Privacy Policy

Data Privacy Policy in accordance with the GDPR


I. Name and address of the controller

Within the meaning of the General Data Protection Regulation (GDPR) and other national Data Protection Acts of the member states as well as other data protection regulations, the controller is the:

Stiftung Preußischer Kulturbesitz (Prussian Cultural Heritage Foundation)
Von-der-Heydt-Straße 16-18
10785 Berlin
Germany
Tel.: +49 (0)30 266 412889
E-Mail: info@spk-berlin.de-mail.de
Website: http://www.preussischer-kulturbesitz.de/


II. Address of the Data Protection Officer

The controller’s data protection officer can be reached at:

Datenschutzbeauftragte (Data Protection Officer)
Stiftung Preußischer Kulturbesitz
Von-der-Heydt-Straße 16-18
10785 Berlin
Germany
Tel.: +49 (0)30 266 411414
E-Mail: datenschutzbeauftragte@hv.spk-berlin.de


III. General information on data processing

1. Extent of the processing of personal data

In general, we collect and use the personal data of our users only insofar as this is necessary to provide a functional website as well as our content and services. The collection and use of the personal data of our users is consistently carried out only with the consent of the user. An exception is made in such cases in which it is not possible to obtain prior consent due to practical reasons and where data processing is permitted by statutory provisions.

2. Legal basis for the processing of personal data

Insofar as we ask the person concerned to give consent to the processing of his or her personal data, then Art. 6 Para. 1 lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis.
When processing personal data which is necessary for the performance of a contract to which the person concerned is a party, then Art. 6 Para. 1 lit. b of the GDPR serves as the legal basis. This also applies to processing operations which must necessarily be carried out prior to entering into a contract.
Insofar as the processing of personal data is necessary for compliance with a legal obligation to which our institution is subject, then Art. 6 Para. 1 lit. c of the GDPR serves as the legal basis.
If processing is necessary for the purposes of legitimate interests pursued by our institution or by a third party, and the interests, fundamental rights and freedoms of the person concerned do not prevail over the first-mentioned interest, then Art. 6 Para. 1 lit. f of the GDPR serves as the legal basis for the processing.

3. Data erasure and storage period

The personal data of the person concerned shall be erased or locked as soon as the purpose for the storage ceases to apply. Furthermore, data may be stored when this is provided for by European or national legislators in regulations, laws or other provisions to which the controller is subject according to Union law. Locking or erasure of the data shall also take place when the storage period prescribed by the standards mentioned expires, unless it is necessary that the data should continue to be stored for the conclusion or performance of a contract.


IV. Providing the website and establishing log files

1. Description and extent of the data processing

Every time a user accesses our web page, our system automatically records data and information from the computer system of the calling computer.
The following data obtained in this way shall be collected:
(1) information about the browser type and the version used;
(2) the user’s operating system;
(3) the user’s internet service provider;
(4) the user’s IP address;
(5) date and time of access;
(6) websites from which the user’s system has arrived at our web page;
(7) websites which are accessed by the user’s system via our website.
The data shall be likewise stored in our system’s log files. These data shall not be stored together with other personal data of the user.

2. Legal basis for the data processing

The legal basis for the temporary storage of the data and the log files is Art. 6 Para 1 lit. f of the GDPR.

3. Purpose of the data processing

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer. The user’s IP address must remain stored for the duration of the session for this.
Data are stored in log files to ensure the functionality of the website. In addition, the data serve to optimise the website and ensure the security of our information technology systems. Data are not evaluated for marketing purposes in this context.
In accordance with Art. 6 Para 1 lit. f of the GDPR, our legitimate interest in the data processing is likewise present for these purposes.

4. Period of storage

The data shall be erased as soon as they are no longer necessary to fulfil the purpose for which they have been collected. Where the data have been recorded to provide the website, this is the case when the respective session is terminated.
Where the data are stored in log files, this is the case within seven days at the latest. Storage over and above this is possible. In this case the users’ IP addresses shall be erased or distorted, so that it is not possible to identify the calling client.

5. Rights to object and have data removed

To operate the web page it is absolutely necessary to record data to provide the website and to store data in log files. Consequently, the user has no right to object to this.


