Data protection information according to Art. 12 ff. GDPR
SMAEK Gate wall

Data protection information according to Art. 12 ff. GDPR

Privacy Notice

A) Name and address of the controller

Your contact person as controller within the meaning of the European Data Protection Regulation (“GDPR”) and other national data protection laws of the member states as well as other data protection regulations is:

Staatliches Museum Ägyptischer Kunst
Arcisstraße 16
80333 München
Tel: 089 28927630
E-Mail: info@smaek.de
(hereinafter referred to as “we”, “us” or “our”)

B) Name and address of the data protection officer

You can reach our data protection officer at the following contact details:

Carsten Förster
Bayerische Staatsgemäldesammlungen –
Zentrale Dienste der Staatl. Museen und Sammlungen
Landshuter Allee 8
80637 München
Tel: +49 (0)89 23805 136
E-Mail: zd.datenschutz@pinakothek.de

C) Data processing within the scope of our Internet presence

I) Website functionality

1) Provision of the website and creation of log files

(a) Legal basis

The legal basis for the processing of your personal data in the context of the provision of the website and the creation of log files is our public duty (Art. 4 para. 1 Bavarian Data Protection Act – BayDSG in conjunction with. Art. 6 para. 1 lit. e in conjunction with. Art. 6 para. 3 p. 1 General Data Protection Regulation (GDPR)).

(b) Purpose

The temporary storage of your personal data by us is a prerequisite for us to be able to display our website on your computer. For this reason, we store your personal data until the end of the respective session.

The further storage of your personal data in so-called log files by us takes place in order to technically ensure the correct functioning of our Internet presence. Furthermore, the log files are used to check and maintain the proper functioning of the security of our information technology systems.

Your data collected for this purpose will not be processed other than for the aforementioned purposes.

(c) Duration of Storage

We delete your personal data as soon as we no longer need them for the processing purposes we have stated. In the case of processing in the context of providing our website, this is given as soon as you have left our website.

If we store your personal data in our log files, we delete them after 7 days at the latest. If we want or need to store your data beyond this, your data will only be stored or processed anonymously. The anonymization has the consequence that we can no longer assign your data to you.

(d) Possibility of objection and removal

Since the processing of your personal data for the provision of the website and the further storage of your personal data in so-called log files is indispensable for the operation of the website, you do not have the option to object.

2) Technically necessary cookies

(a) Legal basis

The legal basis for the processing of your personal data in the context of the use of technically necessary cookies is our public performance of duties (Art. 4 para. 1 Bavarian Data Protection Act – BayDSG in conjunction with. Art. 6 para. 1 lit. e in conjunction with. Art. 6 para. 3 p. 1 Data Protection Regulation (GDPR)).

(b) Purpose

The use of technically necessary cookies is a prerequisite for us to make the website use easier and more accessible for you. Some of the functionalities would not be possible without the use of these cookies. These functionalities require that you are recognized by our website even after you have switched to another page in the meantime. Your personal data will not be used in any other way in this context.

(c) Duration of Storage

We delete your personal data as soon as the actual purpose of the processing has been achieved and its processing is therefore no longer necessary. For many functionalities, this is already the case when you leave the website.

(d) Possibility of objection and removal

We provide an overview of all technically necessary cookies used on our website at the end of this privacy notice.

If we use cookies, they will be stored locally on your computer in case of permission. Since information is transmitted from the cookies to our website, they retain full control over the use of cookies.

Your browser also allows you to restrict or completely disable the transmission of cookies in the settings. You can also delete cookies that have already been stored in the past – also automatically – at any time. However, if you deactivate cookies with regard to our website, we cannot guarantee that all functions of our website can be used by you.

If you are still using the Adobe Flash Player, we would like to point out that so-called Flash cookies cannot be prevented or deleted via your browser settings. Rather, a setting in the Adobe Flash Player is required.

II) eCommerce

1) Webshop

(a) Legal basis

The legal basis for the processing of your personal data in the context of the webshop is Art. 6 para. 1 lit. b GDPR.

(b) Purpose

We process your personal data in connection with our webshop for the fulfillment of a contract which has been concluded between you and us.

