In the following, we wish to inform you about the processing of personal data when using our website https://fridericianum.org/. Personal data is all data that can be used to identify you personally, e.g. name, address, e-mail addresses, user behavior or IP address.
Controller according to Art. 4(7) of the EU General Data Protection Regulation (GDPR)
documenta und Museum Fridericianum gGmbH
Friedrichsplatz 18
T +49 561 70727-0
F +49 561 70727-39
See legal notice.
You can reach our official data protection officer using the following contact details:
Mr. Stephan Blazy or his deputy Mr. Kevin Marschall (GDPC GbR) by post at the above address with the additional detail – Data Protection Officer –, by e-mail at firstname.lastname@example.org and by phone: +49 561 83099165.
We are very pleased that you are visiting our website. You can always use our website without providing personal data. However, if a data subject wishes to use one of our company’s services via our website, it is likely that personal data will have to be processed. If it is necessary to process personal data and there is no legal basis for such processing, we shall obtain the consent of the data subject.
The processing of personal data, such as the name, IP address, address, e-mail address or phone number of a data subject, is always carried out in accordance with the General Data Protection Regulation and adhering to the country-specific data protection regulations applicable to us, in particular with respect to HDSIG (Hessisches Datenschutz- und Informationsfreiheitsgesetz, Hessian data protection and freedom of information act). There is always a risk of security vulnerabilities with any data sent over the Internet, meaning that absolute protection cannot be guaranteed. For this reason, every data subject is free to submit personal data to us by alternative means, for example by phone or by post.
1. Scope and purpose of the processing of personal data
1.1 Accessing and visiting the website
When this website is accessed, the browser used by the visitor automatically sends data to the server of this website; the data is then kept in a log file with our host and service provider for a limited period of time, and at most two weeks. We also use so-called Content Delivery Networks (CDN), which enable us to significantly reduce the load times of our website. Until automatic deletion, the following data is stored without further input by the visitor:
– IP address of the visitor’s device,
– Date and time of access by the visitor,
– Name and URL of the page accessed by the visitor,
– Website from which the visitor arrives at the website (so-called referrer URL),
– Browser and operating system of the visitor’s device and the name of the access provider used by the visitor.
This personal data is processed on the basis of our legitimate interests in accordance with Art. 6(1)(1)(f) of the GDPR. We have a legitimate interest in data processing in order to:
– quickly establish a connection to the website,
– make the website user-friendly,
– understand and ensure the safety and stability of the systems and
– facilitate and improve administration of the website.
The processing of data is expressly not for the purpose of gaining knowledge about the identity of the visitors to this website.
1.2 Contact via e-mail (e-mail client on your computer)
Visitors can contact us via email messages in particular, sharing any personal data voluntarily. In order to receive a reply, you must provide at least a valid e-mail address and your surname. Any other information is voluntary and the inquirer is not obliged to share it. By sending the e-mail, the visitor consents to the processing of the personal data sent. The data is processed exclusively for the purpose of handling and responding to inquiries. This is done on the basis of voluntary consent according to Art. 6(1)(1)(a) of the GDPR. The data received from you and processed by us through this means of communication will be automatically deleted as soon as the inquiry is dealt with and there are no reasons for continued storage (e.g. subsequent order, donor or similar).
Your email correspondence with us may also involve the transfer of your personal data to service providers outside the European Union (EU) and the European Economic Area (EEA) onto the territory of the USA because of our use of the Microsoft Office 365 email service. All such transfers will be made on the premise of valid certification according to the EU-US Privacy Shield as a suitable guarantee for the protection of your personal data in a non-secure third country. Companies/services with EU-US Privacy Shield certification guarantee an appropriate level of data protection as required by the EU GDPR. Information about the processing of your personal data by the data controller Microsoft Corporation is provided by Microsoft at the following link: https://privacy.microsoft.com/en-GB/privacystatement. Further details can be requested from the contact addresses given above, along with information about the level of data protection offered by our service providers in third countries.
