Privacy Policy

We provide you with the following privacy policy to explain which types of your personal data (hereinafter abbreviated as ‘data’) we process, and the relevant purposes and scope for this processing. This privacy policy applies to all of the processing of personal data as conducted by our organisation, both in the course of rendering our services and – in particular – on our websites, in mobile applications and on external online platforms, such as in our social media profiles (hereinafter collectively ‘online services’).

Stiftung Haus der Kunst München gemeinnützige Betriebsgesellschaft mbH
Prinzregentenstraße 1
80538 Munich

Authorised representative(s): Dr. Andrea Lissoni, Bianca Knall

Email address: mail@hausderkunst.de

Phone: +49 89 21127 113

Legal notice: https://www.hausderkunst.de/en/imprint

We have appointed an external Data Protection Officer for our company (https://gdpc.de/).
To contact our corporate Data Protection Officer – Mr Blazy, LL.M or his deputy, Dr Marschall, LL.M. –
please call +49 (0)561 830 99 165 or write to the address given below (please address your letter as ‘FAO: Data Protection Officer’), or email your enquiry to datenschutz@hausderkunst.de

Legal basis pursuant to the GDPR: The following section provides you with an overview of the legal framework set out by the EU GDPR, which forms the legal basis for our processing of your personal data. Please be advised that, alongside the provisions of the GDPR, national data protection legislation may also apply in your or our country of residence or domicile. If more specific legal provisions are authoritative in certain cases, we will provide you with relevant details in this privacy policy.

• Consent (point (a) of art. 6(1) of the GDPR) – The data subject has given their consent to the processing of their personal data for a specific purpose or for several specific purposes.
• Contract performance and pre-contractual enquiries (point (b) of art. 6(1) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legitimate interests (point (f) of art. 6(1) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
• Application procedure as a contractual or pre-contractual relationship (point (b) of art. 6(1) of the GDPR) – Insofar as special categories of personal data pursuant to art. 9(1) of the GDPR (such as health data, the presence of a serious disability or ethnic origin) are requested from the applicant as part of the application procedure, so that the data subject may exercise the rights granted to them as arising from labour law and laws on social security and social protection, and the data controller may fulfil their corresponding duties, this data is processed pursuant to point (b) of art. 9(2) of the GDPR or, in the case of protecting the vital interests of the applicant or other individuals, this data is processed pursuant to point (c) of art. 9(2) of the GDPR or, for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, this data is processed pursuant to point (h) of art. 9(2) of the GDPR. In the case of special categories of data being supplied on the basis of voluntary consent, this data is processed pursuant to point (a) of art. 9(2) of the GDPR.
• Processing of special categories of personal data in relation to healthcare, working capacity and social security (point (h) of art. 9(2) of the GDPR).
• Consent to the processing of special categories of personal data (point (a) of art. 9(2) of the GDPR).
• Processing of special categories of personal data in order to protect vital interests (point (c) of art. 9(2) of the GDPR).

National data protection legislation in Germany The data protection provisions of the GDPR are supplemented by national laws on data protection in Germany. Prominent among such legislation is the Federal Data Protection Act (BDSG), which aims to protect the misuse of personal data during data processing. In particular, the BDSG includes special provisions on the right of access, on the right to erasure, on the right to object, on the processing of special categories of personal data, on processing for other purposes and on data transfer as well as automated decision-making in specific cases, including profiling. Data protection laws from individual German federal states (Länder) may also apply in some cases.

In accordance with the provisions of the law and while taking into account the latest technical standards, implementation costs, and the type, scope, circumstances and purposes of processing, as well as the various probabilities of occurrence and the threats posed to the rights and freedoms of natural persons, we implement suitable technical and organisational measures to provide a level of protection that is appropriate for the risks concerned.

In particular, these measures include ensuring the confidentiality, integrity and availability of data by monitoring physical and electronic access to the data, as well as operations affecting the data itself, including user-level access, input and sharing, and ensuring availability and segregation. Furthermore, we have also set up procedures that ensure the proper recognition of data subject rights, the erasure of data and appropriate responses to data threats. We also account for the protection of personal data during development phases and the selection of hardware, software and procedures in accordance with the principle of data protection, by appropriate technical design, and with data protection by design and default.

TLS encryption (https): we use TLS encryption to protect your data that is transferred to us from our online services. These types of encrypted connections use the prefix ‘https://’ on your web browser’s address bar.

In the course of our processing of personal data, this data may need to be transferred to other bodies, companies, legally independent organisational units or individuals, or may need to be disclosed to the same. Recipients of this data may include service providers entrusted with IT duties, for example, or providers of services and content that is intended for embedding into websites. In such cases, we comply with the legal provisions and, in particular, conclude contracts or agreements that are appropriate for protecting your data with the recipients of your data.

Data processing in third countries: In cases where we process data in a third country (i.e. outside the European Union (EU) or European Economic Area (EEA)) or where processing takes place in the context of third-party service provision or the disclosure or transfer of data to other individuals, bodies or companies, these activities are always conducted in full compliance with the provisions of the law.

Subject to express consent having been given or where transfer is required for contractual or legal reasons (see art. 49 GDPR), we process data or have data processed only in third countries that have a recognised level of data protection (art. 45 GDPR), where a contractual obligation is in place and maintained by means of the ‘standard contractual clauses for controllers and processors’ from the EU Commission (art. 46 GDPR) or where certification has been obtained or binding corporate rules apply (see arts 44 to 49 GDPR, information page from the EU Commission: commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en).

EU–US Trans-Atlantic Data Privacy Framework: Within the scope of the Data Privacy Framework (DPF), the EU Commission has recognised the level of data protection to be secure for certain companies based in the USA as part of its adequacy assessment, dated 10 July 2023. The list of certified companies as well as other information about the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/. This privacy policy also includes information about the service providers that we use who are certified under the Data Privacy Framework.

The data that we process is erased in accordance with legal requirements as soon as the consent given for its processing is withdrawn or other authorisations no longer apply (e.g. if the purpose for the processing of this data no longer applies or the data itself is not necessary to fulfil this purpose). In cases where data is not erased, because it is required for other and legally permissible purposes, the processing of this data is restricted to these purposes: this means that the data is blocked and not processed for other purposes. This applies, for example, in the case of data that must be retained for commercial or tax reasons, or whose storage is required for the assertion, exercising or defence of legal claims, or which is needed to protect the rights of other natural persons or legal entities.

As part of our privacy policy, we may provide users with further information about the erasure and retention of data, where this information applies specifically to the respective processing workflow.

