Data Privacy Notice
The purpose of this data privacy policy is to inform users about how, when and in what form their personal data is stored, how and when it is processed and analysed and to what ends within the context of our in-person and online services, as well as which websites, functions and other content are implicated in data collection. This encompasses our official website and other online presence such as certain external websites and our social media accounts (designated hereafter as “online services”). Terms such as “data processing”, “data analyses”, “liable persons” and others are translations of the official German terminology from Article 4 of the German Data Protection Act (Datenschutzgrundverordnung, or DSGVO).
Liability
This website is administered by:
State Museum of Egyptian Art
Arcisstrasse 16
80333 Munich
GERMANY
Tel. +49 (0)89 289 27630
E-mail: info@smaek.de
Legal representative and liable for content:
Dr. Sylvia Schoske (Museum Director)
Designated data privacy manager:
Carsten Förster
Tel. +49 (0)89 238 05136
E-mail: Carsten.foerster@pinakothek.de
Types of Data Processed
- Personal data (such as names or addresses)
- Contact data (such as e-mails or telephone numbers)
- Content data (such as texts, photos or videos)
- Behavioural data (such as pages visited, interest in specific content, surf length)
- Meta-/communication data (such as types of device, IP-addresses)
Target Users
Visitors and users of our online presence (hereafter designated as “users”).
Data Use
- Making online content and their functions available
- Answering and processing questions when contacted; communication with users
- Security measures
- Reach analysis / marketing
Terms and Vocabulary
“Personal data” designates all information pertaining to an identified or identifiable natural entity (hereafter “party concerned”). A natural entity is considered identifiable if they can be traced directly or indirectly – particularly through an identifier such as a name, ID-number, location, online-ID (e.g. cookie or other tracker) or through one or more other characteristics expressing the natural person’s physical, physiological, genetic, psychological, economical, cultural or social identity.
“Profiling”: any kind of automated processing of personal data consisting of using the personal data in order to evaluate certain specific personal aspects of a natural entity, particularly in order to analyse or predict the workload, economic background, health, personal preferences, interests, reliability, behaviour, current location or change of location of the aforementioned natural entity.
“Processing” or “analysis” designates any process or series of processes aided or not by automated techniques that make use of personal data. This term is quite general and covers practically any use of data whatsoever.
“Pseudonymisation” designates the processing of personal data in a way that the personal data cannot be attributed to a specific party concerned without additional information, inasmuch as this additional information is stored elsewhere and technical and organisational measures are in place to ensure that the personal data cannot be assigned to an identified or identifiable natural entity.
“Liable party” designates a natural or legal entity, government office, bureau, administration or other which, alone or in combination with other legal entities, decides on the means of processing and uses for personal data.
“Third-party service providers” and “contract service providers” designate a natural or legal entity, government office, bureau, administration or other which processes personal data on behalf of the liable party.
Legal Basis
In accordance with Article 13 of the DSGVO, we herewith state the articles of law relevant to our data processing and analytical activities. For users within the legal jurisdiction of the German Data Protection Act (DSGVO) – to wit, the EU and the EEA – inasmuch as no other articles of law are explicitly referred to in the text of this data privacy statement, the following apply:
- The articles relevant to obtaining consent are Article 6, Paragraph 1 Section a and Article 7 of the DSGVO;
- The article relevant to data processing necessary for the fulfilment of our functions and services and the implementation of contractual obligations as well as the answering of inquiries is Article 6 Paragraph 1 Section b of the DSGVO;
- The article relevant to the processing necessary for the fulfilment of our legal obligations is Article 6 Paragraph 1 Section c of the DSGVO;
- In the event that the vital interests of the persons concerned or of another natural entity necessitate the processing or analysis of personal data, Article 6 Paragraph 1 Section d of the DSGVO comes into force.
- The article relevant to the processing or analysis of data necessary for us to fulfil a task or role considered to be in the public interest or in our role as a figure of public authority is Article 6 Paragraph 1 Section e of the DSGVO.
- The article relevant to the processing or analysis of data to ensure the safeguarding of our legitimate interests is Article 6 Paragraph 1 Section f of the DSGVO.
- The processing of data for uses other than the ones they were collected for follows the guidelines of Article 6 Paragraph 4 of the DSGVO.
- The processing and analysis of select categories of data (corresponding to Article 9 Paragraph 1 of the DSGVO) takes place according to the stipulations of Article 9 Paragraph 2 of the DSGVO.
Security Measures
We take appropriate technical and organisational measures to ensure a level of security proportionate to the risks, in accordance with all legal specifications and taking into account the evolving state of technology, the cost of implementation and the type, scope of, factors influencing and projected end use of the processed data as well as the relative probability and severity of the impact of the risks involved for the rights and freedoms of natural entities.
These measures most particularly concern securing the confidentiality, integrity and availability of the data by controlling physical access to the data, as well as by ensuring the separation of data and security of access, entry, transfer and saving procedures, and policing accessibility.
