Privacy Policy
This privacy policy explains the nature, scope and purpose of personal data we collect (hereinafter referred to as “data”) when you are using our services, including our website and links to other sites, as well as functions, content and our external online presence, e.g. our social media profile (hereinafter these services are referred to as “online presence”). Please refer to the definitions set out in Article 4 of the General Data Protection Regulation (GDPR), regarding the use of terms like “processing” or “controller”.
Below you will also find the privacy policy that applies to the use of our audio guide app.
Please note: German shall be the legal language of this privacy policy, and all parties waive any right to use and/or rely upon any other language, translation or interpretation. In the case of any inconsistencies or interpretation disputes, the German language version shall control.
Controller
Edwin Scharff Museum und Städtische Sammlungen Neu-Ulm
Hermann-Köhl-Straße 12
89231 Neu-Ulm
Deutschland
Dr. Helga Gutbrod
h.gutbrod@neu-ulm.de
edwinscharffmuseum.de
How to contact our Data Protection Officer
Stadt Neu-Ulm
Datenschutzbeauftragter
Augsburger Straße 15
89231 Neu-Ulm
Telephone: +49 731 7050-1200
E-mail: datenschutz@neu-ulm.de
Data we collect
– Identity data (e.g. names, addresses).
– Contact data (e.g. email address, phone numbers).
– Content data (e.g. texts, photos, videos).
– Usage data (e.g. websites visited, interest in contents, access time).
– Meta and communication data (e.g. device information, IP addresses).
Categories of data subjects
Visitors and users of our online presence (hereinafter data subjects are also referred to as “user”).
Purpose of data processing
– Providing our online presence, their functions and contents.
– Replying to contact forms and communication with users.
– Security measures.
– Internet audience measurement / marketing
Definitions of the terms we use
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”). An identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more characteristics specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of this natural person.
“Processing” means any operation or any set of operations performed on personal data, whether or not by automated means. The definition of the term is very comprehensive and includes any use of data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Underlying legal basis
Pursuant to Article 13 of the GDPR, this is to inform you about the legal basis for our data processing. Where there is no information on the legal basis in this privacy policy, the following applies: The legal basis for asking for consent is Article 6 (1) point (a) and Article 7 of the GDPR. Article 6 (1) point (b) of the GDPR serves as the legal basis for processing in order to carry out our services, to perform a contract, and to answer requests. The legal basis for processing in order to fulfil our legal obligations is Article 6 (1) point (c) of the GDPR. If processing is necessary for the purposes of the legitimate interests we pursue, Article 6 (1) point (f) of the GDPR serves as the legal basis. Should the processing of personal data be necessary in order to protect the vital interests of the data subject or another natural person, the legal basis is Article 6 (1) point (d) of the GDPR.
Security measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, within the meaning of Article 32 of the GDPR, we shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
These measures include, in particular, ensuring the ongoing confidentiality, integrity and availability of data by controlling the physical access to the data, including access regarding the data, data entry, the transfer of data, as well as safeguarding the availability and their separation. Furthermore, we implemented procedures to safeguard the rights of data subjects, the erasure of data and the response to unlawful access to data. Moreover, we shall take the protection of personal data into account, at the time of implementation, respectively when choosing hardware and software, as well as appropriate measures according to the principles of data protection by design and by default (as set out in Article 25 of the GDPR).
Collaboration with processors and third parties
We shall only disclose personal data to other natural persons or companies (processors or third parties), including the transfer of or granting access to your data, where processing is lawful (e.g. if the transfer of data to third parties, for example a credit institute authorised with the payment, is required for the performance of a contract, as set out in Article 6(1) point (b) of the GDPR), if you gave your consent, where a legal obligation requires us to do so, or where processing is necessary for the purposes of the legitimate interests we pursue (e.g. the engagement of processors, web hosting services, etc.).
Should we engage third parties to process data, this is subject to a so-called “processor agreement” according to Article 28 of the GDPR.
