Data protection is a matter of particular concern to the management of Museen der Hasso Plattner Foundation gGmbH, Museum Barberini. We invariably process personal data in compliance with the General Data Protection Regulation and in accordance with the state-specific data protection rules applicable to Museen der Hasso Plattner Foundation gGmbH, Museum Barberini. By giving you this data protection advice, the Museum Barberini wishes to inform the general public about the type, scope and purpose of the personal data collected, used and processed by us. Furthermore, this data protection declaration serves to advise those affected on the rights to which they are entitled.
With the information below we wish to give you an overview of the way in which we protect and process your personal data and of the rights arising for you from data protection law. Which data are specifically processed and the type of their use essentially depends on the services requested and/or used. Please consider the advice applicable to you.
Who is responsible for data processing and who can I contact?
Controller in terms of the General Data Protection Regulation, other data protection laws applying to the Member States of the European Union and other provisions of a data protection nature is:
Museen der Hasso Plattner Foundation gGmbH
Friedrich-Ebert-Str. 115
T +49 331 236014-399
You can reach our operational data protection officer at
Museen der Hasso Plattner Foundation gGmbH
Friedrich-Ebert-Str. 115
Responsible data protection authorities
Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht (The State Representative for Data Protection and Inspection of Records)
Stahnsdorfer Damm 77
Phone +49 33203/356-0
Fax +49 33203/356-49
Each data subject may contact our data protection agent directly at any time with all questions and suggestions on the topic of data protection.
General Information: Definitions
The data privacy notice of Museen der Hasso Plattner Foundation gGmbH, Museum Barberini, is based on the terminology used by the European legislator when enacting the General Data Protection Regulation (GDPR). Our data privacy notice should be easy to read and understand for the general public as well as for our customers and business partners. In order to ensure this is the case, we would like to explain the terminology used in advance.
We use the following terms, inter alia, in this data privacy notice:
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
Data subject is every identified or identifiable natural person whose personal data are processed by the controller.
c) Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
e) Pseudonymisation
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
f) Controller or person responsible for controlling
Controller or person responsible for controlling means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
g) Processor
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
h) Recipient
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
i) Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
j) Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by another clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Which sources and data do we use?
We process any personal data received from our customers within the scope of the business relationship/services.
Relevant personal data in the processing of interested parties when setting up the master data may be:
• Personal master data (salutation, title, name, address and other contact data, date of birth, nationality)
When concluding the contract and using products/services in the product categories listed in the following, other personal data in addition to the previously cited data may be collected, processed and stored. These essentially comprise:
• Account and payment transactions: Order data (e.g. payment order), data arising from the fulfilment of our contractual obligations (e.g. payment transaction data),
• Customer contact information: Other personal data, e.g. information on contact channel, date, occasion and result, (electronic) copies of correspondence are created within the scope of the business initiation process and during the business relationship, in particular via personal, telephonic or written contacts, whether initiated by yourself or Museen der Hasso Plattner Foundation gGmbH, Museum Barberini. If our vehicle parking service for people with parking permits for the disabled is used, we temporarily store the licence plate of the vehicle authorised to enter.
Why do we process your data (purpose of processing) and on what legal basis?
We process personal data in line with the provisions of the EU General Data Protection Regulation (GDPR) and the German Data Protection Act (Bundesdatenschutzgesetz; BDSG).
a) To fulfil contractual obligations (point (b) Article 6(1) GDPR)
The data are processed to conduct business and render services (e.g. implementation of ordering processes) pursuant to our contracts with our customers, which ensue on request. The purposes of data processing are primarily aimed at the tangible product. Further details on the purpose of data processing may be found in the individual contract documents and terms and conditions of business.
