Collection Online

Privacy Policy

Information about data collection and processing

(Status: July 3, 2024)

1. Name and address of the data controller

The responsible authority within the meaning of Art. 4 no. 7 of the General Data Protection Regulation (hereinafter: GDPR), other data protection laws in the Member States of the European Union and other regulations of a data protection nature for the website https://sammlung.kunstsammlung.de is:

Stiftung Kunstsammlung Nordrhein-Westfalen
Grabbeplatz 5
40213 Düsseldorf, Germany
Tel +49 (0)211 8381-204
Fax +49 (0)211 8381-201
www.kunstsammlung.de
E-Mail: service@kunstsammlung.de

2. Name and address of the data security engineer

The controller’s data security engineer is:

Guido Bakenecker
microPLAN IT-Systemhaus GmbH
Spatzenweg 2
48282 Emsdetten, Germany
Tel. +49 (0)2572 9365-77

3. Purposes of processing and legal basis

When you visit our website, our web servers automatically store the IP address, the website from which you visit us, the pages you visit on our website, the time and duration of your visit, and some of the information usually transmitted by the browser. We use this information to help us improve our website and increase its security. We do not associate the information collected with any particular individual, nor do we combine the information with other data sources.

4. Categories of recipients of personal data

We only share information with third parties when necessary to complete the tasks you have assigned to us. We also share information with service providers who host, operate and maintain our website and other IT applications and provide IT support services.

5. Automatically collected data, cookies

We use standard technologies on our website, such as cookies and tracking pixels (invisible graphics). These are used to make our website user-friendly, effective, and secure and to tailor the advertising displayed to your interests. Cookies are small text files that are stored locally in the cache of your Internet browser and allow the browser to be recognized. In addition to so-called session cookies, which are automatically deleted when you log out or close your browser, we also use so-called persistent cookies, which recognize a returning user.

Most browsers are automatically set to accept cookies. However, if you prefer, you can configure your browser to limit or block cookies by changing your browser settings. Detailed information on how to do this on a variety of browsers can be found on the following websites: https://youronlinechoices.eu/, https://thenai.org/ and https://digitaladvertisingalliance.org/. You can also find information on how to delete cookies from your computer and general information about cookies. For information on how to do this on your cell phone browser, please refer to your cell phone manual.

6. Web analysis

We use self-hosted Matomo Analytics with anonymization for web analysis. No cookies are set for analysis or tracking purposes. The use is based on Art. 6 para. 1 lit. f GDPR: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.” The Kunstsammlung has a legitimate interest in analyzing user behavior in order to correct errors and thereby improve the website.

When analyzing with Matomo, we use IP anonymization. This means that your IP address is truncated before analysis so that it can no longer be clearly assigned to you. We host Matomo exclusively on our own servers, so that all analysis data remains with us and is not passed on to third parties.

When individual pages of our website are accessed, the following data is processed: two bytes of the IP address of the accessing system (anonymized), the browser type and version, the operating system used, the website visited, the website from which our website is accessed (referrer URL) – unless prohibited by the browser, the pages and files accessed on our website, if applicable the website visited after ours (when clicking on an external link on our website), the date and time of access, the duration of the visit to the website, the frequency of visits to the website, and the location (country).

7. Contact options

You can contact us using the e-mail address provided. The personal data provided by you will be automatically stored. This storage is solely for the purpose of processing or contacting the data subject.

8. Routine deletion and blocking of personal data

The data will be processed and stored as long as necessary to achieve the purpose. Thereafter, the data will be deleted, unless there is a legal obligation to retain the data. We store your e-mail address as long as you are registered as a recipient of the newsletter. If you revoke your consent to receive the newsletter, we will delete your e-mail address.

9. Right of access

You can request confirmation from us as to whether we are processing personal data relating to you.

If such processing takes place, you can request the following information from the controller:

a) the purposes for which the personal data is being processed;

b) the categories of personal data concerned;

c) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;

d) the intended storage period of the personal data concerning you or, if specific information is not possible, the criteria for determining the storage period;

e) the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;

f) the existence of a right to appeal to a supervisory authority;

g) any available information regarding the source of the data, if the personal data have not been obtained from the data subject;

h) the existence of automated decision-making, including profiling, pursuant to Art. 22 para. 1 and 4 GDPR and, at least in these cases, meaningful information about the logic involved, as well as about the scope and the intended impact of such processing on the data subject.

You have the right to request information as to whether your personal data is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

10. Right to rectification

You have the right to obtain without undue delay the rectification and/or completion of inaccurate or incomplete personal data concerning you.

