Your contact person as controller within the meaning of the European Data Protection Regulation ("GDPR") and other national data protection laws of the member states as well as other data protection regulations is:
Neues Museum. Staatliches Museum für Kunst und Design Nürnberg
Luitpoldstraße 5, 90402 Nürnberg
0911-2402069
info@nmn.de
(hereinafter referred to as "we", "us" or "our")
You can reach our data protection officer at the following contact details:
Carsten Förster
Bayerische Staatsgemäldesammlungen
Zentrale Dienste der Staatl. Museen und Sammlungen
Landshuter Allee 8
80637 München
Fon: +49 (0)89 23805 136
E-Mail: zd.datenschutz@pinakothek.de
I Website functionality
1) Provision of the website and creation of log files
(a) Legal basis
The legal basis for the processing of your personal data in the context of the provision of the website and the creation of log files is our public duty (Art. 4 para. 1 Bavarian Data Protection Act - BayDSG in conjunction with. Art. 6 para. 1 lit. e in conjunction with. Art. 6 para. 3 p. 1 General Data Protection Regulation (GDPR)).
(b) Purpose
The temporary storage of your personal data by us is a prerequisite for us to be able to display our website on your computer. For this reason, we store your personal data until the end of the respective session.
The further storage of your personal data in so-called log files by us takes place in order to technically ensure the correct functioning of our Internet presence. Furthermore, the log files are used to check and maintain the proper functioning of the security of our information technology systems.
Your data collected for this purpose will not be processed other than for the aforementioned purposes.
(c) Duration of Storage
We delete your personal data as soon as we no longer need them for the processing purposes we have stated. In the case of processing in the context of providing our website, this is given as soon as you have left our website.
If we store your personal data in our log files, we delete them after 14 days at the latest. If we want or need to store your data beyond this, your data will only be stored or processed anonymously. The anonymization has the consequence that we can no longer assign your data to you.
(d) Possibility of objection and removal
Since the processing of your personal data for the provision of the website and the further storage of your personal data in so-called log files is indispensable for the operation of the website, you do not have the option to object.
II eCommerce
1) Webshop
(a) Legal basis
The legal basis for the processing of your personal data in the context of the webshop is Art. 6 para. 1 lit. b GDPR.
(b) Purpose
We process your personal data in connection with our webshop for the fulfillment of a contract which has been concluded between you and us.
(c) Duration of Storage
We delete your personal data as soon as they are no longer required to achieve the purpose of their processing. With regard to the processing of the aforementioned personal data, this is the case when the contract has been fulfilled on the one hand and on the other hand all contractual claims have become time-barred and/or there are no longer any legal storage and retention periods.
(d) Possibility of objection and removal
We can only process the contract concluded between you and us in connection with the webshop by means of your personal data. Since the processing is therefore mandatory, you do not have the option to object to the processing.
2) Customer account registration
(a) Legal basis
The legal basis for the processing of your personal data in the context of customer account registration is Art. 6 para. 1 lit. b GDPR.
(b) Purpose
When you register on our website, this not only enables us to maintain our customer relationship with you, but also serves to conclude contracts. The processing of your personal data in connection with the registration of your customer account is therefore necessary for the performance of a contract, the implementation of pre-contractual measures and the maintenance of our customer profiles and relationships.
(c) Duration of Storage
We delete your personal data as soon as they are no longer required to achieve the purpose of their processing. This is the case at the latest when you close your customer account with us.
(d) Possibility of objection and removal
If you no longer wish your data to be processed, you can cancel the registration of the customer account on our website at any time. In this case, we will delete your personal data, unless we are prevented from doing so by legal retention periods.
3) Contact form and e-mail contact
(a) Legal basis
The legal basis for the processing of your personal data, which is transmitted in the course of contacting us, is our public performance of duties (Art. 4 Para. 1 Bavarian Data Protection Act - BayDSG in conjunction with. Art. 6 para. 1 lit. e in conjunction with. Art. 6 para. 3 p. 1 of the General Data Protection Regulation (GDPR)). If, on the other hand, the purpose of your contacting us is to conclude a contract with us, Art. 6 (1) (b) GDPR is relevant as a further legal basis for the processing of your personal data.
(b) Purpose
We process your personal data in connection with your contact to process and respond to your request.
