Collection Online
When you create an account on our website MK&G Collection Online under "My Collection", we store your username, e-mail address and information about the time of registration and the last access. Your e-mail address will only be used to generate an account and to contact you in case of support.
Purpose: Provision of information and services / Evaluations
Legal basis: Art. 6 para. 1 lit. b GDPR (contract initiation / fulfillment)
Storage period: According to the legal requirements
Third country transfer: None
4.4 Newsletter
We offer you the opportunity to register on our website to receive our newsletter and thus subscribe to our newsletter. In order to be able to receive our newsletter, we check whether you are actually the owner of the e-mail address provided or whether the owner has authorised the receipt of the newsletter. When you register for our newsletter, we will save your IP address and the date and time of your registration. You can withdraw your consent to receive the newsletter at any time (see No. 11). By doing so, we will immediately stop sending the newsletter to the specified e-mail address and thus the corresponding processing of your data.
Purpose: Communication / Public Relation / Turnover generation / Provision of information / Evaluations
Legal basis: Art. 6 para. 1 lit. a GDPR (consent)
Storage period: According to the legal requirements or until the revocation of consent
Third country transfer: None
4.5 Use of apps and digital offerings
When using our digital offers and services, in particular via apps for mobile devices, we collect data at various points, which may also contain a personal reference. The collection depends on the product used and the associated task, such as conveying information about an exhibit.
Purpose: Communication / Public Relation / Turnover generation / Provision of information / Evaluations
Legal basis: Art. 6 para. 1 lit. b GDPR (contract initiation / contract performance)
Storage period: According to the legal requirements
Third country transfer: None
4.6 Press area
We offer press representatives the opportunity to register for our press distribution list in order to be provided with relevant information.
Purpose: Marketing / Public Relation / Evaluations
Legal basis: Art. 6 para. 1 lit. b GDPR (contract initiation/contract performance)
Storage period: According to the legal requirements
Third country transfer: None
4.7 Ticket Management
You can book tickets for your next museum visit or other events through our website.
Purpose: Revenue generation / Marketing / Public Relation / Evaluations
Legal basis: Art. 6 para. 1 lit. b GDPR (contract initiation / fulfillment)
Storage period: According to the legal requirements
Third country transfer: None
5. Third party integration
If you or we use third-party services, personal data will be transmitted to them.
5.1 Cloudflare
Provider: Cloudflare GmbH, Rosental 7, 80331 Munich, Germany
Description: Conent Delivery Network and It Security Solutions Provider
Purpose: Provision of our web service / IT Security / Evaluations
Legal basis: Art. 28 GDPR (commissioned processing)
Storage period: According to the legal requirements
Third country transfer: Possible
5.2 Go-mus
Provider: Giant Monkey GmbH, Brunnenstr. 39, 10115 Berlin
Descrition: Software provider for ticketing and beater management
Purpose: Operation Ticketing, incl. Shop / Visitor management / Revenue generation / Evaluations
Legal basis: Art. 28 GDPR (commissioned processing)
Storage period: Until the revocation of consent
Third country transfer: None
5.3 Hotjar
Provider: Hotjar Ltd, Dragonara Business Centre 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta
Descrition: Hotjar is an analytics tool that allows us to measure website usage (e.g. so-called heatmaps) and customize our pages to your needs
Purpose: Marketing / Operational procedure / Evaluations
Legal basis: Art. 28 GDPR (commissioned processing)
Receiver (Cat.): Group employees / SaaS provider / Advertising network
Storage period: Until the revocation of consent
Third country transfer: None
5.4 MyFOnts
Provider: Monotype Imaging Holdings Inc, 600 Unicorn Park Drive, Woburn, Massachusetts 01801, USA
Descrition: Provision of fonts
Purpose: Operational procedure
Legal basis: Art. 6 para. 1 lit. f GDPR (provision of a functioning internet presence)
Storage period: According to the legal requirements
Third country transfer: USA
Guarantees: Standard Contractual Clauses of the European Commission
5.5 Outermedia
Provider: Outermedia GmbH, Ostseestr. 107, 10409 Berlin
Descrition: Website anlaysis
Purpose: Website analysis / Marketing
Legal basis: Art. 28 GDPR (commissioned processing)
Storage period: According to the legal requirements