(c) Duration of Storage

We delete your personal data as soon as they are no longer required to achieve the purpose of their processing. With regard to the processing of the aforementioned personal data, this is the case when the contract has been fulfilled on the one hand and on the other hand all contractual claims have become time-barred and/or there are no longer any legal storage and retention periods.

(d) Possibility of objection and removal

We can only process the contract concluded between you and us in connection with the webshop by means of your personal data. Since the processing is therefore mandatory, you do not have the option to object to the processing.

2) Customer account registration

(a) Legal basis

The legal basis for the processing of your personal data in the context of customer account registration is Art. 6 para. 1 lit. b GDPR.

(b) Purpose

When you register on our website, this not only enables us to maintain our customer relationship with you, but also serves to conclude contracts. The processing of your personal data in connection with the registration of your customer account is therefore necessary for the performance of a contract, the implementation of pre-contractual measures and the maintenance of our customer profiles and relationships.

(c) Duration of Storage

We delete your personal data as soon as they are no longer required to achieve the purpose of their processing. This is the case at the latest when you close your customer account with us.

(d) Possibility of objection and removal

If you no longer wish your data to be processed, you can cancel the registration of the customer account on our website at any time. In this case, we will delete your personal data, unless we are prevented from doing so by legal retention periods.

3) Contact form and e-mail contact

(a) Legal basis

The legal basis for the processing of your personal data, which is transmitted in the course of contacting us, is our public performance of duties (Art. 4 Para. 1 Bavarian Data Protection Act – BayDSG in conjunction with. Art. 6 para. 1 lit. e in conjunction with. Art. 6 para. 3 p. 1 of the General Data Protection Regulation (GDPR)). If, on the other hand, the purpose of your contacting us is to conclude a contract with us, Art. 6 (1) (b) GDPR is relevant as a further legal basis for the processing of your personal data.

(b) Purpose

We process your personal data in connection with your contact to process and respond to your request.

(c) Duration of Storage

We delete your personal data as soon as they are no longer required to achieve the purpose of their processing. Personal data transmitted to us in the context of contacting us will be deleted if your request has been processed by us and no legal retention periods oppose the deletion.

(d) Possibility of objection and removal

You can object to the processing of your personal data in connection with your contact at any time for the future. However, if you do so, we cannot and will not process your request any further. Provided that there are no legal retention periods to the contrary, all your personal data related to the contact will be deleted in this case.

III) Marketing

1) Newsletter

(a) Legal basis

The legal basis for the processing of your personal data within the scope of the newsletter dispatch is your declared consent according to Art. 6 para. 1 lit. a GDPR.

(b) Purpose

We process your personal data to deliver our newsletter to you. The purpose of our newsletter mailing is to inform you about the museum’s programme of events and new digital content such as newsletters and the like. The newsletter also serves to increase our sales through the sale of tickets, services and other goods.

(c) Duration of Storage

We delete your personal data as soon as they are no longer required to achieve the purpose of their processing. In connection with the sending of the newsletter, your personal data will be stored until you have unsubscribed from our newsletter.

(d) Possibility of objection and removal

The revocation of your consent is open to you at any time. To do so, you can either explicitly revoke your consent or select the unsubscribe link included in each of our newsletters to let us know that you no longer wish to receive the newsletter.

2) Raffles

(a) Legal basis

The legal basis for the processing of your personal data in the context of raffles is Art. 6 para. 1 lit. b GDPR for us.

(b) Purpose

We process your data in connection with your participation in the raffle in order to ensure the fulfillment of the raffle contract concluded between you and us.

(c) Duration of Storage

We delete your personal data when this data is no longer necessary to achieve the purpose. This is the case in connection with the raffle contract, in particular, when the raffle has been completed.

(d) Possibility of objection and removal

You have the option at any time to object to the processing of your personal data in relation to participation in the raffle for the future. In this case, however, you can unfortunately no longer be considered by us in the context of the raffle. In the event of an objection, we will delete all data stored in connection with your participation in the raffle.