V. Use of cookies

a) Description and extent of the data processing

Our website uses cookies. Cookies are text files which are stored in the internet browser or by the internet browser on the user’s computer system. When a user accesses a website, a cookie can thus be stored on the user’s operating system. This cookie contains a character sequence which enables a clear identification of the browser when the website is accessed again.
We use cookies to make our website more user-friendly. Some elements of our web page make it necessary for the calling browser to be identified even after moving to another page.
The following data shall be stored and passed on in the cookies:
(1) language settings;
(2) articles in a shopping basket;
(3) log-in information.

b) Legal basis for the data processing

The legal basis for the processing of personal data using cookies which are necessary for technical reasons is Art. 6 Para 1 lit. f of the GDPR. The legal basis for the processing of personal data using cookies for analysis purposes with the consent of the user in this respect is Art. 6 Para 1 lit. a of the GDPR.

c) Purpose of the data processing

The purpose for using cookies which are necessary for technical reasons is to simplify the use of websites for the user. Some functions of our web page are not available without using cookies. For these it is necessary that the browser can be identified, even after moving to another page.
We require cookies for the following applications:
(1) shopping basket;
(2) taking over language settings;
(3) noting search terms.
The user data collected by cookies which are necessary for technical reasons shall not be used to create user profiles.
In accordance with Art. 6 Para 1 lit. f of the GDPR, our legitimate interest in the data processing is likewise present for these purposes.

e) Period of storage, the rights to object and have data removed

Cookies shall be stored on the user’s computer and passed on to our page via these. As a user, you will therefore have complete control over the use of cookies. You can deactivate or restrict the transfer of cookies by changing the settings on your internet browser. Cookies already stored can be erased at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that not all functions of our website can be used in their entirety.


VI. Newsletter

1. Description and extent of the data processing

On our web page it is possible to subscribe to a newsletter free of charge. On registering for the newsletter the data from the input mask (title, surname, first name(s), e-mail address) shall be passed on to us.
In addition, the following data shall be collected on registration:
(1) IP address of the calling computer;
(2) date and time of registering.
Your consent shall be obtained within the framework of the registration procedure for the data to be processed and a reference made to this data privacy policy.
No data shall be disclosed to third parties in connection with the data processing for sending newsletters. The data shall be used exclusively for sending the newsletter.

2. Legal basis for the data processing

The legal basis for processing data after a user has registered for a newsletter with the consent of the user in this respect is Art. 6 Para 1 lit. a of the GDPR.

3. Purpose of the data processing

Collecting the user’s e-mail address serves to deliver the newsletter.
Collecting other personal data within the framework of the registration procedure serves to prevent an abuse of the services or the e-mail address used.

4. Period of storage

The data shall be erased as soon as they are no longer necessary to fulfil the purpose for which they have been collected. The user’s e-mail address shall thus be stored for as long as the subscription for the newsletter is active.
As a rule, other personal data collected within the framework of the registration procedure shall be erased after a period of seven days.

5. Rights to object and have data removed

The user concerned may cancel the subscription to the newsletter at any time. There is a corresponding link in every newsletter for this purpose.
On doing this it is possible to revoke the consent for the storage of data collected during the registration procedure.


VII. Contact form and e-mail contact

1. Description and extent of the data processing

On our web page there is a contact form which can be used for electronic contact. If a user takes the opportunity to use this, then the data entered into the input mask shall be passed on to us and stored. These data are the title, surname (required), first name(s) (required), e-mail address (required), street, house number, postcode, place, country, telephone and fax.
In addition, the following data shall be stored at the time of transmitting the message:
(1) the user’s IP address;
(2) date and time of registering.
Your consent shall be obtained within the framework of the transmission procedure for the data to be processed and reference made to this data privacy policy.
Alternatively, it is possible to get in contact via the e-mail address provided. In this case, the user’s personal data passed on in the e-mail shall be stored.
No data shall be disclosed to third parties in connection with this. The data shall be used exclusively to process the conversation.

2. Legal basis for the data processing

The legal basis for processing the data with the consent of the user is Art. 6 Para 1 lit. a of the GDPR.
The legal basis for processing the data which is passed on by sending an e-mail is Art. 6 Para 1 lit. f of the GDPR. Should the e-mail contact have the conclusion of a contract as its aim, then the additional legal basis for the processing is Art. 6 Para 1 lit. b of the GDPR.