Rights of data subjects as granted by the GDPR – as data subjects, you are granted various rights by the GDPR and especially by the provisions of arts 15 to 21 of the GDPR:

• Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data about you, where such processing is based on point (e) or (f) of art. 6(1) of the GDPR; this right also includes profiling based on these provisions. If the personal data affecting you as a data subject is processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data affecting you as a data subject for this kind of marketing, which includes profiling to the extent that it is related to such direct marketing.
• Right to withdraw consent given: You have the right to withdraw any consent you have given at any time.
• Right of access: You have the right to obtain confirmation as to whether your personal data is being processed, and to information about this data as well as other information and a copy of the data in accordance with legal provisions.
• Right to rectification: In accordance with legal provisions, you have the right to request that your incomplete personal data is completed and/or that your incorrect personal data is rectified.
• Right to erasure and restriction of processing: In accordance with legal provisions, you have the right to request that your personal data is erased without undue delay or, alternatively, in accordance with legal provisions, to request a restriction of processing for your personal data.
• Right to data portability: In accordance with legal provisions, you have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format, or to request the transfer of this data to another controller.
• Lodging a complaint at a supervisory authority: In accordance with legal provisions and without prejudice to some other administrative or judicial remedy, you also have the right to lodge a complaint with a supervisory authority – and, in particular, a supervisory authority in the Member State in which you are ordinarily resident, or the competent supervisory authority for your place of work or the place of the suspected breach – if you are of the opinion that the processing of your personal data is in breach of the provisions of the GDPR.

Cookies are small text files or other blocks of storage that are used to store information on user devices and access this information at a later date. Cookies may be used to store a user account login status, for example, the contents of a basket in an online shop, content that has been accessed or functions that have been used for an online service. Cookies can also be used for a wide variety of other purposes, such as to improve the functionality, security and convenience of online services or to help in the creation of analyses of user flows.

Information about consent: We set cookies in compliance with legal requirements. Accordingly, we obtain prior consent from users except in cases where this is not required by applicable law. In particular, consent not does not need to be obtained if the storage and accessing of information – including to/from cookies – is necessarily required in order to provide users with a telemedia service that has been expressly requested by these users (i.e. our online services). Cookies considered as necessarily required typically include cookies with functions that serve the purpose of presenting the online service or ensuring it remains operational, such as for load balancing, security, the storage of preferences and selection options from users or similar, in relation to the provisioning of the primary and secondary functions of the online service as requested by the user. The fact that users may give or withdraw their consent to such uses is communicated clearly to users, plus information about the respective use of cookies.

Information about legal basis in data protection law: The specific legal basis in data protection law on which we process the personal data of users with the help of cookies depends on whether or not we are required to ask users for consent. If users give consent, then the legal basis for the processing of the data is the consent that has been given. In other cases, the data processed with the help of cookies is processed on the basis of our legitimate interest (e.g. in ensuring the cost-effective operation of our online services and improvements to their usability) or, if processing takes place in the context of rendering our contractual duties, where the use of cookies is required in order to fulfil our contractual obligations. Elsewhere in this privacy policy, we clarify the purposes for which we use cookies for data processing. Such information is also provided as part of our consent and processing workflows.

Retention period: In relation to the retention period, a distinction is made between the following types of cookies:

• Temporary cookies (also referred to as session cookies): Temporary cookies are deleted as soon as a user has exited from our online services and closed their user device (e.g. closed their browser or mobile application).
• Permanent cookies: Permanent cookies are retained even after the user device has been closed. These can be used to store a login status, for example, or display preferred content immediately when the user returns to browsing the same website. The user data collected with the help of cookies can also be used to measure reach. In cases where we do not provide users with explicit details of cookie type and retention period (e.g. as part of obtaining their consent), users should assume that cookies are permanent and that the retention period may be up to two years.

General information about withdrawal of consent and objection (‘opt-out’) Users can withdraw the consent they have given at any time and object to the processing of their data in accordance with the provisions of the law. To this end, users can change their browser settings to restrict the use of cookies (although this may have the effect of limiting the functionality of our online services as well). An objection to the use of cookies for online marketing purposes can also be registered by using the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

Cookie settings/opt-out options:

Further information about the cookies currently in use can be found by looking at the cookie banner (under ‘Details’).

• Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Consent (point (a) of art. 6(1) of the GDPR).

Other information about processing workflows, procedures and services:

• Processing of cookie data based on consent given: We have deployed a procedure for cookie consent management. This allows us to obtain consent from users for the use of cookies or the types of processing and the providers as stated in the course of the cookie consent management procedure. In addition, users can also manage consent and opt out from the use of cookies. This procedure involves the storage of the consent declaration, to avoid the request having to be repeated and also to provide a record of consent given in accordance with legal requirements. This storage may be server-side and/or in a cookie (known as an ‘opt-in cookie’, or with the help of comparable methods), so as to be able to identify the consent that was given by a user or from their device. Subject to individual details as given by the providers of cookie management services, the following information applies. The consent declaration may be stored for a period of up to two years. To this end, a pseudonymous user identifier is created and stored together with the time of the consent given, details about the scope of the consent given (e.g. which categories of cookies and/or service providers), as well as the browser, system and user device used. Legal basis: Consent (point (a) of art. 6(1) of the GDPR).
• Cookiebot: Cookie consent management. Service provider: Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark. Website: https://www.cookiebot.com. Privacy policy: https://www.cookiebot.com/en/privacy-policy/. More information: Data that is stored (on the service provider’s website): the IP address of the user in an anonymised format (the last three digits are set to 0), date and time of consent, browser details, the URL from which the declaration of consent was made, an anonymous, random and encrypted codeword, the user’s consent status.

We offer our services on online platforms that are operated by other service providers. In this context, our privacy policy is supplemented by the privacy policies from the respective platforms. This applies particularly in relation to the completion of payment procedures (e.g. in the context of the purchase of tickets/admission tickets to events) and the procedures deployed on these platforms for reach measurement and interest-related marketing.

• Types of data processed: Customer data (e.g. names, addresses); payment data (e.g. bank account details, invoices, payment history); contact details (e.g. email, phone numbers); contractual data (e.g. subject of contract, term, customer category); usage data (e.g. web pages visited, interest in content, access times). Metadata, communications and procedural data (e.g. IP addresses, details of times, identification numbers, consent status).
• Data subjects: Customers.
• Purpose of data processing: Contractual performance and fulfilment of contractual obligations. Marketing.
• Legal basis: Contract fulfilment and pre-contractual enquiries (point (b) of art. 6(1) of the GDPR). Legitimate interest (point (f) of art. 6(1) of the GDPR).

Other information about processing workflows, procedures and services:

• Xing: Social network. Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://www.xing.de. Privacy policy: https://privacy.xing.com/en/privacy-policy.
• Eventbrite: Platform for events that provides event organisers with help in organising virtual, in-person and hybrid events, and offers functions for participant communications, event registration, ticket sales, networking, agenda management and live streaming. Service provider: Eventbrite, Inc., 155 5th Street, Floor 7, San Francisco, CA 94103, USA. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://www.eventbrite.com. Privacy policy: https://www.eventbrite.com/privacypolicy/. Commissioned data processing contract: https://www.eventbrite.com/help/en-us/articles/429030/data-processing-addendum-for-organizers/.