IV) Data protection and legislation

1) Data subject submission according to Art. 12 et seq. GDPR

(a) Legal basis

If you request information about our processing of your personal data in the context of a so-called data subject submission, the legal basis for the processing of personal data based on the request is Art. 6 para. 1 lit. c in conjunction with Art. 12 et seq. GDPR. The legal basis of the documentation of your request to be carried out by us is Art. 6 para. 1 lit. f GDPR.

(b) Purpose

In this context, we process your personal data in order to be able to provide you with information about the data protection content requested in the context of your data subject submission. We must then document both your request and our legally compliant information and processing in order to meet our legal accountability obligation under Art. 5 para. 2 of the GDPR.

(c) Duration of Storage

We delete your personal data as soon as we no longer need it to respond to your data subject submission or to fulfill our legal accountability obligations.

(d) Possibility of objection and removal

If you do not want us to process your data in connection with your data subject submission, you can object at any time for the future. Please note that in this case it is not possible for us to answer your request and provide you with information.

However, you do not have the right to object to the documentation of your data subject submission and any objection to data processing in the context of the data subject submission, as this is a legal obligation for us.

2) Legal defense and enforcement

(a) Legal basis

If we need to process your personal data in the context of legal defense and enforcement, the legal basis is Art. 6 para. 1 lit. f GDPR.

(b) Purpose

If we need to process your data for the purpose of legal defense and enforcement, this is for the purpose of defending against unjustified claims and the legal enforcement and assertion of claims and rights to which we are entitled.

(c) Duration of Storage

We delete your personal data as soon as they are no longer required for legal defense and enforcement purposes.

(d) Possibility of objection and removal

If we have to process your personal data for these purposes, the processing is mandatory. For this reason, you also have no right or possibility to object to the processing.

D) Further data processing besides our website

I) Facebook Insights (Facebook-Fanpage)

1) Joint controllers

We operate our Facebook Fanpage https://www.facebook.com/AegyptischesMuseum jointly with Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (hereinafter Facebook) in accordance with the decision of the ECJ, as personal data are processed by Facebook and us in connection with our Fanpage or with its content and we contribute to the decision on the purposes and means of this processing.
For this reason, we have concluded a separate agreement with Facebook and divided which of us fulfills which obligations under the GDPR.
 
You can read the most important contents of this agreement under the following link: 
https://www.facebook.com/legal/terms/page_controller_addendum
 
If you would like to know how Facebook generally processes your personal data, you can find information on this at: 
https://www.facebook.com/legal/terms/information_about_page_insights_data

2) Legal basis

Our legal basis for the processing of your personal data in the context of the Facebook Fanpage is our public duty (Art. 4 para. 1 Bavarian Data Protection Act – BayDSG in conjunction with. Art. 6 para. 1 lit. e in conjunction with. Art. 6 para. 3 p. 1 General Data Protection Regulation (GDPR).

3) Purpose

In order to fill our Facebook fan page with content that is of interest to you, we depend on learning about your user behavior. This is supported by the processing of your personal data, which is collected during the use of our Facebook fan page and evaluated by Facebook. For this purpose, Facebook provides us with page statistics that give us information about visitors and their interactions with our page. Furthermore, our Facebook fan page allows you to communicate directly with us and to respond to our posts and content.

4) Origin of the data

The data collected from you during your use of our Facebook Fanpage will be evaluated by Facebook and made available to us afterwards.

5) Duration of Storage

Your personal data will be deleted by us as far as they are no longer necessary to achieve the purpose. The deletion of your personal data takes place, as far as we are able, at the latest with the discontinuation of our Facebook-Fanpage page.

6) Possibility of objection and removal

If you do not want Facebook to collect your data, you can object at any time for the future. If you object to the processing of your personal data by Facebook, we will forward this objection request to Facebook.

II) Instagram

1) Joint controllers

We operate our Instagram page https://www.instagram.com/aegyptisches_museum_muenchen/ jointly with Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (hereinafter Facebook) in accordance with the decision of the ECJ, as personal data are processed by Facebook and us in connection with our fan page or with its content and we contribute to the decision on the purposes and means of this processing.
For this reason, we have concluded a separate agreement with Facebook and divided which of us fulfills which obligations under the GDPR.
 