If you want to subscribe to the newsletter available from our website, we will need a valid email address plus information that enables us to verify you as the owner of the specified email address and to confirm that you have agreed to subscribe to the newsletter (known as a ‘double opt-in’). Other data is not collected, or is collected only on a voluntary basis. The data we do collect is used solely to enable us to send you the information requested and for related purposes of analysis. The data that is entered using the newsletter subscription form is processed solely according to the consent that you have given (point (a) of art. 6(1) of the GDPR). We make every effort to ensure that your data is up to date. Accordingly, you can inform us at any time if your contact details have changed. To do so, you can use one of the contact addresses as given above. You can withdraw the consent you have given to store this data—i.e. the email address and its use to send you our newsletter—at any time. One way to do this is to use the ‘Unsubscribe’ link in a newsletter. This does not affect the lawfulness of data processing activities carried out before the withdrawal. Data stored by us for other purposes is also not affected and not erased.
Our newsletter service provider Sendinblue utilises web beacons, which are also known as ‘tracking pixels’. These web beacons are tiny image files (often just 1×1 pixels in size) that are embedded in the newsletter email and which permit log file record-keeping and analysis of these log files.
When a user opens the email in their email client, the web beacon is loaded from the Sendinblue server and some data about the email recipient is also transferred to the server at the same time, e.g.:
– Whether the email has been opened
– The mail client used to open the email
– The links in the email that have been clicked (click rate)
– Point in time of access
– Client’s associated IP address
The personal data that we store about you in relation to your newsletter subscription is stored until you unsubscribe from the newsletter. After unsubscribing, this data is erased both from our servers and from the servers operated by Sendinblue. Please use this link to access detailed information about data protection and Sendinblue: https://help.sendinblue.com/hc/en-us/categories/360000229110-GDPR.
Cookies are used on the website. These are data packets that are exchanged between the server of our website and the visitor’s browser. These are stored by the device used (PC, notebook, tablet, smartphone, etc.) when visiting the website. Cookies cannot cause damage to the device used. In particular, they do not contain viruses or other malicious software. The cookies always store information that is related to the specific device being used. It is not possible for us to use it to obtain direct knowledge of the identity of the visitor to the website.
Cookies are normally accepted by the default browser settings. The browser settings can be changed so that cookies are either not accepted on the devices used or a special message is displayed before a new cookie is created. It should be noted, however, that deactivating cookies may result in some features of the website not functioning optimally. Cookies help to make the use of our website more comfortable. For example, session cookies can be used to track whether the visitor has already visited individual pages on the website. After leaving the site, these session cookies are automatically deleted.
To improve usability, temporary cookies are used. These are stored on the visitor’s device for a limited period of time. When the website is visited again, they automatically detect that the visitor has already accessed the page at an earlier point in time and remember the previous inputs and settings so that they do not have to be re-entered.
For information about the various types of cookies (for example, cookies that are technically needed to display the website or cookies that are utilised for the purposes of statistics and marketing) that are set on your device when visiting our website, as well as additional information about these cookies (e.g. provider, purpose, duration of storage, etc.), please see the list given below.
Where cookies are not technically essential, we obtain your consent (using the pop-up window that opens at the start of your visit to our website) pursuant to point (e) of art. 6(1) of the GDPR. The legal basis for the data processing associated with the setting of technically essential cookies is provided by our legitimate interests pursuant to point (f) of art. 6(1) of the GDPR.
– Saves visitor settings that have been selected in the cookie box for the Borlabs cookie.
– _icl_*, wpml_*, wp-wpml_*: Stores the current language.
– Cookie from Matomo for website analyses. Generates statistical data about how visitors use the website.
– Used to unlock YouTube content.
3. Web analysis by Matomo (formerly Piwik)
3.1 Scope of personal data processing
We use the open source software tool Matomo (formerly Piwik) on our website to analyse the browsing behaviour of our users. The software sets a cookie on the user’s computer (see above for cookie details). If individual pages of our website are accessed, the following data will be stored:
– Two bytes of the IP address of the accessing user system
– The web page accessed
– The web page from which the user was referred to the web page accessed (referrer URL)
– The child pages visited from the original web page accessed
– The duration of the website visit
– The frequency with which the web page is accessed
The software runs on the servers that host our website. Personal data from users is stored only in this location. The data is not shared with third parties. The software is configured so that only two bytes from the IP address mask (e.g. 192.168.xxx.xxx) are stored rather than the full IP address. In this way, no association can be made between the IP address and the accessing computer.