As part of our business activities, and while fully observing all legal requirements, we use additional services, platforms, interfaces or plug-ins provided by third parties (‘services’). The use of these services is based on our interest in ensuring the proper, lawful and cost-effective management of our business operations and our internal organisation.

• Types of data processed: Customer data (e.g. full name, home address, contact details, customer number, etc.); payment data (e.g. bank account details, invoices, payment history); contact details (e.g. postal and email addresses or phone numbers); content data (e.g. text or image content from messages and posts as well as related information, such as details about authorship or time of creation); contractual data (e.g. subject of contract, term, customer category); usage data (e.g. page accesses and length of visit, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); metadata, communications and procedural data (e.g. IP addresses, details of times, identification numbers, persons involved).
• Data subjects: Service recipients and clients; interested parties; business partners and contracting parties; communication partners; users (e.g. website visitors, users of online services).
• Purpose of data processing: Contractual performance and fulfilment of contractual obligations; office and organisational procedures:; business processes and business management procedures; communications; direct marketing (e.g. via email or surface mail); reach measurement (e.g. access statistics, identification of returning visitors); conversion measurement (measurement of the effectiveness of marketing strategies); organisational and administrative procedures; marketing; provisioning of our online services as well as usability.
• Retention and erasure: Erasure in accordance with the particulars given in the section ‘General information about data storage and erasure’.
• Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR).

Other information about processing workflows, procedures and services:

• Craft CMS: Content Management System. Service provider: 20832 SE Humber Ln. Bend, OR 97702 USA. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://craftcms.com. Privacy policy: https://craftcms.com/privacy. Commissioned data processing contract: https://craftcms.com/knowledge-base/dpa.
• SocialHub: Social media and community management, communication with users and analysis functions. Service provider: maloon GmbH, Schütterlettenweg 4, 85053 Ingolstadt, Germany. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://socialhub.io/. Privacy policy: https://socialhub.io/en/privacy/.

We process user data in order to be able to make our online services available to these users. For this purpose, we process the IP address of the user, which is necessary to transfer the content and functions of our online services to the browser or the user device operated by the user.

• Types of data processed: Usage data (e.g. web pages visited, interest in content, access times). Metadata, communications and procedural data (e.g. IP addresses, details of times, identification numbers, consent status).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purpose of data processing: Provisioning of our online services as well as usability; IT infrastructure (operation and provisioning of information systems and technical devices (computers, servers, etc.)). Security precautions.
• Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR).

Other information about processing workflows, procedures and services:

• Provisioning of online services on rented storage space: For the provisioning of our online services, we use storage space, computing resources and software that we rent or otherwise source from a corresponding server provider (or web hosting service). Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR).
• Collection of access data and log files: Access to our online services is logged in the form of server log files. These server log files can include the address and name of the web pages and files accessed, the date and time of access, the volumes of data transferred, notifications of successful access, browser type and version, the user’s operating system, the referrer URL (i.e. the page visited previously) and, typically, IP addresses and the requesting provider. The server log files can, on the one hand, be used for security purposes, such as to avoid overloading the servers (particularly in the case of mass server accesses known as DDoS attacks) and, on the other hand, to ensure capacity utilisation for servers and their stability. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Data erasure: Log file information is stored for a maximum duration of 30 days and is then erased or anonymised. Data whose further retention is required for evidentiary purposes is excluded from erasure until the final clarification of the respective incident.
• Corpex: Services in relation to the provisioning of information technology infrastructure and associated services (e.g. storage space and/or computing resources). Service provider: Corpex Internet GmbH, Rödingsmarkt 9, 20459 Hamburg, Germany. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://www.corpex.de. Privacy policy: https://www.corpex.de/.
• Algolia: Website search functionality. Service provider: Algolia, Inc. 301 Howard Street, Suite 300 San Francisco, CA 94105, USA. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://community.algolia.com/places/. Privacy policy: https://www.algolia.com/policies/privacy/. Basis for third-country transfers:  Standard contractual clauses (https://www.algolia.com/pdf/DPA-latest.pdf). We have selected server settings to ensure that data processing is largely carried out within the EU/the EEA. 

When we are contacted (e.g. by surface mail, contact form, email, phone or via social media), and within the context of our existing user and business relationships, details of the requesting party are processed insofar as this is required in order to respond to the contact request and to take any steps as requested.

• Types of data processed: Details (e.g. email, phone numbers); content data (e.g. input made into online forms); usage data (e.g. web pages visited, interest in content, access times). Metadata, communications and procedural data (e.g. IP addresses, details of times, identification numbers, consent status).
• Data subjects: Communication partners.
• Purpose of data processing: Requests and communication; management of/responses to inquiries; feedback (e.g. collection of feedback submitted via an online form). Provisioning of our online services as well as usability.
• Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR).

We use platforms and applications from other providers (hereinafter collectively ‘conferencing platforms’) for the purposes of conducting video and audio conferences, webinars, and other types of video and audio meeting (hereinafter collectively ‘conference’). We observe the provisions of the law when selecting conferencing platforms and the services that they provide.

Data processed by conferencing platforms: In the context of participation in a conference, the conferencing platforms process the personal data of participants as stated below. The scope of this processing depends on the data that is required in the context of a specific conference (e.g. specification of login credentials or personal names) and the optional information that is also provided by the participants. Alongside processing as part of hosting the conference, data from participants may also be processed by the conferencing platforms for security purposes or for the purpose of service optimisation. The types of data processed include data about the individual (first name, last name), contact details (email address, phone number), login credentials (login codes or passwords), profile photos, details of the person’s professional position/role, the IP address of the internet connection, details about the user device operated by participants, its operating system, the browser and its technical and language settings, information about the content of communications processes, i.e. input made into chats as well as audio/video data, and the use of other functions made available (e.g. surveys). The content of communications is encrypted to the technical extent made possible by the conference provider. If participants are registered as users on the conferencing platforms, then additional data may be processed in accordance with the agreement made with the respective conference provider.

Logging and recordings: If text input, participant results (e.g. of surveys) and video or audio recordings are made during the conference, full details are provided to participants beforehand and they are asked for their consent, in cases where this is required.

Participant data protection settings: For details of the processing of your data by the conferencing platforms, please read their privacy policies and use the configuration options made available for the conferencing platforms to configure your optimum security and data protection settings. For the duration of a video conference, please also ensure that data and individuals who could be seen in the background of your video stream are appropriately protected (e.g. by informing fellow occupants, closing doors and using features to blur out your background, where available). Links to conference rooms and login credentials must not be shared with unauthorised third parties.