You can read the most important contents of this agreement under the following link: 
https://help.instagram.com/519522125107875
 
If you would like to know how Facebook generally processes your personal data, you can find information on this at: 
https://www.facebook.com/legal/terms/information_about_page_insights_data

2) Legal basis

Our legal basis for processing your personal data within the framework of our Instagram page is our public duty (Art. 4 para. 1 Bavarian Data Protection Act – BayDSG in conjunction with. Art. 6 para. 1 lit. e in conjunction with. Art. 6 para. 3 p. 1 General Data Protection Regulation (GDPR).

3) Purpose

Our Instagram page allows you to react to our posts, comment on them and send us private messages. The evaluation of this data is essential for us to improve the user experience for the future and to make the content more attractive. Furthermore, we receive anonymized or pseudonymized statistics from Facebook, which provide us with insights into the visitors to our Instagram page and their interactions with our Instagram page and its content.

4) Origin of the data

The data collected from you during your use of our Instagram page will be evaluated by Facebook and made available to us afterwards.

5) Duration of Storage

Your personal data will be deleted by us as far as they are no longer necessary to achieve the purpose. The deletion of your personal data takes place, as far as we are able, at the latest with the discontinuation of our Instagram page.

6) Possibility of objection and removal

If you do not want Facebook to collect your data, you can object at any time for the future. If you object to the processing of your personal data by Facebook, we will forward this objection request to Facebook.

III) YouTube channel

1) Extent of processing

In order to provide artistic impressions to as many people as possible, we operate our own YouTube channel https://www.youtube.com/@smaek_muc, which is operated by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (hereinafter “Google”). YouTube is a video platform where users can post videos and make them publicly available.
 
We expressly point out that YouTube stores the data of its users (e.g. personal information, IP address, etc.) in accordance with its data usage guidelines and uses it for business purposes. We have no influence on this data collection and the further use of the data by YouTube.
 
Information about which data is processed by the YouTube company and for which purposes can be found in the terms of use and privacy statements of YouTube and Google respectively.
 
https://www.youtube.com/static?gl=GB&template=terms as well as in general
 
https://support.google.com/youtube/topic/2803240?visit_id=637248885594456664-1434476429&hl=en&rd=1
 
Our use of YouTube does not imply an unqualified endorsement of that medium or the company or Google LLC’s privacy policy.

2) Legal basis

The legal basis for the processing of your personal data is our public duty (Art. 4 para. 1 Bavarian Data Protection Act – BayDSG in conjunction with. Art. 6 para. 1 lit. e in conjunction with. Art. 6 para. 3 p. 1 General Data Protection Regulation (GDPR).

3) Purpose

We process your personal data in order to best tailor our YouTube channel to the interests of our users. The processing of your data is therefore only carried out for this purpose. In particular, your data will not be combined and evaluated with other data sets for other purposes. In addition, we process your data if you contact us within the framework of our YouTube channel or comment on our videos.

4) Origin of the data

The personal data you provide when using our YouTube channel is not collected by us directly, but is rather provided to us by Google.

5) Duration of Storage

We delete your personal data as soon as they are no longer required for our previously named purposes. Your data will be deleted at the latest – insofar as we can influence this – when we discontinue our YouTube channel.

6) Possibility of objection and removal

If you do not want Google to collect your data, you can object at any time for the future. If you object to the processing of your personal data by Google, we will forward this objection request to Google.

E) Categories of recipients

Within our authority or the museum, your personal data will only be passed on to the units that need them to fulfill their tasks. For activities that we cannot perform within our company in terms of personnel or content, we use reliable and trustworthy service providers. A transfer of your personal data to these recipients is therefore also conceivable. The following categories of third-party service providers come into consideration in particular:

  • IT service providers
  • Lawyers and courts
  • Cooperation partners
  • Banks

F) Third country transfer

In principle, we process your data within the Federal Republic of Germany or the territory of the EU/EEA. In exceptional cases, however, we may also transfer your data to trusted service providers and entities in third countries. The GDPR defines third countries as all countries outside the European Union or the European Economic Area.