Third country transfer: None
5.6 Vimeo
Provider: Vimeo, Inc. 555 West 18th Street, New York, New York 10011, USA
Description: Video platform
Purpose: Operational procedure / Public Relation / Customer service / Evaluations
Legal basis: Art. 6 para. 1 lit. a GDPR (consent)
Storage period: According to the legal requirements
Third country transfer: USA
Guarantees: Standard contract clauses
5.7 Hamburgkultur.de
Provider: Wilken, Hörvelsinger Weg 29-31, 89081 Ulm, Germany
Description: Customer management and newsletter system
Purpose: Provision of the service / Customer loyalty / Marketing / Evaluation
Legal basis: Art. 28 GDPR (commissioned processing)
Storage period: According to the legal requirements
Third country transfer: None
5.8 Wordpress
Provider: Automattic Inc, 60 29th Street # 343 San Francisco, CA 94110, USA
Description: Content Management System
Purpose: Provision of the desired website / IT security / Evaluations
Legal basis: Art. 28 GDPR (commissioned processing)
Storage period: According to the legal requirements
Third country transfer: USA
Guarantees: European Union Standard Contractual Clauses
5.9 YouTube
Provider: Google Ireland Ltd., Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Irland
Description: Video platform
Purpose: Operational procedure / Marketing / Public Relation / Customer service / Evaluations
Legal basis: Art. 28 GDPR (commissioned processing)
Storage period: According to the legal requirements
Third country transfer: USA, possibly by Google
Privacy notice: https://policies.google.com/?hl=de&gl=de
5.10 Zoom
Provider: Zoom Video Communications, Inc. , 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA
Description: Video chat and communication platform
Purpose: Operational procedure / Marketing / Public Relation / Customer service / Evaluations
Legal basis: TKG or TTDSG
Storage period: According to the legal requirements
Third country transfer: USA, possibly by Zoom
Privacy notice: https://explore.zoom.us/de/privacy/
6. Social media Platforms
We offer you a direct link to our appearances at the providers listed below. The plug-ins are marked with the logos of the corresponding provider. If you use one of the plug-ins, personal data (at least the IP address) will be transmitted to and possibly used by the corresponding services. There is also the possibility that the providers may try to save cookies on your computer. If you are logged in to the network, there is the possibility of further data being collected and possibly linked to your profile. We are not the Controller for this processing and cannot influence them. If you have any questions about this processing, please contact the providers of the relevant network directly.
6.1 Facebook and Instagram
Provider: Meta Platforms Ltd., 4 Grand Canal Square, Grand Canal Habour, Dublin 2, Irland
Purpose: Marketing / Public Relation / Evaluations
Storage period: According to the legal requirements
Third country transfer: USA, possibly by Facebook
Privacy notice: https://de-de.facebook.com/policy.php
6.2 Linktree
Provider: Linktree Pty Ltd., Collingwood, Australia
Purpose: Marketing / Public Relation / Customer service / Evaluations
Storage period: According to the legal requirements
Third country transfer: Australia
Privacy notice: https://linktr.ee/s/trust-centre
6.3 Twitter
Provider: Twitter Inc., 1355 Market Street, Suite 900 San Francisco, CA 94103, USA
Purpose: Marketing / Public Relation / Customer service / Evaluations
Storage period: According to the legal requirements
Third country transfer: USA
Privacy notice: https://twitter.com/de/privacy
6.4 YouTube
Tool: YouTube
Provider: Google Ireland Ltd., Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Irland
Purpose: Marketing / Public Relation / Customer service / Evaluations
Storage period: According to the legal requirements
Third country transfer: USA, possibly by Google
Privacy notice: https://policies.google.com/?hl=de&gl=de
7. The use of tracking tools
In order to make our website available to you in the best possible way, we also use cookies, among other things. Cookies can perform various tasks, including adapting the website to your screen, browser and language settings.
In addition, the term "cookie" is used as a synonym for tracking tools. Tracking tools help us to adapt our website even better to your needs.
7.1 Purpose and legal basis of the processing
In order to be able to use cookies, third-party providers and content in a data protection compliant manner, we use a so-called cookie tool to query your preferences.
This tool divides the providers used into three categories (Necessary, Statistics and Third Party Providers / Content). This classification is also the basis for the purposes and legal bases.