Information about the legal basis: Insofar as we also process user data in addition to data processing by conferencing platforms, and ask users for their consent to the use of the conferencing platforms or certain kinds of features (e.g. consent to the recording of the conference), then the legal basis of processing is this consent given. Our processing may also be necessary for the fulfilment of our contractual obligations (e.g. in participant lists, in the case of editing the outcomes of talks for some other use, etc.). Furthermore, user data is also processed on the basis of our legitimate interest in ensuring efficient and secure communications with our communication partners.

• Types of data processed: Customer data (e.g. names, addresses); contact details (e.g. email, phone numbers); content data (e.g. input made into online forms); usage data (e.g. web pages visited, interest in content, access times). Metadata, communications and procedural data (e.g. IP addresses, details of times, identification numbers, consent status).
• Data subjects: Communication partners; users (e.g. website visitors, users of online services). People in photos.
• Purpose of data processing: Contractual performance and fulfilment of contractual obligations; contact inquiries and communications. Office and organisational procedures.
• Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR).

Other information about processing workflows, procedures and services:

• Zoom: Conferencing and communications software. Service provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://zoom.us. Privacy policy: https://explore.zoom.us/en/privacy/. Commissioned data processing contract: https://explore.zoom.us/en/privacy/ (referred to as Global DPA). Basis for third-country transfers:  EU-US Data Privacy Framework (DPF), standard contractual clauses (https://explore.zoom.us/en/privacy/ (referred to as global DPA)).

We use hosting and analysis services from service providers to listen to our audio content or offer it for download and to receive statistical information about accesses made to audio content.

• Types of data processed: Usage data (e.g. web pages visited, interest in content, access times). Metadata, communications and procedural data (e.g. IP addresses, details of times, identification numbers, consent status).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purpose of data processing: Reach measurement (e.g. access statistics, identification of returning visitors); conversion measurement (measurement of the effectiveness of marketing strategies); profiles with user-related information (creation of user profiles). Provisioning of our online services as well as usability.
• Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR).

Other information about processing workflows, procedures and services:

• Soundcloud: Soundcloud – music hosting. Service provider: SoundCloud Limited, Rheinsberger Str. 76/77, 10115 Berlin, Germany. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website:https://soundcloud.com. Privacy policy: https://soundcloud.com/pages/privacy.

The application procedure requires applicants to provide us with the data needed to assess their abilities and make a selection. The specific information required in each case depends on the job description or, in the case of online forms, on the details entered there.

These particulars will typically include information about the individual, such as their name, address and contact details, as well as documentary evidence of the qualifications required for a particular job. We are also happy to respond to individual queries about the information that is required.

Where provided, applicants can send us their applications using an online form. Data is encrypted according to the latest technical standards before it is sent to us. Applicants can also send us their applications via email. In this case, however, we remind applicants that emails are generally not sent encrypted through the internet. While emails are typically encrypted during their time in transit, they are not encrypted on the servers from/on which they are sent and received. We cannot therefore take any responsibility for applications while in transit from the applicant to final receipt on our server.

For the purposes of applicant searches, the submission of applications and the selection of candidates, we may make use of applicant management or recruitment software and platforms as well as third-party services, while complying with all legal requirements.

Applicants are welcome to contact us to find out about application submission options or send us their application by post.

Processing of special categories of data: Insofar as special categories of personal data (art. 9(1) of the GDPR, such as health data, such as the presence of a serious disability or ethnic origin) are requested from the applicant as part of the application procedure, this data is processed so that the data subject may exercise the rights granted to them as arising from labour law and laws on social security and social protection, and the data controller may fulfil their corresponding duties, or as necessary to protect the vital interests of the applicant or other individuals, or for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.

Data erasure: In the case of a successful job application, the data made available by applicants may be processed further for the purposes of the employment relationship. In other cases, where the application for a vacancy was not successful, the applicant’s data will be erased. Applicant data is also erased if an application is withdrawn – which applicants are entitled to do at any time. Subject to the legitimate withdrawal of an application, data is erased no later than the expiry of a period of six months, which allows us to respond to any follow-up questions about the application and to fulfil our record-keeping duties that arise from regulations on the equal treatment of applicants. Invoices about reimbursements of travel expenses, for example, are archived according to the provisions of tax law.

Inclusion in an applicant pool: Where offered, inclusion in a pool of applicants always requires consent from the applicant beforehand. Applicants are informed that their consent to be added to the talent pool is voluntary, will have no influence on any ongoing application procedure and can be withdrawn with future effect at any time.

• Types of data processed: Customer data (e.g. names, addresses); contact details (e.g. email, phone numbers); content data (e.g. input made into online forms). Applicant data (e.g. personal details, postal and contact addresses, documents associated with the application and the information contained in these documents such as covering letters, CVs, certificates and other information relating to a specific vacancy or voluntarily provided by applicants about their personal qualities or skills).
• Data subjects: Applicants.
• Purpose of data processing: Application procedure (initiation, and any subsequent establishment and potential later termination of an employment relationship).
• Legal basis: Application procedure as a pre-contractual or contractual relationship (point (b) of art. 6(1) of the GDPR). Processing of special categories of personal data in relation to healthcare, working capacity and social security (point (h) of art. 9(2) of the GDPR). Consent to the processing of special categories of personal data (point (a) of art. 9(2) of the GDPR). Processing of special categories of personal data in order to protect vital interests (point (c) of art. 9(2) of the GDPR).

We send newsletters, emails and other types of electronic message (hereinafter ‘newsletter’) only with the consent of the recipient or as permitted by legal provisions. Where the subscription procedure for a newsletter specifically describes its content, then this content is authoritative for user consent. Otherwise, our newsletters contain information about our services and organisation.

To subscribe to our newsletters, the only piece of information normally required is your email address. However, we may ask you to state a name that we can use to personally address your newsletter or other particulars, insofar as these are necessary for the purposes of the newsletter.

Double opt-in procedure: All subscriptions to our newsletters make use of the procedure known as a ‘double opt-in’. This means that, after completing the registration process, you are sent an email asking you to confirm your subscription. This confirmation step is necessary to prevent people from subscribing with someone else’s email address. All subscriptions to our newsletters are logged, to ensure we have records of the subscription process in accordance with legal requirements. These logs include the time of registration and subscription confirmation, as well as the IP address. Any changes made to your data stored at the newsletter service provider are also logged.

Erasure and restriction of processing:  We may store the email addresses of individuals no longer subscribed to our newsletters for up to three years before we erase this data. The basis here is our legitimate interest in being able to prove that consent had been given. The processing of this data is restricted to the purpose of a potential defence against claims. A personal erasure request is possible at any time: the individual simply needs to confirm that their consent was given in the past. In cases where we are required to honour objections to processing over longer periods of time, we reserve the right to store the email address for this sole purpose in a ‘block list’.