3. Purpose of the data processing

The processing of personal data from the input mask serves solely to deal with the contact being made. In the case that contact is made by e-mail, we also have the necessary legitimate interest here in the processing of the data.
Other personal data processed during the transmission procedure serve to prevent an abuse of the contact form and to ensure the security of our information technology systems.

4. Period of storage

The data shall be erased as soon as they are no longer necessary to fulfil the purpose for which they have been collected. For personal data from the contact form’s input mask which have been sent by email, this is the case when the respective conversation with the user is terminated. The conversation is terminated when it can be inferred from the circumstances that the issues concerned have been conclusively settled.
Additional personal data collected during the transmission procedure shall be erased after a period of seven days.

5. Rights to object and have data removed

The user may at any time withdraw his consent to the processing of personal data. In this case, all personal data stored in the course of making contact shall be erased. Withdrawal of the consent and objection to the storage are possible by e-mail or by post.


VIII. Rights of the person concerned

The following list covers all rights of the person concerned in accordance with the GDPR. Rights which are not relevant for our own website do not have to be named. The list can be shortened in this respect.
If your personal data is being processed, then you are a person concerned within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right to information

You have the right to request confirmation from the controller as to whether personal data concerning you is being processed by us. If this is the case, you may request information about the following from the controller:
(1) the purposes for which the personal data are being processed;
(2) the categories of the personal data being processed;
(3) the recipients or the categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the intended period of storage of the personal data concerning you or, if no specific details are possible here, then the criteria used to determine this period;
(5) the existence of a right to request rectification or erasure of personal data concerning you, a right to restrict processing by the controller or a right to object to this processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) all available information on the source of the data where the personal data are not collected from the person concerned;
(8) the existence of automated decision-making, including profiling, according to Art. 22 Paras 1 and 4 of the GDPR and – at least in these cases – meaningful information about the logic involved, as well as about the implications and the intended effects of such processing for the person concerned.
You have the right to request information as to whether the personal data concerning you shall be passed on to a third country or to an international organisation. In this context you may request to be informed about the appropriate safeguards, according to Art. 46 of the GDPR, in connection with the transfer.

2. Right to rectification

You have the right to obtain rectification and/or completion from the controller, inasmuch as the processed personal data concerning you are incorrect or incomplete. The controller must carry out the rectification without undue delay.

3. Right to restriction of processing

Under the following conditions you may request the restriction of the processing of personal data concerning you:
(1) if you dispute the accuracy of personal data concerning you for a period which enables the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you decline the erasure of the personal data and request the restriction of the use of the personal data instead;
(3) the controller no longer requires the personal data for the purposes of the processing, but you require these to assert, exercise or defend legal claims;
(4) if you have lodged an objection to the processing in accordance with Art. 21 Para 1 of the GDPR and it has not yet been determined whether the legitimate interests of the controller override your interests.
Where processing of personal data concerning you has been restricted, these data – with the exception of their storage – may only be processed with your consent, or for the purpose of asserting, exercising or defending legal claims, or to protect the rights of another natural or legal person, or for reasons of important public interest of the Union or of a member state.
If the processing has been restricted in accordance with the above-mentioned conditions, you shall be informed by the controller before the restriction is lifted.

4. Right to erasure

a) Obligation to erase
You may request the controller to erase the personal data concerning you without undue delay and the controller is obliged to erase these data without undue delay if one of the following reasons applies:
(1) The personal data concerning you are no longer necessary for the purpose for which they were collected or otherwise processed.
(2) You withdraw your consent on which the processing is based in accordance with Art. 6 Para 1 lit. a or Art. 9 Para 2 lit. a of the GDPR and there is no other legal basis available for the processing.
(3) You lodge an objection against the processing in accordance with Art. 21 Para 1 of the GDPR and there are no overriding legitimate reasons for the processing, or you lodge an objection against the processing in accordance with Art. 21 Para 2 of the GDPR.
(4) The personal data concerning you were unlawfully processed.
(5) The erasure of the personal data concerning you is necessary for compliance with a legal obligation in Union or member state law to which the controller is subject.
(6) The personal data concerning you were collected in relation to the offer of information society services in accordance with Art. 8 Para 1 of the GDPR.

