This data privacy information serves to inform you about our handling of your personal data. To make the processing of your data as transparent as possible, we would like to provide you with the following overview of processing operations. In order to guarantee fair processing, this data privacy information contains general information about our handling of your data as well as information concerning your rights according to the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).
We will inform you in detail about
The Stiftung Hamburger Gedenkstätten und Lernorte zur Erinnerung an die Opfer der NS-Verbrechen (hereinafter 'we' or 'us') is the controller of the data processing.
I GENERAL INFORMATION
If you have any questions or feedback concerning this information or wish to contact us to assert your rights, please send your enquiry to
Stiftung Hamburger Gedenkstätten und Lernorte zur Erinnerung an die Opfer der NS-Verbrechen
Jean-Dolidier-Weg 75, 21039 Hamburg
phone +49 40 428131500
fax +49 40 428131501
2. Legal basis
The legal term ‘personal data’ refers to all information relating to an identified or identifiable natural person.
We process personal data in compliance with the data protection regulations, in particular the GDPR and the BDSG. We solely process data with legal permission. We process personal data
3. Period of storage
Unless otherwise stated in the following, we will only store your data for as long as required to achieve the intended processing purpose or to fulfil our contractual or statutory obligations. In particular, such statutory retention requirements may result from regulations under commercial or tax law.
4. Recipients of data
For certain processing activities, we rely on service providers. These processing activities include, for example, hosting, maintenance and support of IT systems as well as accounting. A ‘processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors process data not for their own purposes but solely for the controller and are contractually obliged to implement appropriate technical and organizational measures ensuring data protection.
Apart from that, we may transfer your data to postal and delivery services, our bank, consultants/auditors or the fiscal authority if necessary.
Should your data be transferred to further recipients, you can find this information under the description of the respective processing activity.
5. Processing in the exercise of your rights pursuant to Art. 15 to 22 GDPR
If you exercise your rights pursuant to Art. 15 to 22 GDPR, we process the personal data transferred in order for us to grant you your rights and to acquire proof thereof.
Data stored for the purpose of granting you your right of access and for the preparation thereof will only be processed for this purpose and for the purpose of data protection control. Any further processing is restricted in accordance with Art. 18 GDPR.
These processing operations are based on Art. 6 section 1 letter c) GDPR in conjunction with Art. 15 to 22 GDPR and section 34 para. 2 BDSG.
6. Data transfer to third countries
Our data processing may involve the transfer of certain personal data to third countries, meaning countries where the GDPR does not apply. Such transfer is permissible if the European Commission has determined that the third country in question maintains an adequate level of data protection. If there is no such adequacy decision by the European Commission, personal data are transferred to third countries only if suitable guarantees as defined by Art. 46 GDPR are in place or if one of the prerequisites of Art. 49 GDPR is met.
Unless otherwise specified in the following text, suitable guarantees we accept for the transfer or personal data to third countries are the EU standard protection clauses. You have the option of receiving a copy of these EU standard protection clauses or viewing them. Please use the contact address provided.
If you consent to the transfer of personal data to third countries, the legal basis for the transfer is Art. 49 Section 1 (a) GDPR.
7. Your rights
As the data subject, you are entitled to assert your rights against us. In particular, you have the following rights:
8. Right to object
Pursuant to Art. 21 section 1 GDPR, you have the right to object to processing activities based on Art. 6 section 1 letter e) or letter f) GDPR on grounds relating to your particular situation. If we process your personal data for the purpose of direct marketing, you may object to such processing pursuant to Art. 21 section 2 and section 3 GDPR.
9. Data protection officer
You can contact our data protection officer via the following address:
II. DATA PROCESSING ON OUR WEBSITE
During use of our website, we collect information that you provide yourself. We also automatically collect certain information about your use of the site during your visit to the site. In data protection law, the IP address is also considered personal data. An IP address is assigned to each device connected to the internet by the internet provider so that it can send and receive data.