We keep logs of the subscription procedure on the basis of our legitimate interest in providing evidence of this procedure having been completed properly. If we make use of the services of an email newsletter provider, this commission is made on the basis of our legitimate interest in ensuring an efficient and secure mailing system.

Content:

Information about current exhibitions, events and programmes at Haus der Kunst, Munich

Types of data processed: Customer data (e.g. names, addresses); contact details (e.g. email, phone numbers); metadata, communications and procedural data (e.g. IP addresses, details of times, identification numbers, consent status). Usage data (e.g. web pages visited, interest in content, access times).

• Data subjects: Communication partners.
• Purpose of data processing: Direct marketing (e.g. via email or surface mail). Reach measurement (e.g. access statistics, identification of returning visitors).
• Legal basis: Consent (point (a) of art. 6(1) of the GDPR). Legitimate interest (point (f) of art. 6(1) of the GDPR).
• Right to object (opt-out): You can unsubscribe at any time: this has the effect of withdrawing your consent and opting out of receiving any further newsletters. You will find a link to unsubscribe from the newsletter at the end of every newsletter. Alternatively, you can make use of one of the contact options stated above (email is preferred here).

Other information about processing workflows, procedures and services:

• Measurement of view/click-through rates: Our newsletters contain an object known as a ‘web beacon’: this is a pixel-sized file that is accessed from our server (or from the server of a newsletter service provider we have commissioned) when the newsletter is viewed. Accessing this file triggers the collection of technical data such as information about the browser and your system, your IP address and the point in time the web beacon was accessed. This information is used to make technical improvements to our newsletter based on technical data or the target audience and their reading patterns, based on their access locations (which can be determined with the help of the IP address) or access times. This analysis also includes determining whether the newsletter was viewed, when it was viewed and which links were clicked. This data is associated with the individual newsletter recipients and stored in their profiles until their erasure. These analyses help us to understand the reading patterns of our users and to adjust content to these patterns or to send out varying content that corresponds to the interests of our users. The measurement of view rates and click rates as well as the storage of these measurement results in user profiles and the further processing of this data is based on consent given by users. A separate objection to (opt-out from) this success measurement is unfortunately not possible: in this case, the user must unsubscribe (opt-out) from all further newsletters. In this case, the stored profile data is then erased. Legal basis: Consent (point (a) of art. 6(1) of the GDPR).
• Brevo: Bulk email and automation services. Service provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://www.brevo.com/. Privacy policy: https://www.brevo.com/legal/privacypolicy/. Commissioned data processing contract: Supplied by the service provider.

Web analysis (also referred to as ‘reach measurement’) is used to evaluate the visitor flows to our online services, and can encompass behavioural patterns, interests or demographic information about visitors – such as their age or gender, stored as pseudonymous values. As one example, reach analysis can help us to identify the times when our online services (or their functions or content) are most frequently used or invite users to revisit these services. We can also identify any areas that require optimisation.

Alongside web analysis, we can also make use of test procedures, so as to test and optimise different versions of our online services or their integral parts, for example.

Unless otherwise specified below, profiles – i.e. data that summarises a type of usage – can be created for these purposes, and information can be stored in a browser or user device and then subsequently accessed from this browser/device. Data collected in this way includes in particular the web pages visited and elements used on these pages, as well as technical details – such as the browser and computer system used, and details of usage times. If users have given their consent to our collection of their location data or the collection of this data by the providers of the services that we use, then location data may also be processed.

The IP addresses of the users are also stored. However, we use an IP masking technique (i.e. pseudonymisation by truncating the IP address) to protect the user’s identity. As a general rule, web analysis, A/B testing and optimisation work always uses pseudonyms instead of personally identifiable data (such as email addresses or personal names). As a result, neither we nor the providers of the software that we use know the actual identity of these users but only the details stored in their profiles for the purposes of the respective procedures.

• Types of data processed: Usage data (e.g. web pages visited, interest in content, access times). Metadata, communications and procedural data (e.g. IP addresses, details of times, identification numbers, consent status).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purpose of data processing: Reach measurement (e.g. access statistics, identification of returning visitors); profiles with user-related information (creation of user profiles); tracking (e.g. interest-/behaviour-related profiling, use of cookies). Provisioning of our online services as well as usability.
• Security precautions: IP masking (pseudonymisation of the IP address).
• Legal basis: Consent (point (a) of art. 6(1) of the GDPR). Legitimate interest (point (f) of art. 6(1) of the GDPR).

Other information about processing workflows, procedures and services:

• Matomo: Matomo is an application that is deployed for the purposes of web analysis and reach measurement. As part of the deployment of Matomo, cookies are generated and stored on the user’s device. The user data collected as part of our use of Matomo is processed only by our organisation and is not shared with third parties. Cookies are stored for a maximum period of 13 months: https://matomo.org/faq/general/faq_146/. Legal basis: Consent (point (a) of art. 6(1) of the GDPR). Data erasure: Cookies are stored for a period of no more than 13 months.

• Google Ads Manager: [HK12] We make use of the Google Marketing Platform (and services such as the Google Ads Manager) to place advertising within the Google advertising network (such as in search results, in videos, on websites, etc.). A key feature of the Google Marketing Platform is the ability to show ads in real time based on the presumed interests of the user. This allows us to show ads for and within our online services in a more targeted way, so as to show users only the ads that correspond to their potential interests. If a user is shown ads for products for which the user has already expressed an interest when using other online services, this is referred to as ‘remarketing’. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers:  EU-US Data Privacy Framework (DPF). Other information: Types of processing and data processed: https://privacy.google.com/businesses/adsservices. Data processing conditions for Google advertising products: Information about the services – data processing conditions between the data controller and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms. Where Google acts as a contracted data processor, data processing conditions for Google advertising products and standard contractual clauses for third-country transfers of data: https://business.safety.google/adsprocessorterms.

We process personal data for the purposes of online marketing, which is understood to mean in particular the marketing of advertising space or the presentation of advertising and other content (collectively ‘content’) in relation to potential user interests as well as measurements of the effectiveness of this content.

User profiles are created for these purposes and stored in a file (‘cookie’) or similar procedures are utilised that are capable of storing the relevant user details that are needed for the presentation of the abovementioned content. These user details may include the content viewed, web pages visited and online networks used, in addition to communication partners and technical details, such as the browser and computer system used, as well as details of usage times and the functionality used. If users have given their consent to the collection of their location data, this data may also be processed.