b) Within the scope of the balancing of interests (point (f) Article 6(1) GDPR)
Where required, we process your data above and beyond the actual fulfilment of the contract to safeguard the legitimate interests of ourselves or third parties. This may, for example, include:
• Guarantee of the museum’s IT security and IT operation,
• Prevention/resolution of criminal offences,
• Measures for business management and further development of services and products
• Marketing purposes (e.g. advertising or market and opinion research) or
• Assertion of legal claims and defence in legal disputes
c) Based on your consent (point (a) Article 6(1) GDPR)
Should you have given us your consent to process personal data for specific purposes (e.g. data transmission, data analysis for marketing purposes, photo ID within the scope of events, newsletter dispatch), the legality of such processing is secured by your consent. You may revoke your consent at any time. This also applies to declarations of consent given to us prior to the GDPR coming into force, i.e. prior to 25 May 2018. The revocation of consent applies only to the future and does not affect the legality of the data processed prior to the revocation.
d) Based on legal requirements (point (c) Article 6(1) GDPR) or in the public interest (point (e) Article 6(1) GDPR)
As a service provider, we are subject to various legal obligations, i.e. statutory requirements (e.g. commercial or fiscal law).
Who receives my data?
The people in Museen der Hasso Plattner Foundation gGmbH, Museum Barberini, who receive access to your data are those requiring access to the latter to fulfil our contractual and statutory obligations. Our commissioned service providers and vicarious agents may also receive data for such purposes, provided they in particular safeguard data protection. The latter are companies in the categories of payment performances, IT services, logistics, print services, telecommunications, collection agencies, consultancy as well as distribution and marketing.
With respect to data transmission to recipients outside Museen der Hasso Plattner Foundation gGmbH, Museum Barberini, it should initially be noted that we ourselves maintain secrecy regarding all customer-related facts and evaluations of which we become aware. In principle, we may only ever transmit information on our customers when required by statutory provisions, when the customer has given consent or we are authorised to disseminate. Subject to such prerequisites, recipients of personal data may be, e.g.:
• Public bodies and institutions (e.g. financial authorities or law enforcement agencies) in the event of a statutory or official obligation,
• Credit and finance service providing institutes or comparable institutions to which we transfer personal data for the implementation of our business relationship with you
• Creditors or insolvency administrators who request such personal data within the scope of a judicial execution,
• Third parties involved in the payment process (e.g. valuation-implementing service providers),
• Service providers contacted by us within the scope of order processing circumstances.
Further data recipients may be those bodies for which you have granted us your consent to data transmission.
Will data be transmitted to a third country or an international organisation?
Data is transmitted to bodies in countries outside the European Union (so-called non-member states), provided
• it is necessary to execute your contracts (e.g. newsletter dispatch),
• it is legally prescribed (e.g. fiscal reporting obligations) or
• you have given us your consent.
If service providers in the non-member state are utilised, in addition to written instructions they are also obligated to comply with the European data protection standard by the standard contractual clauses adopted by the EU.
Please refer to our data privacy notice for information on the data which is sent to other countries outside the EU.
How long will my data be stored?
We process and store your personal data as long as it is needed to fulfil our contractual and statutory duties.
Should the data no longer be required to fulfil contractual or statutory duties, the latter will be regularly erased, unless the – limited – further processing thereof is required for the following purposes:
• Fulfilment of commercial and fiscal retention periods that may, for example, arise from the German Commercial Code (Handelsgesetzbuch; HGB) or German Fiscal Code (Abgabenordnung; AO). The time period stipulated therein for retention or documentation is usually two to ten years.
• Maintenance of evidence within the scope of the statutory limitation periods. According to Sections 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch; BGB) such limitation periods may be up to 30 years, although the usual limitation period is 3 years.
What data protection rights do I have?
1. Right of confirmation
Each data subject shall have the right granted by the European legislator to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. Should a data subject wish to assert such right of confirmation, he or she may contact a person in the controller’s department at any time.
2. Right of access
Each data subject shall have the right granted by the European legislator to obtain from the controller access at any time and free of charge to information concerning the personal data stored on himself or herself and to receive a copy of such information. The European legislator has also allowed the data subject access to the following information:
• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The data subject shall also have the right to access whether personal data have been transmitted to a third country or to an international organisation. Moreover, should that be the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
Should a data subject wish to assert this right to access, he or she may contact an employee in the controller’s department at any time.
3. Right to rectification
Each data subject shall have the right granted by the European legislator to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Should a data subject wish to assert this right to rectification, he or she may contact an employee in the controller’s department at any time.