3.2 Legal basis for the processing of personal data
The legal basis for the processing of personal data from users is consent obtained from each user pursuant to point (a) of art. 6(1) of the GDPR. This consent is obtained and stored using a cookie (pop-up window that appears at the start of the website visit).
3.3 Purpose of data processing
Processing personal data from users enables us to analyse the browsing behaviour of our users. Thanks to the analysis of the data collected, we are able to compile information about the usage of the individual components that make up our website. This also helps us to continually improve our website and its usability. Since the IP address is anonymised, this complies with user interests regarding the provision of adequate protection for personal data.
3.4 Duration of storage
Data is deleted as soon as it is no longer required for our recording purposes.
3.5 Cookie blocking/deletion options
4. Linking to other websites
On our website, we link to the online social network platforms Facebook and Instagram, on which documenta und Museum Fridericianum gGmbH maintains its own profile pages (for details, see 5, ‘Profiles and presences on social networks and other online platforms’).
Our website also links to online services provided by Deutsche Bahn and Google Maps. No personal data is shared with these service providers and platform operators by documenta und Museum Fridericianum gGmbH. The respective service/platform operators are themselves responsible for the processing of your personal data.
The service/platform operators linked to on our web pages provide their own privacy policies that cover usage within the EU. You can view these policies here:
5. Profiles and presences on social networks and other online platforms
We maintain an active presence on social networks in order to make our cultural offerings and related information accessible to as wide a public as possible.
One should remember that the social media services we use are global in nature and the processing of your personal data may therefore also take place outside the European Union in some cases. To ensure your data protection rights continue to be honoured for transfers to third countries, such transfers are made only in accordance with art. 44 of the GDPR.
Users are also reminded that the respective platform operator may also process your personal data themselves and could consolidate this data into user profiles. In some cases, this may even happen if you do not maintain a user account with the respective social network. If you are registered as a user with one of these networks, your usage of the content that we provide will be evaluated and associated with your profile. This happens regardless of the specific device you use to access this media. This tracking and profile formation is done with the aim of offering you an optimised user experience, and showing you targeted advertising both inside and outside the social network itself. For further details of the methods used by the respective provider to process your personal data and the options you have to withdraw your consent to this processing (‘opt out’), please consult the privacy policies provided by the respective social networks as well as other information (see below).
If you want to exercise your rights as a data subject, we recommend contacting the respective operator of the social network directly. Typically, documenta und Museum Fridericianum gGmbH will have no access to the personal data as processed by the respective providers.
The operators of social networks provide documenta und Museum Fridericianum gGmbH with personal data to the extent that is permitted by the settings that you have configured in your network profile. The operator of the social network may provide us with information such as your name, your user ID, your profile photo, your network, your gender, your username, your age or your age group, your language, your country, your friends list, your follower list and any other information whose provision you have consented to or which is normally provided to us by the social network (such as reports about your interaction with our various presences on the respective social media platforms).
Your personal data as provided is processed by documenta und Museum Fridericianum gGmbH in order to share your opinions with your friends, followers or contacts in associated social networks, and to optimise our web presence and its sphere of influence within the respective platforms. This processing is therefore based on our legitimate interest in reporting on our work to promote culture and the arts, and to pursue activities associated with public relations work in general.
Personal data types processed as part of visiting social networks (depending on settings and the specific network):
Profile data (such as your username and name), contact data (e.g. email address), usage data (e.g. usage times, activities), content data (e.g. data that you have provided such as comments), metadata (device ID, network and connection, cookie data).
Data subject in terms of data processing law:
The respective user of the social network or the device owner whose devices are used to access the service.
Reporting, general public relations work, tracking (such as providing measurements and analysis of browsing and user behaviour), reach measurement (such as access statistics, page views).
Legal basis (depending on your relationship to the respective provider of the social network):
Our legitimate interests or the legitimate interests of third parties (e.g. of platform providers) (see above) (point (f) of art. 6(1) of the GDPR). If you have a user account on a social network and you have given your consent for the transfer of your data to third parties as part of your privacy settings, your consent to tracking also provides a subsidiary legal basis (point (a) of art. 6(1) of the GDPR).