The IP addresses of the users are also stored. However, we use available IP masking techniques (i.e. pseudonymisation by truncating the IP address) to protect the user’s identity. As a general rule, online marketing activities always use pseudonyms instead of personally identifiable data (such as email addresses or personal names). As a result, neither we nor the providers of the online marketing systems we use know the actual identity of these users but only the details stored in their profiles.

The details in these profiles are typically stored in cookies or with the aid of similar procedures. As a general rule, these cookies can also be accessed on other websites using an identical online marketing system and analysed for the purposes of presenting content, and may also be supplemented with additional data and stored on the server operated by the online marketing system provider.

Exceptionally, personally identifiable data may be associated with these profiles. This is the case if users are members of a social network whose online marketing system we are using, for example, and this network integrates the user profiles with the aforementioned user details. It should also be noted that users may conclude supplementary agreements with providers, such as by giving consent during the registration process.

As a general rule, we only receive access to aggregated data about the success of advertisements we have placed. However, statistics known as ‘conversion measurements’ do allow us to determine which of the online marketing systems we use has led to a ‘conversion’ – e.g. to the conclusion of a contract with our organisation. Conversion measurement is utilised solely to analyse the success of our marketing strategies.

Unless otherwise specified, it should be assumed that the cookies we use are stored for a period of two years.

• Types of data processed: Usage data (e.g. web pages visited, interest in content, access times). Metadata, communications and procedural data (e.g. IP addresses, details of times, identification numbers, consent status).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purpose of data processing: Reach measurement (e.g. access statistics, identification of returning visitors); tracking (e.g. interest-/behaviour-related profiling, use of cookies); marketing; profiles with user-related information (creation of user profiles). Conversion measurement (measurement of the effectiveness of marketing strategies).
• Security precautions: IP masking (pseudonymisation of the IP address).
• Legal basis: Consent (point (a) of art. 6(1) of the GDPR). Legitimate interest (point (f) of art. 6(1) of the GDPR).
• Right to object (opt-out): We refer the reader to the privacy policies from the respective providers and the options for objecting to processing (opting out) made available by these providers. In cases where no explicit option for opting out has been specified, one possibility is simply to deactivate cookies in your browser settings. However, this may result in restrictions to the functionality offered by our online services. We therefore recommend also making use of the following opt-out options, which are designed as catch-all solutions for the respective regions given: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) International: https://optout.aboutads.info.

Other information about processing workflows, procedures and services:

• Google ads and conversion measurement: Online marketing system for the purpose of placing content and ads within the advertising network operated by the service provider (e.g. in search results, in videos, on websites, etc.), so that these can be displayed to users that have a presumed interest in such advertisements. In addition, we measure the ‘conversion’ of these advertisements, i.e. whether the user has used them as an occasion to interact with the advertisements and to make use of the services as advertised. However, we only receive anonymous information and not any personally identifiable data about individual users. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Consent (point (a) of art. 6(1) of the GDPR), legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://marketingplatform.google.com. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers:  EU-US Data Privacy Framework (DPF). Other information: Types of processing and data processed: https://privacy.google.com/businesses/adsservices. Data processing conditions between the data controller and standard contractual clauses for third-country transfers of data: https://business.safety.google/adscontrollerterms.

We maintain profiles within social networks and process user data as part of these activities, so as to communicate with users active in these networks or to offer information about our organisation.

Please be advised that this may involve the processing of user data outside the territory of the European Union. This may result in risks for users, because the assertion of user rights may be made more difficult as a result of this processing.

Furthermore, user data is also typically processed within social networks for the purposes of market research and advertising. User profiles may be created, for example, based on user behaviour and the user interests that can be derived from these patterns of use. In turn, these user profiles may be used to display advertising both inside and outside these networks, and in a way that is presumed to correspond to the user’s interests. For these purposes, cookies are typically stored on the user device. These cookies contain data about user behaviour and interests. In addition, these user profiles can be used to store user data independently of the devices used (in particular, in cases where users are members of the respective platforms and are logged in to their user account there).

For full details of the types of processing used and options for objecting to this processing (opt-out), we refer the reader to the privacy policies and particulars given by the operators of the respective networks.

As regards requests for information and the assertion of rights of the data subject, please be advised that these kind of requests are most effective when made directly to social network providers. Only these providers have full access to the respective user data, and can intervene or provide information directly and as appropriate. You are of course welcome to contact us if you still need help.

• Types of data processed: Details (e.g. email, phone numbers); content data (e.g. input made into online forms); usage data (e.g. web pages visited, interest in content, access times). Metadata, communications and procedural data (e.g. IP addresses, details of times, identification numbers, consent status).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purpose of data processing: Requests and communication; feedback (e.g. collection of feedback submitted via an online form). Marketing.
• Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR).

Other information about processing workflows, procedures and services:

• Instagram: Social network. Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website:https://www.instagram.com. Privacy policy: https://instagram.com/about/legal/privacy.
• Facebook pages: Profiles within the Facebook social network – we are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (‘fan page’). This data includes information about the type of content that users view or with which they interact, or the actions taken by the user on the site (see ‘Things that you and others do and provide’ in the Facebook privacy policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see ‘Device information’ in the Facebook privacy policy: https://www.facebook.com/policy). As explained in the Facebook privacy policy under ‘How do we use this information?’, Facebook also collects and uses information to provide analysis services, known as ‘Page Insights’, to page operators, so that these operators can receive insights into how people interact with their pages and the content integrated into these pages. We have concluded a special agreement with Facebook (‘Information about Page Insights’, https://www.facebook.com/legal/terms/page_controller_addendum) that, in particular, sets out the security measures that Facebook must observe and in which Facebook has declared its commitment to fulfilling data subject rights (which means users can contact Facebook directly to obtain information or submit requests for erasure). The agreements made with Facebook do not restrict the rights of users (particularly in relation to information, erasure, objection and lodging a complaint with a competent supervisory authority). Further details can be found in the ‘Information about Page Insights’ (https://www.facebook.com/legal/terms/information_about_page_insights_data). Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://www.facebook.com. Privacy policy:https://www.facebook.com/about/privacy. Basis for third-country transfers:  EU-US Data Privacy Framework (DPF), standard contractual clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Other information: Agreement on joint responsibility: https://www.facebook.com/legal/terms/information_about_page_insights_data. This joint responsibility is limited to the collection of data by and the transfer of data to Meta Platforms Ireland Limited, a company domiciled in the EU. The further processing of this data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transfer of data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses agreed between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
• Facebook groups: Interest groups within the Facebook social network – we use the ‘Groups’ function on the Facebook platform in order to create interest groups that Facebook users can join with the aim of interacting with one another or with our organisation and exchanging information. For this purpose, we process personal data from users of our groups insofar as this is necessary for the purpose of group usage and group content moderation. Our policies within these groups may contain other rules and information about the use of the respective group. This data encompasses details such as first and last names, as well as published or privately shared content, and figures reflecting the status of group membership or group-related activities, such as joining or leaving a group, as well as timestamps for the data already mentioned. Please also be advised that data from users is also processed by Facebook itself. This data includes information about the type of content that users view or with which they interact, or the actions taken by the user on the site (see ‘Things that you and others do and provide’ in the Facebook privacy policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see ‘Device information’ in the Facebook privacy policy: https://www.facebook.com/policy). As explained in the Facebook privacy policy under ‘How do we use this information?’, Facebook also collects and uses information to provide analysis services, known as ‘Insights’, to group operators, so that these operators can receive insights into how people interact with their groups and the content integrated into these groups. Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://www.facebook.com. Privacy policy: https://www.facebook.com/about/privacy. Basis for third-country transfers:  EU-US Data Privacy Framework (DPF).
• Facebook events: Event profiles within the Facebook social network – we use the ‘Events’ function provided by the Facebook platform to advise users about events and other dates, so as to engage with users (participants and potential participants) and in order to exchange information. For this purpose, we process personal data from users of our event pages insofar as this is necessary for the purpose of managing the event page and content moderation. This data encompasses details such as first and last names, as well as published or privately shared content, and figures reflecting participation status, as well as timestamps for the abovementioned data. Please also be advised that data from users is also processed by Facebook itself. This data includes information about the type of content that users view or with which they interact, or the actions taken by the user on the site (see ‘Things that you and others do and provide’ in the Facebook privacy policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see ‘Device information’ in the Facebook privacy policy: https://www.facebook.com/policy). As explained in the Facebook privacy policy under ‘How do we use this information?’, Facebook also collects and uses information to provide analysis services, known as ‘Insights’, to event hosts, so that these hosts can receive insights into how people interact with their event pages and the content integrated into these pages. Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://www.facebook.com. Privacy policy:https://www.facebook.com/about/privacy. Basis for third-country transfers:  EU-US Data Privacy Framework (DPF).
• LinkedIn: Social network. Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://www.linkedin.com. Privacy policy: https://www.linkedin.com/legal/privacy-policy. Commissioned data processing contract: https://legal.linkedin.com/dpa. Basis for third-country transfers:  Standard contractual clauses (https://legal.linkedin.com/dpa). Right to object (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
• X: Social network. Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Privacy policy:https://twitter.com/privacy, (settings: https://twitter.com/personalization).
• YouTube: Social network and video platform. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Privacy policy:https://policies.google.com/privacy. Basis for third-country transfers:  EU-US Data Privacy Framework (DPF). Right to object (opt-out): https://adssettings.google.com/authenticated.
• Xing: Social network. Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://www.xing.de. Privacy policy: https://privacy.xing.com/en/privacy-policy.

We integrate functional and content elements into our online services that are sourced from the servers of their respective providers (hereinafter ‘third party providers’). Examples of these include graphics, videos or city maps (hereinafter collectively ‘content’).

For this kind of integration, the third-party providers of the content must process the user’s IP address, as this IP address is required in order to send the content to the user’s browser. Accordingly, the IP address is required in order to display the content or functions. We make every effort to ensure that we only use content whose providers use the IP address only for the purpose of delivering the content. Furthermore, third-party providers may use ‘pixel tags’ (invisible graphics, also referred to as ‘web beacons’) for statistical or marketing purposes. These pixel tags can be used to analyse information such as visitor traffic on the pages of this website. In addition, the pseudonymous information may be stored in cookies on the user’s device and may contain data that includes technical information about the browser and the operating system, about referring web pages, about visit time and other details of use of the online service, and may also be aggregated with similar data from other sources.

• Types of data processed: Usage data (e.g. web pages visited, interest in content, access times); metadata, communications and procedural data (e.g. IP addresses, details of times, identification numbers, consent status); customer data (e.g. names, addresses); contact details (e.g. email, phone numbers); content data (e.g. input made into online forms). Images and/or video content (e.g. photographs or video recordings of an individual).
• Data subjects: Users (e.g. website visitors, users of online services). People in photos.
• Purpose of data processing: Provisioning of our online services as well as usability. Office and organisational procedures.
• Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR).

Other information about processing workflows, procedures and services:

• Google Fonts (sourced from Google servers): [HK13] Fonts (and symbols) for the purposes of the technically reliable, maintenance-free and efficient use of fonts and symbols with respect to currency and loading times, their uniform presentation, and taking into account potential restrictions on use based on licensing terms. The font provider is informed of the user’s IP address, so that the fonts can be delivered to the user’s web browser. In addition, various technical data (language settings, screen resolution, operating system, hardware used) is also transferred, which is necessary to deliver the fonts depending on the devices being used and the technical environment of this usage. This data may be processed on a server operated by the font provider in the USA – when visiting our online service, the user’s browser submits its browser HTTP requests to the Google Fonts Web API (i.e. a software interface that is used to access these fonts). The Google Fonts Web API provides users with the cascading style sheets (CSS) used by Google Fonts together with the fonts that are specified within these CCS. These HTTP requests include (1) the IP address that is being used by the respective user for their internet access; (2) the URL requested from the Google server; and (3) the HTTP headers, including the User Agent (which describes the browser and operating system versions used by the website visitor), and the Referrer URL (i.e. the web page on which the Google font should be displayed). IP addresses are neither logged by nor stored on Google servers and are not analysed. The Google Fonts Web API logs details about HTTP requests received (requested URL, User Agent and Referrer URL). Access to this data is restricted and strictly monitored. The requested URL identifies the font families from which the user wants to load their fonts. This data is logged, so that Google can determine how often a specific font family has been requested. With the Google Fonts Web API, the User Agent needs to adjust the font that is generated for the respective browser type. The User Agent is primarily logged for debugging purposes and used in order to generate aggregated usage statistics that can be analysed to measure the popularity of font families. These aggregated usage statistics are published on the ‘Analytics’ page provided by Google Fonts. Lastly, the Referrer URL is logged so that the data can be used for production maintenance purposes and an aggregated report listing the top integrations – based on the number of font queries received – can be generated. According to information provided by Google itself, the company does not use information collected by Google Fonts to create end-user profiles or for targeted advertising. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website:https://fonts.google.com/. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers:  EU-US Data Privacy Framework (DPF). Further information:https://developers.google.com/fonts/faq/privacy?hl=en.
• YouTube videos: Video content. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR) or consent (point (a) of art. 6(1) of the GDPR). Website: https://www.youtube.com. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers:  EU-US Data Privacy Framework (DPF). Right to object (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, settings for the presentation of adverts: https://adssettings.google.com/authenticated.