1. Processing of server log files
When using our website for informative purposes only, general information that your browser transfers to our server is initially stored automatically (not via registration). This includes by default: browser type/-version, operating system used, page called, the previously visited page (referrer URL), IP address, date and time of server request and HTTP status code. The processing is carried out in pursuit of our legitimate interests and is based on Art. 6 section 1 letter f) GDPR. This processing serves the technical administration and security of the website. The data stored is anonymized immediately upon collection unless there is a justified suspicion of illegal use based on concrete indications and further examination and processing of the information is necessary for this reason. We are unable to identify you as a data subject based on the information collected. Art. 15 to 22 GDPR therefore do not apply pursuant to Art. 11 section 2 GDPR, unless you provide additional information to enable your identification in order to exercise the rights set out in these articles.
2. Data transfer to the USA
Visiting our website may involve the transfer of certain personal data to third countries, i.e. countries where the DSGVO is not applicable law. Such a transfer shall be authorised if the European Commission has decided that an adequate level of data protection is ensured in such third country. In the absence of such an adequacy decision by the European Commission, personal data will only be transferred to a third country if appropriate safeguards are in place in accordance with Art. 46 DSGVO or if one of the conditions of Art. 49 DSGVO is met. Unless otherwise stated below, we use as appropriate safeguards the EU standard contractual clauses for the transfer of personal data to processors in third countries. You can find it here.
3. Registration form
Our website features a calendar of events with a registration form that you can use to register for our events and guided tours. Any data you enter in the form is transferred in encrypted form (as indicated by the ‘https’ in your browser’s address line). We collect the data for three reasons: firstly, to comply with our obligations under the current Hamburg SARS-CoV-2 Containment Order; secondly, to collect your contact data to facilitate the tracing of chains of infection; thirdly, to forward such data to the relevant authorities where required. The legal basis is Article 6 (1) (c) of the General Data Protection Regulation. We also process the data to be able to plan and organise our events and guided tours formats. The basis on which we establish this processing of your data is our legitimate interest in accordance with Article 6 (1) (f) of the General Data Protection Regulation.
All the data fields are mandatory for the purposes outlined above. Failure to provide us with the data means we are unable to consider your registration. Any data you submit will be stored for four weeks after the end of the event and then deleted.
4. Archive request
On our website we offer a contact form via which you may send us an archive request. Your data is transferred encrypted (note the ‘https’ in the address bar in your browser). Filling out all fields marked as mandatory is necessary for us to process your request. Failure to fill in the mandatory fields results in our inability to process your request. The transfer of this data is voluntary. Alternatively, you may send us a message via the contact email address. We process your data in order to process your request. We release the data from our archive in compliance with Hamburg’s archive law (HmbArchG).
We process your data in pursuit of our legitimate interest to reply to requests. The legal basis for this is Art. 6 section 1 letter f) GDPR.
If you order a product via our website, we process personal data exclusively to execute the contract or to be able to provide you with the product you have ordered. During the ordering process, we only process data which you have entered into the order form and payment details if you chose to pay in advance by bank transfer. To enable delivery of the products you ordered, we transfer the data required for delivery to one of our shipping service providers. The legal basis for the processing is Art. 6 section 1 letter b) GDPR. All data fields marked as mandatory must be filled in to enable us to process your order. Failure to fill in the mandatory fields results in our inability to process your order. The provision of further data is voluntary. The data will be deleted after the statutory retention requirements have expired.