11. Right to restriction of processing

You may request the restriction of the processing of your personal data under the following conditions:

a) if you dispute the accuracy of the personal data concerning you for a period of time that enables the controller to verify the accuracy of the personal data;

b) if the processing is unlawful and you object to the deletion of the personal data and instead request the restriction of the use of the personal data;

c) the controller no longer needs the personal data for the purposes of the processing, but you need it in order to assert, exercise or defend legal claims, or

d) if you have objected to the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the controller outweigh your reasons.

If the processing of personal data concerning you has been restricted, such data may be processed – except for its storage – only with your consent or for the purpose of asserting, exercising or defending legal claims or for the purpose of protecting the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.

If the processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

12. Right to erasure

12.1 You may request that the personal data concerning you be deleted immediately. The data controller is obliged to delete such data immediately if one of the following reasons applies:

a) Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.

b) You revoke your consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and there is no other legal basis for the processing.

c) You object to the processing pursuant to Art. 21 para. 1 GDPR, and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para. 2 GDPR.

d) The personal data relating to you has been processed unlawfully.

e) The deletion of your personal data is necessary to comply with a legal obligation under Union law or the law of the Member State to which the controller is subject.

f) The personal data concerning you have been collected in connection with information society services provided pursuant to Art. 8 para. 1 GDPR.

12.2 If the data controller has made the personal data concerning you public and is obliged to do so pursuant to Art. 17 para. 1 GDPR, it shall take appropriate measures, taking into account the available technology and the implementation costs, including technical measures, to notify the data controllers who process the personal data that you, as the data subject, have requested that they delete all links to this personal data or copies or replications of this personal data.

12.3 The right to erasure does not apply if the processing is necessary

a) for the exercise of the right to freedom of expression and information;

b) to fulfill a legal obligation that requires processing under the law of the Union or of the Member State to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) for reasons of public interest in the area of public health pursuant to Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;

d) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes pursuant to Art. 89 para. 1 GDPR, to the extent that the right referred to in para. 1 is likely to render impossible or seriously impair the achievement of the objectives of such processing, or

e) for the assertion, exercise, or defense of legal claims.

13. Right to information

If you have asserted your right to rectification, erasure, or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of such rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed by the controller of these recipients.

14. Right to data portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used, and machine-readable format. You also have the right to transmit such data to another controller without hindrance from the controller to whom the personal data was provided, where

a) the processing is based on consent pursuant to Art. 6 para. 1 lit a GDPR or Art. 9 para. lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and

b) the processing is carried out by means of automated procedures.

In exercising this right, you also have the right to obtain the transfer of your personal data directly from one controller to another, where technically feasible. The freedoms and rights of others must not be affected by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

15. Right to object

You have the right, at any time, to object, on grounds relating to your particular situation, to the processing of personal data concerning you, which is carried out pursuant to Art. 6 para. 1 lit. e or f GDPR, including profiling based on these provisions.

The controller shall no longer process the personal data concerning you unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the assertion, exercise, or defense of legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes, including profiling in connection with such direct marketing.

If you object to the processing of your personal data for direct marketing purposes, your personal data will no longer be processed for these purposes.

Notwithstanding Directive 2002/58/EC, you have the option of exercising your right to object in connection with the use of information society services by means of automated procedures using technical specifications.

16. Right to revoke the data protection declaration of consent

You have the right to revoke your data protection declaration of consent at any time. Revocation of your consent does not affect the lawfulness of the processing that has been carried out on the basis of your consent up to the time of revocation.

17. Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

a) is necessary for the conclusion or fulfillment of a contract between you and the controller,

b) is authorized by Union or Member State law to which the controller is subject and that law provides for appropriate measures to safeguard your rights and freedoms and your legitimate interests, or

c) was made with your explicit consent.

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.

In the cases mentioned under a. and c., the controller shall take appropriate measures to protect your rights and freedoms and your legitimate interests, which shall include at least the right to obtain the intervention of a person appointed by the controller, to present one’s own point of view, and to contest the decision.

There is no automated decision-making, including profiling, pursuant to Art. 22 para. 1 and 4 GDPR.

18. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State where you have your habitual residence or place of work or where the alleged infringement took place, if you consider that the processing of personal data relating to you is in breach of the GDPR.

You also have the right to lodge a complaint with the supervisory authority responsible for us:

North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information
Postfach 20 04 44
40102 Düsseldorf, Germany
Tel.: +49 (0)211 38424-0
Fax: +49 (0)211 38424-10
E-mail: poststelle@ldi.nrw.de

The supervisory authority to which the complaint was submitted shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy in accordance with Art. 78 GDPR.

19. Data security

We secure our website and other systems through technical and organizational measures against loss, destruction, access, modification, or distribution of your data by unauthorized persons.

Data protection declaration for download

Document as pdf