4. Right to erasure (right to be forgotten)
Each data subject shall have the right granted by the European legislator to obtain from the controller the erasure of personal data concerning him or her without undue delay, where one of the following grounds applies and unless processing is required:
• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing;
• the data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR;
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
• the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
Should one of the above-cited reasons apply and a data subject would like to instigate the erasure of personal data stored with us, he or she may contact an employee in the controller’s department at any time. Our employee will ensure that the request for erasure is fulfilled without undue delay.
Where we have made the personal data public and our company is obliged as controller to erase the personal data pursuant to Article 17(1) GDPR, we will take reasonable steps, taking account of available technology and cost of implementation, including technical measures, to inform other controllers which are processing the personal data that the data subject has requested the erasure by such other controllers of all links to, or copies or replications of, such personal data, unless processing is required. Our employee will take the necessary steps in individual cases.
5. Right to restriction of processing
Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where one of the following applies:
• the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
• the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification of whether the legitimate grounds of the controller override those of the data subject.
Should one of the above reasons apply and a data subject would like to obtain the restriction of personal data stored with us, he or she may contact an employee in the controller’s department at any time. Our employee will instigate the restriction of processing.
6. Right to data portability
Each data subject shall have the right granted by the European legislator to receive the data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. He or she shall also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
In exercising his or her right to data portability pursuant to Article 20(1) GDPR, the data subject shall also have the right to have the personal data transmitted directly from one controller to another, where technically feasible and where the rights and freedoms of other persons are not adversely affected as a result.
The data subject may contact an employee to assert the right to data portability at any time.
7. Right to object
Each data subject shall have the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR.
We will no longer process the personal data in the event of an objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where we process personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. Where the data subject lodges an objection with us to processing for direct marketing purposes, we will no longer process the personal data for such purposes.
Where personal data are processed by us for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, the data subject, on grounds relating to his or her particular situation, shall also have the right to object to processing of personal data concerning him or her, unless such processing is necessary for the performance of a task carried out for reasons of public interest. The data subject may contact any employee in order to exercise the right to object. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject shall also be at liberty to exercise his or her right to object by automated means using technical specifications.
8. Automated individual decision-making
Each data subject shall have the right granted by the European legislator not to be subject to a decision based solely on automated processing, which produces legal effects concerning him or her or similarly significantly affects him or her, where the decision is not necessary for entering into, or performance of, a contract between the data subject and a data controller; is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or is based on the data subject’s explicit consent.
Where the decision is not necessary for entering into, or performance of, a contract between the data subject and a data controller; or is based on the data subject’s explicit consent, we will implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
Should the data subject wish to assert any rights with regard to automated decisions, he or she may contact an employee in the controller’s department at any time.
9. Right to revoke consent under data protection law
Each data subject shall have the right granted by the European legislator to revoke his or her consent to the processing of personal data at any time.
Should the data subject wish to assert his or her right to revocation of consent, he or she may contact an employee in the controller’s department at any time.
You may revoke any consent you have given us to the processing of personal data at any time. This also applies to declarations of consent given to us prior to the GDPR coming into force, i.e. prior to 25 May 2018. Please note that the revocation applies only to the future and does not affect data processed prior to the revocation.
10. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or place of the alleged infringement if you consider that the processing of personal data relating to you is unlawful.
Do I have a duty to provide data?
Within the scope of our business relationship, you are obliged to provide those personal data required for the establishment, implementation and termination of a business relationship and to fulfil the associated contractual duties or to the collection of which we are legally bound. Without such data, we will usually not be in the position to conclude, execute and terminate a contract with you.
To what extent does automatic decision-making take place?
In principle, we do not use a fully automated decision-making system pursuant to Article 22 GDPR in order to establish and implement the business relationship. Should we use this process in individual cases, you will be separately informed of that fact and of your relevant rights, where prescribed by law.
Information about cookies and tracking
Detailed information on the cookies, tracking and scripts used can be found in our Cookie Consent Tool.
Should you desire information, which is not available in this data privacy notice, or if you would like further information on a specific point, please contact the data protection officer of Museen der Hasso Plattner Foundation gGmbH, Museum Barberini.