We ensure that the service providers in third countries can guarantee us that your personal data is processed at a level that at least meets the requirements of the GDPR.

Furthermore, a transfer to third countries will only take place if an adequacy decision has been issued by the European Commission for that third country (see the current list of adequacy decisions here) or, in the absence of such a decision, on the basis of standard contractual clauses and if we have provided appropriate safeguards, such as standard contractual clauses, and enforceable rights and effective remedies are available to you

Please note: If you use our social media channels on Facebook, Instagram or YouTube, personal data will be transmitted to Meta or Google in the USA. Access to your personal data by US authorities cannot be ruled out

G) Your rights

According to the GDPR, you are entitled to the following data subject rights:

I) Right of access

You can request access to your personal data processed by us in accordance with Art. 15 DS-GVO. In your request for access, you should specify your request in order to make it easier for us to compile the necessary data. Please note that your right to access information may be restricted under certain circumstances in accordance with the statutory provisions (in particular Section 34 BDSG and Art. 10 BayDSG).

If a right to access exists, we will inform you about:

  • the purposes of the processing
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed
  • the envisaged period for which the personal data will be stored
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing as well as the right to lodge a complaint with a supervisory authority
  • where the personal data are not collected from you, any available information as to their source
  • the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you

II) Right to rectification

If the information concerning you is not (or no longer) accurate, you may request a rectification in accordance with Art. 16 GDPR. If your data is incomplete, you can request that it be completed.

III) Right to restriction of processing

Within the framework of the specifications of Art. 18 GDPR, you have the right to demand a restriction of the processing of the data concerning you if one of the following conditions is met:

  • If you contest the accuracy of your data, for a period of time that allows us to verify the accuracy of the personal data
  • the processing of your personal data is unlawful
  • Our purpose has ceased to exist, but you need the data to assert, exercise or defend legal claims
  • You have objected to the processing pursuant to Art. 21 para 1 GDPR and we are reviewing it

IV) Right to erasure

You can request the erasure of your personal data under the conditions of Art. 17 GDPR. Your right to erasure depends, among other things, on whether the data concerning you is still needed by us to fulfill our legal duties.

Your claim exists in particular if

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
  • you have withdrawn your consent on which the processing was based and we lack any other legal basis for the processing
  • you have objected to the processing and there are no overriding legitimate grounds for the processing
  • the personal data have been unlawfully processed
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which we are a subject
  • the data was collected from you as a minor under the age of 16 for offers of information society services

V) Right to notice

If you have exercised one of the aforementioned rights, we will also inform other recipients of your personal data in this regard.

VI) Right to data portability

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transfer this data to another controller without hindrance from us, provided that the legal requirements of Art. 20 GDPR are met.

VII)  Right to object

According to Art. 21 GDPR, you have the right to object to the processing of data relating to you at any time for reasons arising from your particular situation. However, we are not always able to comply with this, e.g. if legal provisions oblige us to process data within the scope of our official task fulfillment.

If we process your personal data for the purpose of direct marketing, you have the right to object at any time.

VIII) Right to revocation

You have the right to revoke any consent given to us at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

IX) Right to complain to a supervisory authority

If you are of the opinion that we have not complied with data protection regulations when processing your data, you may, without prejudice to any other administrative or judicial remedy, lodge a complaint with the supervisory authority responsible for us.

The supervisory authority responsible for us is:
Bavarian State Commissioner for Data Protection
(Bayerischer Landesbeauftragter für den Datenschutz)
Wagmüllerstr. 18
80538 München
Tel.: 089/2126720
E-Mail: poststelle@datenschutz-bayern.de

H) Overview of the cookies used

Below we inform you about all cookies used on our website, their purpose as well as the respective storage period.

I) Technically necessary cookies

Eine Tabelle Oberste Zeile: Provider | Cookie name | Purpose/Description | Duration of storage Mittlere Zeile: WordPress | wordpress_test_cookie | Checks if cookies are enabled in the browser | End of session Untere Zeile: WordPress | wp_lang | Saves language settings | End of session