Furthermore, we have implemented procedures ensuring an awareness of the rights of concerned parties, regulations on deleting data and the appropriate measures to be taken when data is endangered. We further intend to take data protection measures into account during the choice or development of new hardware, software and workflows, in accordance with the principles in place for ensuring data privacy through technical design and for data privacy-friendly default settings.
Cooperation with Data Processing Services, Liability Partners and Third Parties
Inasmuch as we disclose, share or otherwise grant access to data with other parties (data processing services, liability partners or other third parties) during their processing, this takes place strictly within the scope of the articles of the law (for example when data is disclosed to a third-party payment service in order to fulfil a contractual obligation), if users have explicitly given their permission for us to do so, if we are required to do so by law or on the grounds of legitimate interests on our part (such as in the use of representatives, webhosting services etc.).
Inasmuch as we disclose or otherwise grant access to the data of other service providers to those of our service group, it is done especially for administrative purposes on the grounds of legitimate interests on our part and furthermore always remains within the scope of German law.
Data Sharing Outside of Germany
Inasmuch as we process or analyse data within a third-party country (defined as being outside the European Union (EU), European Economic Area (EEA) or the Swiss Confederation), or the processing takes place within the context of services provided by third-party providers, or data is disclosed or transferred to individual or corporate third parties, this is done exclusively for the purpose of fulfilling our contractual or pre-contractual obligations, with the user’s explicit permission, because of a legal obligation or on grounds of legitimate interests on our part.
Conditional to legal or contractual permission, we process data or have it processed in a third-party country only if the necessary legal conditions are met. This means that processing takes place only if certain criteria are met and guaranteed, such as an officially certified data privacy level equal or superior to EU guidelines (in the USA, this falls under the “Privacy Shield”) or under officially recognised, specific contractual obligations.
Your Rights
You have the right to demand confirmation of whether data pertaining to your person are being processed or analysed and what is being done with them as well as any further information concerning your data. You also have the right to receive a copy of your data within the confines of the law.
According to the articles of the law, you have the right to request that incomplete data pertaining to your person be completed or to request that erroneous data be corrected.
According to the articles of the law you have the right to request that any data pertaining to your person be immediately and completely deleted or, alternatively, to request a limitation in the processing of your data within the confines of the law.
You have the right to request that data pertaining to your person and that you have made available to us within the confines of the law be handed to you and passed on to other liable parties.
Furthermore, according to the articles of the law, you have the right to file a complaint with the appropriate oversight committee.
Revocation Rights
You have the right to revoke any permission to process your data previously given to the liable party in and for the future.
Right of Appeal
You have the right to refuse the processing of data pertaining to your person at any future point in time according to the confines of the law. The revocation rights also apply to processing for purposes of direct advertisement.
Cookies and Appeal Rights for Processing for Direct Advertising Purposes
“Cookies” designate small data packages saved on a user’s end devices. Various information can be stored within cookies. The purpose of cookies is mainly to store information about a user (or about the device on which the cookie is saved) for the duration of their visit of an online service and sometimes beyond. A temporary, “session” or “transient” cookie is one that is automatically deleted once a user leaves the online service and/or closes their browser. A session cookie can, for example, hold the contents of a shopping cart for an online shop, or the user’s login status. “Permanent” or “persistent” cookies are those that remain saved on the end device once the browser is closed. This is how a user can remain logged into a website several days after the last visit. Persistent cookies can also save a user’s interests (sites visited) for reach analyses or marketing purposes. “Third-party” cookies are those saved onto a device by a party other than the party liable for the online service the user is visiting (whose cookies are called “First-Party Cookies”).
We use both temporary and permanent cookies and herewith inform you of their use and scope within this data privacy statement.
Any user who does not want cookies to be stored on their device should activate the option to disallow cookies in their browser’s settings. Stored cookies can also be regularly purged through the browser’s system settings. Please note that disallowing cookies can lead to reduced function of our online services.
A general appeal against the use of cookies for online marketing purposes (particularly in the case of tracking) can be done through the US-website http://www.aboutads.info/choices/ or the EU-site http://www.youronlinechoices.com/ . Users can also prevent the storing of cookies through their browser’s settings. Please note that disallowing cookies can lead to reduced function of our online services.
Deleting Data
Any data we have collected are deleted or restricted in their processing according to the confines of the law. Insofar as not explicitly stated otherwise in this data privacy statement, any data we store will be deleted as soon as they are no longer required to fulfil the function for which they were collected and their deletion does not go against legal storage requirements.
Inasmuch as data is not deleted (being needed for other, legal reasons) their processing will be restricted, e.g. the data will be locked and not processed beyond those necessary functions. This applies, for example, to data that must be kept a certain time under trade or tax laws.
Changes and updates to the data privacy statement
You are responsible for staying informed about any changes to our data privacy statement. We update our data privacy statement as soon as changes to our data processing habits make it necessary.