Transferring your data to third countries
We shall only process data in a third country (i.e. a country outside the European Union (EU) or the European Economic Area (EEA)), if the engagement of third parties requires us to do so, or if the disclosure or transfer of data to third parties is necessary for the performance of (pre)contractual obligations, if you gave your consent, due to legal obligations or based on our legitimate interest. Subject to legal or contractual provisions, we shall only process or allow processing data in a third country subject to the conditions set out in Articles 44 and following of the GDPR. The data shall only be processed, if particular safeguards are in place, for example an officially recognised confirmation that the law relating to the processing of data is regarded by the European Commission as adequate to protect the rights and freedoms of individuals located in the EU (e.g. the “Privacy Shield” in the US) or particular contractual obligations complying with the requirements of the GDPR (so-called “standard contractual clauses”).
Rights of data subjects
Pursuant to Article 15 of the GDPR you have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and where that is the case, obtain information on the data collected and processed and request a copy of this data.
According to Article 16 of the GDPR you have the right to have incomplete personal data completed or obtain the rectification of inaccurate personal data.
You have the right, as set out in Article 17 of the GDPR, to obtain from the controller the erasure of personal data without undue delay or alternatively obtain the restriction of processing your personal data according to Article 18 of the GDPR.
As set out in Article 20 of the GDPR you have the right to receive the personal data you provided and you have the right to have this data transmitted to another controller.
According to Article 77 of the GDPR you have the right to lodge a complaint with a supervisory authority.
Right to withdraw your consent
Pursuant to Article 7 (3) of the GDPR you have the right to withdraw your consent to the future processing of your personal data.
Right to object
According to Article 21 of the GDPR you have the right to object to the future processing of your personal data at any time. You have an absolute right to object where your personal data are processed for direct marketing purposes.
Cookies and the right to object to direct marketing
“Cookies” are small text files stored on the user’s computer. Cookies are used to store different types of information. The main purpose of a cookie is to store user information (or information on the device where the cookie is stored) while the user is browsing the website; some cookies will remain on the hard drive after the visit. Temporary cookies, so-called “session cookies” or “transient cookies”, will be automatically erased once the user leaves the website and closes the browser. These cookies are used, for example, to save the items in a shopping cart of an online shop or a login status. Permanent or persistent cookies, on the other hand, are cookies that will remain on the hard drive after the user has closed their browser. This helps the website to remember, for example, the login status, which will still be stored when the user visits the website again a few days later. Furthermore, these cookies may be used to store user interests, for Internet audience measurement or for marketing purposes. So-called “third-party cookies” are cookies from providers other than the controller providing the website (cookies only used by the controller are called “first-party cookies”).
We are using temporary and permanent cookies. Below you will find more information on how to object to the storage and how to delete cookies.
If a user chooses to object to the storage of cookies on their computer, they may deactivate this feature in the settings of their browser. Cookies already stored can be deleted in the browser settings. Deactivating cookies, however, may restrict the functionality of this website.
If you wish to object to cookies used for online marketing purposes in general, there are different options to block the use of these services, for example tracking. There is an American website: http://www.aboutads.info/choices/ or a European website: http://www.youronlinechoices.com/. You may also object to the storage of cookies by changing the preferences in your browser settings. Please bear in mind that if you do so, not all functions of our website may be available.
Erasure of data
According to Article 17 and 18 of the GDPR, the data processed shall be erased or processing shall be restricted. Unless stated otherwise in this privacy policy, the stored data shall be erased, if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, and the storage of the data is not legally required. Where data cannot be erased, since processing is still necessary for other purposes or legal obligations, the processing shall be restricted. This means the data shall be made unavailable and shall not be processed for other purposes. This also applies where commercial or tax laws require the storage of the data.
Web and email hosting
We are using hosting services providing the following services: Infrastructure and platform services, server capacity, storage space and database services, email hosting, security services and technical maintenance services, in order to be able to provide our online presence.
We, respectively our hosting provider, are processing identity data, contact data, content data, contract information, usage data, meta and communication data of customers, data on users interested in our services and visiting this website. This is based on our legitimate interest in providing an efficient and secure website in accordance with Article 6 (1) point (f) and Article 28 of the GDPR (conclusion of a processor agreement).
Collection of access data and log files
Based on our legitimate interest within the meaning of Article 6 (1) point (f) of the GDPR, we, or our hosting provider, are collecting data on any access to the server hosting our website (so-called server log files). The access data includes the name of the website visited, file retrieval, date and time of access, data volume transmitted, confirmation of successful retrieval, type and version of browser, the user’s operating system, referrer URL (website from which the request has come), the IP address and the provider sending the request.