b) Information to third parties
Where the controller has made personal data concerning you public and is obliged to erase these data in accordance with Art. 17 Para 1 of the GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the costs of implementation, to inform controllers for data processing who are processing these personal data that you, as the person concerned, have requested them to erase all links to these personal data or copies or replications of these personal data.

c) Exemptions
No right to erasure exists inasmuch as the processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing according to Union or member state law to which the controller is subject, or for the performance of a task which is in the public interest, or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 Para 2 lit. h and i as well as Art. 9 Para 3 of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Art. 89 Para 1 of the GDPR, insofar as the right referred to in section a) is likely to render the realisation of the objectives impossible or seriously restrict these or
(5) for asserting, exercising or defending legal claims.

5. Right to be informed

If you have asserted the rights to rectification, erasure or restriction of processing against the controller, then the controller shall be obliged to inform all recipients to whom the personal data concerning you have been disclosed about this rectification or erasure of the data or the restriction of processing, unless this proves impossible or requires a disproportionate effort.
You have the right to request the controller to inform you about these recipients.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. Furthermore, you have the right to pass these data on to another controller without hindrance from the controller who was provided with the personal data, insofar as
(1) the processing is based on consent in accordance with Art. 6 Para 1 lit. a of the GDPR or on a contract in accordance with Art. 6 Para 1 lit. b of the GDPR and
(2) the processing is carried out by automated means.
When exercising this right you also have the right to have the personal data concerning you transferred directly from one controller to another controller, to the extent that this is technically feasible. The freedoms and rights of other persons may not be adversely affected as a result of this.
The right to data portability shall not apply to the processing of personal data which is necessary to perform a task which is in the public interest, or in the exercise of official authority vested in the controller.

7. Right to object

Based on Art. 6 Para 1 lit. e or f of the GDPR, you have the right to object at any time to the processing of personal data concerning you in relation to your particular situation; this also applies to profiling based on these provisions.
The controller shall no longer process the personal data concerning you, unless he/she can demonstrate compelling legitimate reasons which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
Where the personal data concerning you are processed for direct advertising purposes, you shall have the right to lodge an objection at any time against the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling, to the extent that this is connected with such direct advertising.
Should you lodge an objection to processing for the purposes of direct advertising, then the personal data concerning you shall no longer be used for these purposes.
In the context of using information society services – notwithstanding Directive 2002/58/EC – it is possible for you to exercise your right to object by automated means, in which technical specifications are used.

8. Right to withdraw the declaration of consent regarding data protection law

You have the right to withdraw your declaration of consent regarding data protection law at any time. The withdrawal of consent shall not affect the lawfulness of the processing already carried out on the basis of the consent up to the withdrawal.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal effect on you or similarly significantly affects you. This shall not apply if the decision
(1) is necessary for the conclusion or performance of a contract between you and the controller;
(2) is authorised on the basis of Union or member state law to which the controller is subject and these legal provisions contain appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, or
(3) is made with your explicit consent.
However, these decisions may not be based on special categories of personal data in accordance with Art. 9 Para 1 of the GDPR, unless Art. 9 Para 2 lit. a or g of the GDPR applies and appropriate measures have been taken to safeguard your rights and freedoms as well as your legitimate interests.
As regards the cases referred to in (1) and (3), the controller shall take appropriate measures to safeguard these rights and freedoms as well as your legitimate interests, which include at least the right to obtain the intervention of a person on the part of the controller, to declare one’s own point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the member state of your residence, your place of work or the place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy in accordance with Art. 78 of the GDPR.


IX. Supplementary clause: images and videos of persons on the website

The General Data Protection Regulation (GDPR) has strengthened the rights of persons concerned. It is possible that there are persons depicted in images and videos on our website whose consent for this has not been obtained in the past. If you should be affected by this, you have the right to withdraw your consent with reason at any time for the future.


X. Right of reservation with regard to updates

The Stiftung Preußischer Kulturbesitz reserves the right to amend the Data Privacy Policy according to technical advances and changes to the statutory framework conditions. You will find the respective effective date of this Data Privacy Policy at the end of the policy in each case.

Effective date of the Data Privacy Policy 24.05.2018