On our website you have the option to subscribe to our newsletter. We regularly inform subscribers of the newsletter on news about our services. A valid email address is required to register for the newsletter. In order to verify your email address, you will first receive a registration email in which you may confirm your registration by clicking on a link (double opt in). If you subscribe to the newsletter on our website, we process personal data such as your email address and your name based on the consent you have given us. This is based on the Article 6 section 1 letter a) GDPR. You can withdraw the consent you have given at any time with effect for the future, e.g. by clicking on the “unsubscribe”-link in the newsletter or by reaching out to us via one of the communication channels mentioned above. Such withdrawal of consent shall not affect the lawfulness of processing based on that consent prior to its withdrawal. Furthermore, we collect your IP address, the date and the time of the registration. This is necessary to prove that consent has been given. The legal basis for this arises from our legal obligation to document the consent (Art. 6 section 1 letter c), Art. 7 section 1 GDPR).
We use the web analysis service Matomo. Matomo is an open source software for website optimization which analyses website visits without using cookies. The IP address processed for this is anonymised immediately after processing and before storing. No further data is processed for the use of Matomo. Matomo does not create user profiles and does not transfer data to third parties. This processing activity is carried out in pursuit of our legitimate interest in measuring coverage and statistical analysis of our website. The processing is based on Art. 6 section 1 letter f) GDPR. This processing serves the purpose to optimize our service but refraining from processing personal data.
You can object to the data processing as a whole at any time by preventing Matomo from processing the data by clicking the following link. In this case, a so called opt-out cookie is saved in your browser. As a consequence, Matomo will not collect any session data. If you delete the cookies in your internet browser, the opt-out cookie is deleted as well. Therefore, it must be reactivated when visiting the website again.
8. Google Maps
On our website, we use Google Maps, a service provided by Google Ireland Limited (Ireland, EU) to display maps. For the integration of the maps, we use a two-click solution. With the two-click solution, no connection to the third-party provider is initially established; instead, a placeholder from our own server is loaded. This can be a preview image of the integrated maps or videos. Contact to the “third-party server” is only established after another click on the respective placeholder. Thus, your IP address is not transferred until you confirm by clicking.
The data are processed based on our legitimate interest and Art. 6 Section 1 (f) GDPR. Further information on Google’s data protection is available in their Privacy Statement at https://www.google.com/policies/privacy.
9. Google Fonts
On our website, we use Google Web Fonts, a service provided by Google Ireland Limited (Ireland, EU) to display fonts. For this integration, it is technologically necessary to process your IP address, so that the content can be sent to your browser. Your IP address is thus transferred to Google. You can object to this form of data processing any time via your browser settings or certain browser extensions. Please note that this can cause limited functionality on the website.
Your data are processed based on Art. 6 Section 1 (f) GDPR and our legitimate interest in the optimisation and efficient operation of our website.
Further information on Google’s data protection is available in their Privacy Statement at policies.google.com/privacy.
III DATA PROCESSING ON OUR SOCIAL MEDIA
We operate company pages on multiple social media platforms via which we offer further opportunities to obtain information about our company and for exchange. We operate company pages on the following social media platforms:
Visiting a company page on social media can result in your personal data being processed. The information in your social media account constitutes personal data. This also encompasses messages and statements made with the account. Additionally, certain information about your visit to a company page is often collected automatically during your visit.
1. Data processing during the visit of a social media page
To ensure that all such interactions on our social media channels are fair and amicable at all times, please observe the following rules of our social media guidelines: Netiquette
b. Facebook and Instagram page
Certain information about you is processed relating to your visit to our Facebook or Instagram page on which we present our company or individual products. Meta Platforms Ireland Ltd. (Ireland/EU) is the sole controller of this processing. Further information about the processing of personal data by Meta is available via https://www.facebook.com/privacy/explanation.
Meta provides the opportunity to object to certain processing activities; corresponding information and opt-out-methods are available via https://www.facebook.com/settings?tab=ads.