Log file information shall be stored for security reasons (e.g. in order to investigate misuse or fraud) and erased after 7 days at the latest. Data that needs to be stored for evidence, shall not be erased until the incident is clarified.
Use of third-party services and contents
Our website includes third-party services based on our legitimate interest (e.g. interest in analysis, optimisation and efficient operation of our website within the meaning of Article 6(1) point (f) of the GDPR), in order to incorporate their contents and services, e.g. videos or fonts (hereinafter called “content”).
This is under the condition that third parties offering these contents recognise the user’s IP address, since the provider is unable to send the contents to the browser without the IP address. Therefore, the IP address is required for displaying the contents. We are striving to only use such content where the provider only uses the IP address in order to provide the content. Third parties may also use pixel tags (invisible graphic files, also called “web beacons”) for statistical or marketing purposes. “Pixel tags” allow the analysis of information such as website traffic. The pseudonymised information may also be stored in cookies on the user’s devices and may contain technical information about the browser and operating system, referring websites, time and date of access as well as further information on the usage of our website, and furthermore may be connected with such information from other sources.
The German version of the privacy policy was created with the privacy policy generator www.datenschutz-generator.de provided by Dr. Thomas Schwenke
Privacy policy supplement – Registration for the newsletter of the Edwin Scharff Museum
On the website of the Edwin Scharff Museum users are given the opportunity to subscribe to our newsletter. The personal data transmitted to the controller when the newsletter is ordered is specified in the input mask used for this purpose.
The Edwin Scharff Museum informs its customers and business partners at regular intervals by means of a newsletter about events and offers. The newsletter can basically only be received by the data subject, if (1) the data subject has a valid e-mail address and (2) the data subject registers for the newsletter mailing. For legal reasons, a confirmation e-mail will be sent to the e-mail address entered by a data subject for the first time for newsletter dispatch using the double opt-in procedure. This confirmation e-mail serves to verify whether the owner of the e-mail address as the data subject has authorized the receipt of the newsletter.
When registering for the newsletter, we also store the IP address of the computer system used by the data subject at the time of registration, as assigned by the Internet service provider (ISP), as well as the date and time of registration. Saving of this data is necessary in order to be able to trace the (possible) misuse of a data subject’s e-mail address at a later point in time and therefore serves as a legal safeguard for the controller.
The personal data saved in the context of a registration for the newsletter are used exclusively for sending our newsletter. Furthermore, subscribers to the newsletter could be informed by e-mail if this is necessary for the operation of the newsletter service or a registration in this regard, as could be the case in the event of changes to the newsletter offer or changes in the technical circumstances. No personal data saved as part of the newsletter service will be passed on to third parties. The subscription to our newsletter can be cancelled by the data subject at any time. The consent to the storage of personal data that the data subject has given us for the newsletter mailing can be revoked at any time. For the purpose of revoking consent, a corresponding link can be found in each newsletter. Furthermore, it is also possible to unsubscribe from the newsletter mailing directly on our website at any time or to notify us of this in another way.
Newsletter tracking
The newsletters of the Edwin Scharff Museum contain so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in such e-mails that are sent in HTML format to enable log file recording and log file analysis. This enables a statistical evaluation of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, the Edwin Scharff Museum may see if and when an e-mail was opened by a data subject, and which links in the e-mail were called up by the data subject.
Such personal data collected via the tracking pixel contained in the newsletters are stored and analyzed by the controller in order to optimize the newsletter dispatch and to better tailor the content of future newsletters to the interests of the data subject. This personal data will not be passed on to third parties. Data subjects are entitled at any time to revoke the separate declaration of consent given in this regard via the double opt-in procedure. After revocation, this personal data will be deleted by the controller. The Edwin Scharff Museum automatically regards a withdrawal from the receipt of the newsletter as a revocation.