We will inform you as soon as changes to active permissions on your part are necessary or an individual piece of information is required for reasons other than those for which permission was granted.
Downloading documents from our website
We offer documents for free download on our website. Every download file collects anonymised data about the number of times it is downloaded.
This data is collected purely for internal statistics. This data is not collated to create personal user profiles.
Contacting us
When contacting us (through our contact form, e-mail, telephone or social media), user data will be used to process the request according to Article 6 Paragraph 1 Section b (within the scope of contractual/pre-contractual relationships) and Article 6 Paragraph 1 Section f (other requests) of the DSGVO. The data may be saved in a Customer-Relationship-Management System (“CRM System”) or similar request management system.
We delete the data when they are no longer relevant. Relevance is examined every two years; legal archiving obligations apply.
Hosting and e-mail
We use hosting services for the following services: infrastructure and platform services, computing capacity, memory expansion services, databank services, e-mail, security services as well as technical maintenance services, which we use to power various aspects of our online services.
In these cases, we and/or our hosting providers process basic data, contact data, content data, contract data, user data, meta- and communication data from users, interested parties and visitors of our online services on the basis of our legal interest in providing an efficient and secure online service according to Article 6 Paragraph 1 Section f of the DSGVO together with Article 28 of the DSGVO (closing on an order management contract).
Newsletter data
If you wish to receive the newsletter we offer online, we will need your e-mail address as well as information that allows us to verify that you are the owner of that address and consent to receiving our newsletter. Other data are not collected or are optional. These data are used strictly to allow us to send you the requested service and are not passed on to a third party. Processing of the data entered into our newsletter registration form is strictly based on your consent (Article 6 Paragraph 1 Section a of the DSGVO).
The permission to store your data and e-mail address and for their use in sending you the newsletter can be revoked at any time by clicking on the link “austragen” in the newsletter itself. Any data processing actions taken prior to revocation of consent remain legal under German law. The data we receive for purposes of providing the newsletter are saved until consent of use is revoked and then erased. Revocation of consent for use in the newsletter process does not affect any data we may have received from you and saved in another context.
Use of third-party services and content
For purposes of justified interest (for example, in the interest of analysis, optimisation and economical use of our online services according to Article 6 Paragraph 1 Section f of the DSGVO), our online services make use of content or service products from third-party services, such as videos or fonts (hereafter designated as “content”). This automatically presumes that the third-party service providers will register users’ IP addresses as they cannot send content to their browsers without an IP-Address. The IP Address is therefore necessary for content to be viewed. We try to include content only from third-party service providers who use IP-addresses exclusively for providing content.
Third-party service providers may also use “pixel tags” (invisible graphics also called “web beacons”) for statistical or marketing purposes. “Pixel tags” allow the processing of information such as visitor traffic on the pages of the website. Pseudonymised information may also be saved on the user’s device in the form of cookies and, among other things, provide technical information on the user’s browser and operating system as well as referring websites, length of visit and other information on the use of our online services, as well as allowing this information to be linked with that received from other sources.
CleverReach
This website uses CleverReach to send out newsletters. The provider information is: CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany. CleverReach is a third-party service provider that organises and analyses newsletter dispatch. The data you enter to receive the newsletter (such as your e-mail address) are saved on the servers belonging to CleverReach in Germany and Ireland.
Newsletters sent by CleverReach allow us to analyse the behaviour of newsletter recipients. For example, we can analyse how many recipients actually view the newsletter, how often which links inside the newsletter are accessed, etc. With the help of conversion tracking, it is also possible to analyse whether clicking on a newsletter link is then followed by a previously defined activity on our website (for example, purchase of a product). Further information on data analysis through CleverReach can be viewed here: https://www.cleverreach.com/en/features/reporting-tracking/
Data analysis is subject to your consent (Article 6 Paragraph 1 Section a of the DSGVO). You can revoke consent at any time by unsubscribing from the newsletter.
Any data processing actions taken prior to revocation of consent remain legal under German law.
If you do not wish CleverReach to analyse your data, please unsubscribe from the newsletter. Every newsletter sent has an unsubscribe link (“austragen”) you can click to achieve this.
The data we receive for purposes of providing the newsletter are saved until permission is revoked and then erased both from our servers and from those belonging to CleverReach. Revocation of consent for use in the newsletter process does not affect any data we may have received from you and saved in another context.
For more information, please read CleverReach’s data privacy policy: https://www.cleverreach.com/en/privacy-policy/
We have signed a contract with CleverReach for management services and enforce the strict German Data Privacy laws in using CleverReach.
Google ReCaptcha
In order to recognise and identify bots – for example, when filling out an online form – we use “ReCaptcha” by third-party service provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Their data privacy policy: https://www.google.com/policies/privacy/ Opt-out: https://adssettings.google.com/authenticated
YouTube
For our online services we embed videos from the platform “YouTube”, by third-party service provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Their data privacy policy: https://www.google.com/policies/privacy/
Opt-out: https://adssettings.google.com/authenticated