Services and service providers used (recipients of your personal data):
As part of our online service provision, and as part of expanding our reach and our content, we make consistent use of external services and service providers, including a number of online platforms. Important information about the processing of your personal data in relation to these services and service providers is given below. The specific details of personal data processing as part of the respective services listed below depend on a number of factors (such as the provider, your own privacy settings and your activities). Accordingly, if you have questions about processing for a specific scenario, you are welcome to contact us or our company Data Protection Officer.
Instagram (social network)
Facebook (social network)
– Sharing of responsibility between documenta and Facebook
YouTube (social network, media portal)
Our website uses plug-ins from Google’s YouTube service. YouTube sets cookies on the device that you use: these cookies can also be used to analyse usage behaviour for market research and marketing purposes. In the process, the YouTube server is informed about the pages on our website that you have visited. If you are logged into your YouTube account, this means that YouTube can link your online activities directly to your personal profile. You can prevent this happening by logging out of your YouTube account. The legal basis for the use of YouTube plugins is your consent pursuant to point (a) of art. 6(1) of the GDPR. Please note that embedded YouTube videos cannot be played without your consent. If you have not given your consent by interacting with our cookie banner, you have the option of doing this afterwards on the lock screen shown for the embedded video. You can also manage the types of consent you have given with the ‘Cookie preferences’ link given at the bottom of this page. If you want to withdraw a particular consent that you have given, you can also use this link to do so.
We process the data (such as reports) provided to us by social media network operators by using the social media management software ‘Hootsuite’. We have a legitimate interest in the use of the software pursuant to point (f) of art. 6(1) of the GDPR. Data transfers to Hootsuite in Canada are covered by an adequacy assessment from the EU Commission.
Hootsuite lets us manage several social media accounts at one time. Social media posts can be prepared, planned, published, liked and shared. At the same time, the channels on the various services can also be tracked within Hootsuite, which enables us to follow relevant discussions on the social web.
6. Calendar entries and event forwarding
Our online services let you download calendar entries for our events. These downloads contain the following information: subject, location, start and finish (date and time), plus textual data describing the event. Please remember that the data is downloaded once from our server and is therefore not updated automatically on your computer. Use of the service is voluntary on your part. If you import event data into your calendar, you apply the data items mentioned above to your devices. We offer no guarantees for the trouble-free operation of this service. Nor do we offer any guarantees if the event is cancelled.
7. Ordering products from our website/order form
Our website gives you the option of purchasing and ordering (exhibition) catalogues as well as other publications. If you use the order form on our website, you will need to provide your personal customer data as part of the ordering process (including your first and last name, email address and invoice/shipping address). We require this data in order to process your order and to conduct order-related correspondence with you (e.g. sending you an electronic invoice by email). Your order cannot be processed otherwise. We process the data you enter to legitimise, process and complete a contract of sale pursuant to point (b) of art. 6(1) of the GDPR. The same applies to those kinds of processing operations required in order to take steps prior to entering into a contract (such as processing your (purchase) enquiry).
If we take back certain products you have acquired as part of processing a warranty claim, or acting in accordance with legal take-back requirements, or in individual cases based on our agreement with you or for reasons of goodwill, then we will process your takeback data for these purposes. The legal basis for goods return procedures is point (b) of art. 6(1) of the GDPR.
We also process your customer data and contract of sale data in order to verify the full payment of the purchase price for your orders. If necessary, we will process this data and other data required to establish and/or assert our rights to claim payment in the event of payment defaults on the legal basis of our legitimate interests pursuant to point (f) of art. 6(1) of the GDPR.
Recipient of your personal data as part of the order process
Within our company, departments are granted access to your data only if they require this data for the processing, handling and completion of your purchase order. In order to process your order, we share your customer data and contract of sale data with our service providers only as required for a specific purpose and only to the extent necessary (these providers include IT/telecommunications service providers for the technical handling of your order, and logistics/forwarding agents for delivery of the goods ordered). The legal basis for these procedures is point (b) of art. 6(1) of the GDPR.