7.2 Definition of the categories
Necessary: Necessary cookies help to make a website usable by enabling basic functions such as page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
Statistics: These cookies help website owners understand how visitors interact with the website by collecting and reporting information anonymously.
Third-party providers and content: These cookies are required by providers of third-party content, such as video portals, podcast or social media platforms, for the playout of your services on the one hand, and by third-party providers for the provision of services, e.g. Google Maps, on the other.
7.3 Purpose
We use cookies for the following purposes:
Necessary
- Control of the cookie settings
Statistics
- Improving user-friendliness
- Analysis of the usage behaviour
- Analysis of the technical parameters
- Adaptation of the offer to the usage behaviour of the user
Third-party providers and content
- Optimisation of processes
- Personalisation
- Connection to selected social media channels
7.4 Legal basis
Necessary
We process the data on the basis of Art. 6 para. 1 lit. f GDPR, the legitimate interest. Our interest is to provide you with a technically functioning website that is adapted to your terminal device and written in an understandable language.
You have the right to object to this processing at any time on reasons relating to your specific situation. For more information, please see Data subject's rights.
Statistics, third-party providers and content
We process this data on the basis of your consent pursuant to Art. 6 (1) lit. a DSGVO, which you can give us via our cookie tool.
This consent is voluntary and can be withdrawn by you at any time with effect for the future. You declare the withdrawal of your consent by calling up the cookie tool again (see below) and changing the settings according to your wishes.
For more information on your right of withdrawal, see Data subject's rights.
8. Data sharing
Personal data will not be transferred to third parties for reasons other than those listed below.
The transfer only takes place if:
- you have expressly given us your consent for the underlying processing,
- this is legally permissible and necessary for the performance of our contractual relationships with you,
- the disclosure of the data is based on a legal obligation, or if
- the disclosure of the data is based on a legitimate interest and there is no reason to assume that you have a predominant interest worthy of protection in the non-disclosure of your data.
8.1 Shared responsibility
As part of our service, we cooperate with partners in selected areas in the form of shared responsibility (Art. 26 GDPR) in accordance with the GDPR. These companies take over part of the processing and receive the required data from us in return. This may also involve personal data. In terms of the GDPR, both companies are then Controller for this processing or the legally flawless handling of your data.
This applies for the following partners:
- Facebook
- Instagram
8.2 Possible recipients
We pass on data to the following recipients or categories of recipients to the extent permitted by law:
- Employees (internal and external)
- Analysis tool provider
- IT infrastructure service provider
- Software service provider
- Other service providers
- Social media provider
- Cooperation partner
- Museums
- Sponsoring societies
- Authorities
8.3 International data sharing
We strive to use only service providers that guarantee us the processing of personal data in the European Union. In individual cases, however, this is not possible.
These partners operate in different countries outside the European Union and the European Economic Area (EEA). In these countries, the same level of data protection is not always legally prescribed and established as in the European Union. From therefore, we have taken a number of measures in accordance with requirements of the GDPR to ensure the highest possible protection of your personal data.
These are:
- Cooperations with companies in a country recognised by an adequacy decision of the European Commission
- Cooperation with companies on the basis of the EU standard contractual clauses
- In addition, in special cases there is the possibility of passing on the data on the basis of your express consent.
We have our partners guarantee the implementation of the measures within the scope of the legal requirements.
9. The protection of your data
To protect your personal data, we have taken measures that comply with data protection law and the state of technology in our business. These are continuously reviewed and adapted, if necessary. The aim is to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties.
For the transmission of data between our websites and our backend systems, communication is encrypted according to the TLS (Transport Layer Security).
We protect systems and processing operations through a range of technical and organisational measures. These include data encryption, pseudo- and anonymisation, logical and physical access restriction and control, firewalls and recovery systems and integrity testing.
Our employees are regularly trained on the corresponding sensitive handling of personal data and are obliged to observe data confidentiality in accordance with the legal requirements.
10. Possible consequences of missing data
There is a possibility that we may collect data from you due to legal requirements or in order to fulfil a contract. If you do not provide us with this data to the appropriate extent, this may lead to us not being able to meet our obligations to the full extent.
11. Amendment of this privacy notice
This privacy notice is revised at irregular intervals in order to adapt it to current developments in the company, our products and services, legal requirements and social developments.
Version: 3.0
Status: 17.2.2023