Meta provides us with anonymised statistics and insights for our Facebook and Instagram page, which enable us to gain knowledge about the ways in which people interact with our page (so called ‘insights’). These insights are created based on certain information about persons who have visited our page. Meta and we are joint controllers of this processing. The processing serves our legitimate interest in evaluating the ways in which people interact with our page and improving our page based on this. This finds its legal basis in Art. 6 section 1 letter f) GDPR. It is impossible to match the information obtained via insights to individual accounts which interact with our Facebook page. We have concluded an agreement with Meta on joint controllership in which the data protection duties are allocated between Meta and us. Details of the processing of personal data for the creation of insights and of the agreement we concluded with Meta are available via https://www.facebook.com/legal/terms/information_about_page_insights_data. Regarding these processing activities, you may also exercise your rights (see above ‘Your Rights’) against Meta directly. Further information is available in Meta’s privacy statement via https://www.facebook.com/privacy/explanation.
Please note that user data is also processed in the USA and other third countries according to Meta’s data protection guidelines. Meta only transfers user data to countries for which the European Commission has made an adequacy decision pursuant to Art. 45 GDPR or based on appropriate safeguards pursuant to Art. 46 GDPR. Meta Platforms Inc. is certified under the EU-US Privacy Shield and, thus, provides an adequate level of data protection pursuant to Art. 45 GDPR.
Generally, Twitter Inc. (USA) is the sole controller of the processing of your personal data relating to your visit to our Twitter account. Further information on the processing of personal data by Twitter Inc. is available via https://twitter.com/de/privacy.
d. TikTok profile
TikTok Technology Limited (Ireland/EU) is the sole responsible party for the processing of personal data when you visit our TikTok profile. For more information about the processing of personal data by TikTok, please visit https://www.tiktok.com/legal/privacy-policy?lang=de.
e. Vimeo profile
Vimeo LLC (USA) is the sole responsible party for the processing of personal data when you visit our Vimeo profile. Further information about the processing of personal data by Vimeo can be found at https://vimeo.com/privacy.
2. Processing of data you share with us via our company pages
Additionally, we process information which you provide us with via the respective social media platform. Such information can include the username, contact details or a message to us. Generally, we only process this personal data if we have expressly requested you to share this data with us like, for example, in connection with a survey. We are the sole controller of such processing activities.
We process this data in pursuit of our legitimate interest to reach out to persons submitting requests. The legal basis for this is Art. 6 section 1 letter f) GDPR.
Additionally, we might process such data shared with us for purposes of evaluation or marketing. Such processing is based on Art. 6 section 1 letter f) GDPR and serve our legitimate interest to develop our product range and inform you about our product range. Further data processing can take place if you have consented (Art. 6 section 1 letter a) GDPR) or if this serves to fulfil a legal obligation (Art. 6 section 1 letter c) GDPR).
We use a software to operate our company pages. When users ask certain questions on one of our company pages which are determined in the software, the software displays the text as well as the username of the user. In the course of this, this data is transferred to the provider of the software. The text and the username will be deleted as soon as the request has been processed.
IV FURTHER DATA PROCESSING
1. Contact by e-mail, phone or fax
If you send us a message to the provided contact e-mail address, call us by phone or send us a fax, we will use the transferred data for the purpose of answering your inquiry. We process this data in pursuit of our legitimate interest to reach out to persons submitting requests. The legal basis for this is Art. 6 section 1 letter f) GDPR.
2. Kulturvermittler*innen (cultural mediators)/Guides
To carry out events and to convey to you the best of our exhibits, we work with freelance Kulturvermittler*innen (cultural mediators). They guide you through the events and communicate sound and unique cultural knowledge. We transfer personal data to the cultural mediators only if this is necessary for fulfilling the contract, for example to the cultural mediator assigned to run the event. We have established a contract with all cultural mediators which guarantees that they process the personal data of participants only according to our instructions and in compliance with the GDPR.
We provide the respective cultural mediator with none but the following data: Name of group leader, size of the group, age group, if applicable the institution, name of the institution, phone number, e-mail address, postal address, which event was booked, and for school groups the grade level.
The data processing is based on Art. 6 Section 1 (b) GDPR, which permits the processing of data to fulfil a contract or pre-contractual measures.