Transfer of personal data to third countries outside the EU/EEC
As a result of the use of Microsoft Office 365 Europe (recipient: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Dublin 18, Ireland) in our company, it is possible that personal data arising or being processed as part of our electronic communications will also be transferred to servers in the USA in the course of our business relationship with you. If we transfer personal data to service providers outside the European Economic Area (EEA) onto the territory of the United States of America because of our use of the Microsoft Office 365 service, these transfers are conditional on providers holding valid EU-US Privacy Shield certification. The above mentioned service provider is certified according to the EU-US Privacy Shield. Companies/services with EU-US Privacy Shield certification guarantee an appropriate level of data protection as required by the EU GDPR. Microsoft provides details of this at the following link: https://privacy.microsoft.com/en-GB/privacystatement. Further details can be requested from the contact addresses given above, along with information about the level of data protection offered by our service providers in third countries.
Duration of storage for your (order/contract) data
If your data is no longer required for the fulfilment of contractual, legal and internal processing purposes (after the end of the contract as concluded with you), this data will be erased. Typically however, we are required to retain personal data (such as order and invoice data, for example) past the end of the contractual relationship as a result of obligations arising from commercial and tax law. This retention period can be up to ten years. The reader is referred to the corresponding laws, particularly s. 257 of the German Commercial Code, s. 147 of the German Fiscal Code and point (c) of art. 6(1) of the GDPR.
In this context, it may therefore be necessary for your data to be viewed by or forwarded to government agencies or local authorities as part of inspections of documents carried out as part of our company’s tax audits (for example). We are also required to process customer and contract of sale data at regular intervals as part of preparing our annual financial statements. The legal basis for this is a legal obligation pursuant to point (c) of art. 6(1) of the GDPR.
In cases where we require personal data and documents as evidence for the establishment, exercise or defence of legal claims, this data is retained by us in accordance with the respective periods of limitation, although processing for other purposes is restricted during this time. This also applies to processing for the establishment and handling of claims under warranty and claims for compensation, for example (max. 30 years). The legal basis for this processing is point (f) of art. 6(1) of the GDPR.
Data processing serves the primary purpose of handling and completing the application procedure, and assessing the suitability of candidates for the affected vacancy. As a result, the processing of your applicant data is necessary in order to justify an employment relationship and therefore to make a decision about an offer of employment. The primary legal basis in this case is point (b) of art. 6(1) of the GDPR and s. 23(1) of the Hessian Data Protection and Freedom of Information Act (HDSIG). Where necessary in order to make a hiring decision, the processing of special categories of personal data is carried out on the basis of art. 9(1) of the GDPR and s. 23(3) of the HDSIG. In cases where you have voluntarily provided us with special categories of personal data whose processing is not necessary for making a hiring decision, then the collection and processing of this data is made on the basis of the consent you gave when providing us with this data. We also collect personal data from applicants based on our legitimate interests in defending against legal claims (especially those arising from the AGG) pursuant to point (f) of art. 6(1) of the GDPR. Processing may also take place using electronic channels. This is particularly the case if an applicant uses an electronic channel—such as email, for example—to transmit the corresponding application documents to us or uses the contact form on our website for this purpose. We have also set up a dedicated email address to handle applications sent by email [bewerbung[at]documenta.de]. If we conclude an employment agreement with an applicant, the data transmitted will be stored in accordance with the provisions of the law for the purpose of handling and managing the employment relationship.
If no such agreement is made with the applicant, then the application documents are deleted automatically no later than six months after issuing the rejection decision, unless a deletion of this kind would run counter to any other legitimate interests on our part. An example of ‘other legitimate interests’ in the above context would be a duty to provide evidence in a case arising due to the German General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz, AGG).
9. Information about data protection for event participants
We process the personal data that you provide to us during the registration process for the purposes of preparing and organising the respective event as well as for capacity planning. The legal basis here is your consent as given during registration pursuant to point (a) of art. 6(1) of the GDPR and, depending on the type of event, contract conclusion pursuant to point (b) of art. 6(1) of the GDPR. You may withdraw your consent as given at any time with future effect. As a result of your withdrawal of consent, we will no longer be able to use your personal data for the event—which nonetheless requires registration—and you will therefore be unable to participate in the event.