The service provider of the newsletter is:
Sendinblue GmbH
Köpenicker Straße 126
10179 Berlin
+49 (0)30 / 311 995 10
support@sendinblue.com
de.sendinblue.com
Privacy policy supplement – YouTube, Adobe and Google Maps
YouTube with enhanced privacy
This website embeds videos from YouTube. The operator of the pages is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
We use YouTube in the extended data protection mode. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they watch the video. However, the transfer of data to YouTube partners is not necessarily excluded by the extended data protection mode. Thus, YouTube – regardless of whether you watch a video – establishes a connection to the Google DoubleClick network.
As soon as you start a YouTube video on this website, a connection to YouTube’s servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.
Furthermore, YouTube can save various cookies on your end device after starting a video or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to collect video statistics, improve the user experience, and prevent fraud attempts.
If necessary, further data processing operations may be triggered after the start of a YouTube video, over which we have no control.
YouTube is used in the interest of an appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.
For more information about data protection at YouTube, please see their privacy policy at: https://policies.google.com/privacy?hl=de.
Adobe Fonts
This website uses web fonts from Adobe for the uniform display of certain fonts. The provider is Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704, USA (Adobe).
When you access this website, your browser loads the required fonts directly from Adobe so that they can be displayed correctly on your terminal device. In doing so, your browser establishes a connection to Adobe’s servers in the USA. This enables Adobe to know that your IP address has been used to access this website. According to Adobe, no cookies are stored when providing the fonts.
The storage and analysis of the data is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the uniform presentation of the typeface on its website. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.adobe.com/de/privacy/eudatatransfers.html.
For more information on Adobe Fonts, please visit:
https://www.adobe.com/de/privacy/policies/adobe-fonts.html.
Adobe’s privacy policy can be found at:
https://www.adobe.com/de/privacy/policy.html
Google Maps
This site uses the map service Google Maps. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transferred to a Google server in the USA and stored there. The provider of this site has no influence on this data transmission.
The use of Google Maps is in the interest of an appealing presentation of our online offers and an easy location of the places indicated by us on the website. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and
https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.
More information on the handling of user data can be found in Google’s privacy policy: https://policies.google.com/privacy?hl=de.
Additional privacy policy for the use of our audio guide app
INFORMATION ON THE PERSONAL DATA WE COLLECT
(1) This is to inform you about the personal data we collect when you use the app. Personal data includes all data that can be attributed to you personally, e.g. name, address, email address, or user behaviour.
(2) Provider of this app and controller within the meaning of Article 4(7) of the European General Data Protection Regulation (hereinafter referred to as: GDPR):
Edwin Scharff Museum und Städtische Sammlungen Neu-Ulm, Dr. Helga Gutbrod, Hermann-Köhl-Straße 12, 89231 Neu-Ulm, Deutschland. You may contact the data protection officer of the City of Neu-Ulm by email: datenschutz@neu-ulm.de or by post: Stadt Neu-Ulm, Datenschutzbeauftragter, Augsburger Straße 15, 89231 Neu-Ulm, Deutschland.
(3) If you send an email, we shall store the data provided (e.g. your email address, possibly your name and phone number), in order to respond to your request or answer your questions. We shall delete the data once the storage is no longer required, or we shall restrict processing the data, if the storage of the data is legally required.
COLLECTION OF PERSONAL DATA WHEN USING THIS APP
(1) If you download this mobile app, the necessary information will be transmitted to the app store you are using, in particular, your user name, your email address, the customer ID of your user account, time of the download, payment information, and the IP address of your device. We have no influence on and are not responsible for the collection of this data. We shall only process the data required for downloading the app to your mobile device.
(2) This app shall not collect or process any further personal data.
(3) This app does not use any analytics tools such as Google Analytics. Once the installation and the download of the audio guide content have been completed, no Internet connection is required to access the app.
(4) The app does include links to our website. In order to access the linked websites, an Internet connection is required. We shall collect personal data, if you visit these websites. If you only use these websites to retrieve information, that is, if you do not register or provide information, we shall only collect the personal data your browser transmits to our server.
YOUR LEGAL RIGHTS
(1) If your personal data is processed, you have the following legal rights vis-a-vis the controller:
– Right to information,
– Right to rectification or erasure,
– Right to restriction of processing,
– Right to object to the processing of your personal data,
– Right to data portability.
(2) Furthermore, you have the right to lodge a complaint with a supervisory authority, regarding our processing of your personal data.