Our website uses plug-ins from Google’s YouTube service. YouTube sets cookies on the device that you use: these cookies can also be used to analyse usage behaviour for market research and marketing purposes. In the process, the YouTube server is informed about the pages on our website that you have visited. If you are logged into your YouTube account, this means that YouTube can link your online activities directly to your personal profile. You can prevent this happening by logging out of your YouTube account. The legal basis for the use of YouTube plugins is your consent pursuant to point (a) of art. 6(1) of the GDPR. Please note that embedded YouTube videos cannot be played without your consent. If you have not given your consent by interacting with our cookie banner, you have the option of doing this afterwards on the lock screen shown for the embedded video. You can also use the ‘cookie banner’ to manage the types of consent you have given. If you want to withdraw a particular consent that you have given, you can also use this link to do so.

• Google Photos: Online service for storing photos and videos. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Legitimate interest (point (f) of art. 6(1) of the GDPR). Website: https://www.google.com/photos/about/. Privacy policy: https://policies.google.com/privacy.

We process the personal data that you provide to us during the registration process for the purposes of preparing and organising the respective event as well as for capacity planning. The legal basis here is your consent as given during registration pursuant to point (a) of art. 6(1) of the GDPR and, depending on the type of event, contract conclusion pursuant to point (b) of art. 6(1) of the GDPR. You may withdraw your consent as given at any time with future effect. As a result of your withdrawal of consent, we will no longer be able to use your personal data for the event – which nonetheless requires registration – and you will therefore be unable to participate in the event.

If necessary, we will also process your data for purposes not requiring your consent pursuant to point (f) of art. 6(1) of the GDPR, namely to protect our legitimate interests or those of third parties, such as when organising a defence against legal action. Please note that photographs and video recordings are taken during our events, and that this image and video material about the respective event may be published online on websites operated by Stiftung Haus der Kunst München gemeinnützige Betriebsgesellschaft mbH or by its business partners. Such materials may also be published in social media and/or in one of the publications issued by Stiftung Haus der Kunst München gemeinnützige Betriebsgesellschaft mbH or its business partners as part of public relations work (and in relation to press coverage in particular).

By participating in the event, you give your consent to the publication of photographs and video materials recorded during the respective event (s. 22, 23 of the German Artistic Copyright Act, KUG). The collection of this data, namely photographic records and their processing, is made for the purpose of pictorial press coverage on the basis of point (f) of art. 6(1) of the GDPR. Please be advised that you may withdraw your consent to this processing for reasons resulting from your particular individual situation on the basis of art. 21(1) of the GDPR. In this case, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for this processing that override your interests, rights and freedoms, or where this processing is required for the establishment, exercise or defence of legal claims. Your notice of withdrawal should be directed to the address given above.

If you have any questions about this information, including questions about your (privacy) rights, you can also contact our Data Protection Officer: datenschutz@hausderkunst.de.

 The following information gives you a simplified overview of what happens to your personal data when you visit our website and use our online shop. Personal data is defined as any data that could be used to identify you as an individual.

Data types processed and source: One way in which your data is collected is when you provide us with these details. These details may include the kinds of data that you enter into registration/order forms (account details, name, address, type of order, comments made on the order placed). If you have already registered an account with us, then the details as stored in your account are used as the basis for the respective order placed. Other data is collected automatically by our IT systems or after you have given your consent when visiting our website. This includes technical data in particular (e.g. web browser, operating system or the time the page was accessed). These kinds of data are collected automatically when you visit this website. 

Legal basis: When you want to place an order with our online shop, you will need to enter your personal data that we require for the purpose of processing your order and concluding a contract of sale according to German law. Any details that are required to process these contracts are marked accordingly, while other details can be given voluntarily. 

For the purposes of payment, you can provide your payment details to our payment service providers. Please be advised that these third parties are respectively responsible for payment processing. The legal basis for this processing is point (b) of art. 6(1) of the GDPR.

You may also register a customer account, so that we can save your data for any purchases made subsequently. When you register an account under ‘My profile’, the details that you enter are stored until you request a restriction of processing or the deletion of your account.

We may also process the data that you provide us with in order to inform you about other interesting products from our portfolio or to provide you with emails of a technical nature.

Data erasure:

If your data is no longer required for the fulfilment of contractual, legal and internal processing purposes, this data will be erased. Typically however, we are required to retain personal data (for example, the kinds of data contained in invoice documents/purchase orders, such as your address data, payment details and order data) past the end of the contractual relationship as a result of obligations arising from commercial and tax law. This retention period can be up to ten years. The reader is referred to the corresponding laws, particularly s. 257 of the German Commercial Code, s. 147 of the German Fiscal Code.

Our ticket shop is operated by our contracted data processor, München Ticket GmbH, Seidlstraße 30, 80335 Munich. Website: https://www.muenchenticket.de/. Privacy policy (in German): https://www.muenchenticket.de/tickets/datenschutz

Payment service provider:

Our website makes use of third-party payment service providers (PSPs). When you make a purchase from our website, your payment details (e.g. name, payment amount, bank account details, credit card number) are processed by the payment service provider for the purpose of payment processing. These transactions are governed by the respective contractual and data protection terms of the respective PSP. The legal basis for utilising the services of the PSP is point (b) of art. 6(1) of the GDPR (contract performance), and our interest in ensuring that the payment procedure is as smooth, convenient and secure as possible (point (f) of art. 6(1) of the GDPR). Where your consent is requested for certain activities, the legal basis of data processing is point (a) of art. 6(1) of the GDPR; consent given can be withdrawn at any time with future effect. We use the following payment services/payment service providers as part of operating this website: 

PayPal: The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg (hereinafter ‘PayPal’). Data transfers to the USA are based on the standard contractual clauses from the EU Commission.

For details, please see: https://www.paypal.com/us/legalhub/pocpsa-full. For details, please see the PayPal privacy policy: https://www.paypal.com/uk/legalhub/privacy-full.

Mastercard: The provider of this payment service is Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium (hereinafter ‘Mastercard’). Mastercard may transfer data to its parent company in the USA. Data transfers to the USA are based on the Binding Corporate Rules from Mastercard. 

For details, please see: https://www.mastercard.co.uk/en-gb/vision/terms-of-use/commitment-to-privacy/privacy.html and https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-bcrs.pdf. 

VISA: The provider of this payment service is Visa Europe Services Inc., London Office, 1 Sheldon Square, London W2 6TT, UK (hereinafter ‘VISA’). The United Kingdom is considered to be a secure third country for the purposes of data protection law. This means that the UK maintains a level of data protection equivalent to the level of data protection provided in the European Union. VISA may transfer data to its parent company in the USA. Data transfers to the USA are based on the standard contractual clauses from the EU Commission.

For details, please see: https://www.visa.co.uk/legal/global-privacy-notice.html. For further information, please see the VISA privacy policy: https://www.visa.co.uk/legal/privacy-policy.html.