If necessary, we will also process your data for purposes not requiring your consent pursuant to point (f) of art. 6(1) of the GDPR, namely to protect our legitimate interests or those of third parties, such as when organising a defence against legal action.
Please note that photographs and video recordings are taken during our events, and that this image and video material about the respective event may be published online on websites operated by documenta und Museum Fridericianum gGmbH or by its business partners. Such materials may also be published in social media and/or in one of the publications issued by documenta und Museum Fridericianum gGmbH or its business partners as part of public relations work (and in relation to press coverage in particular).
By participating in the event, you give your consent to the publication of photographs and video materials recorded during the respective event (s. 22, 23 of the German Artistic Copyright Act, KUG). The collection of this data, namely photographic records and their processing, is made for the purpose of pictorial press coverage on the basis of point (f) of art. 6(1) of the GDPR. Please be advised that you may withdraw your consent to this processing for reasons resulting from your particular individual situation on the basis of art. 21(1) of the GDPR. In this case, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for this processing that override your interests, rights and freedoms, or where this processing is required for the establishment, exercise or defence of legal claims.
Your notice of withdrawal should be directed to the address given above.
Please be advised that data worthy of being archived may also result from the documentation of the event and that this data may therefore become part of documenta’s archival materials. If these archival materials contain your personal data, we will process this data pursuant to point (c) of art. 6(1) of the GDPR, and sections 7, 8 and 11 of the Hessian Archival Law (HArchivG). We will process any special categories of personal data potentially processed in this context on the basis of section 25 of the HDSIG.
If you have any questions about this information, including questions about your (privacy) rights, you can also contact our Data Protection Officer: datenschutzbeauftragter[at]documenta.de.
10. Your rights
You have rights with us regarding your personal data. Special statutory provisions may preclude the fulfillment of general data protection rights. If you assert such a right, but special statutory provisions prevent us from complying, we will inform you of this stating the specific reasons. You are entitled to the data protection rights listed below:
According to Art. 15 of the GDPR, you may request information about your personal data processed by us. In particular, you may request information about the purpose of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned retention period, the right to rectification, deletion, restriction of processing or opposition, the existence of a right of appeal, the origin of your data if it was not collected by us or the existence of automated decision-making including profiling, as well as any specific significant details if applicable.
In accordance with Art. 16 of the GDPR you can immediately demand the correction of incorrect data or the completion of your personal data stored by us.
According to Art. 17 of the GDPR, you have the right to request the deletion of your personal data stored with us, unless the data processing is necessary to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.
10.4 Restriction of processing
According to Art. 18 of the GDPR, you can request a restriction of processing of your personal data if you dispute the accuracy of the data, the processing is unlawful but you refuse its deletion and we no longer require the data but you still need it to assert, exercise or defend legal claims or you have filed an objection against the processing in accordance with Art. 21 of the GDPR.
10.5 Data portability
In accordance with Art. 20 of the GDPR, you may receive the personal data you have shared with us in a structured, up to date and machine-readable format or request that it be forwarded to another person with authority.
According to Art. 7(3) of the GDPR you have the right to revoke your consent at any time (e.g. in writing or by e-mail). As a result, we are no longer allowed to continue processing data based on such consent in the future.
According to Art. 77 of the GDPR, you can lodge a complaint with the competent supervisory authority about our processing of your personal data at any time. Our supervisory authority (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, The Hessian Representative for Data Protection and Freedom of Information) is based in Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany.
10.8 Objection to the processing of your data
Insofar as we are processing your personal data in our legitimate interest according to Art. 6(1)(1)(f) of the GDPR, you may object to the processing, in particular if it is processed for advertising purposes. This is especially the case if processing is not necessary for the purpose of fulfilling a contract with you; we will always describe the purpose in an accompanying description of the functions.
When exercising such objection, we request that you explain the reasons why we should not process your personal data as we have. If your objection is justified, we will examine the situation and either stop or adjust the data processing or point out to you the compelling legitimate reasons on the basis of which we will continue the processing. Of course, you may object to the processing of your personal data for advertising and data analysis purposes at any time. You can inform us of your objection using the contact data shown above.