(c) Duration of Storage
We delete your personal data as soon as they are no longer required to achieve the purpose of their processing. Personal data transmitted to us in the context of contacting us will be deleted if your request has been processed by us and no legal retention periods oppose the deletion.
(d) Possibility of objection and removal
You can object to the processing of your personal data in connection with your contact at any time for the future. However, if you do so, we cannot and will not process your request any further. Provided that there are no legal retention periods to the contrary, all your personal data related to the contact will be deleted in this case.
III Marketing
1) Newsletter
(a) Legal basis
The legal basis for the processing of your personal data within the scope of the newsletter dispatch is your declared consent according to Art. 6 para. 1 lit. a GDPR.
(b) Purpose
We process your personal data to deliver our newsletter to you. The purpose of our newsletter mailing is to inform you about exhibitions and events at the museum. The newsletter also serves to increase our sales through the sale of tickets, services and other goods.
(c) Duration of Storage
We delete your personal data as soon as they are no longer required to achieve the purpose of their processing. In connection with the sending of the newsletter, your personal data will be stored until you have unsubscribed from our newsletter.
(d) Possibility of objection and removal
The revocation of your consent is open to you at any time. To do so, you can either explicitly revoke your consent or select the unsubscribe link included in each of our newsletters to let us know that you no longer wish to receive the newsletter.
IV) Data protection and legislation
1) Data subject submission according to Art. 12 et seq. GDPR
(a) Legal basis
If you request information about our processing of your personal data in the context of a so-called data subject submission, the legal basis for the processing of personal data based on the request is Art. 6 para. 1 lit. c in conjunction with Art. 12 et seq. GDPR. The legal basis of the documentation of your request to be carried out by us is Art. 6 para. 1 lit. f GDPR.
(b) Purpose
In this context, we process your personal data in order to be able to provide you with information about the data protection content requested in the context of your data subject submission. We must then document both your request and our legally compliant information and processing in order to meet our legal accountability obligation under Art. 5 para 2 of the GDPR.
(c) Duration of Storage
We delete your personal data as soon as we no longer need it to respond to your data subject submission or to fulfill our legal accountability obligations.
(d) Possibility of objection and removal
If you do not want us to process your data in connection with your data subject submission, you can object at any time for the future. Please note that in this case it is not possible for us to answer your request and provide you with information.
However, you do not have the right to object to the documentation of your data subject submission and any objection to data processing in the context of the data subject submission, as this is a legal obligation for us.
2) Legal defense and enforcement
(a) Legal basis
If we need to process your personal data in the context of legal defense and enforcement, the legal basis is Art. 6 para. 1 lit. f GDPR.
(b) Purpose
If we need to process your data for the purpose of legal defense and enforcement, this is for the purpose of defending against unjustified claims and the legal enforcement and assertion of claims and rights to which we are entitled.
(c) Duration of Storage
We delete your personal data as soon as they are no longer required for legal defense and enforcement purposes.
(d) Possibility of objection and removal
If we have to process your personal data for these purposes, the processing is mandatory. For this reason, you also have no right or possibility to object to the processing.
I Facebook Insights (Facebook-Fanpage)
1) Joint controllers
We operate our Facebook Fanpage https://www.facebook.com/neuesmuseumnuernberg jointly with Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (hereinafter Facebook) in accordance with the decision of the ECJ, as personal data are processed by Facebook and us in connection with our Fanpage or with its content and we contribute to the decision on the purposes and means of this processing.
For this reason, we have concluded a separate agreement with Facebook and divided which of us fulfills which obligations under the GDPR.
You can read the most important contents of this agreement under the following link:
https://www.facebook.com/legal/terms/page_controller_addendum
If you would like to know how Facebook generally processes your personal data, you can find information on this at:
https://www.facebook.com/legal/terms/information_about_page_insights_data
2) Legal basis
Our legal basis for the processing of your personal data in the context of the Facebook Fanpage is our public duty (Art. 4 para. 1 Bavarian Data Protection Act - BayDSG in conjunction with. Art. 6 para. 1 lit. e in conjunction with. Art. 6 para. 3 p. 1 General Data Protection Regulation (GDPR).
3) Purpose
In order to fill our Facebook fan page with content that is of interest to you, we depend on learning about your user behavior. This is supported by the processing of your personal data, which is collected during the use of our Facebook fan page and evaluated by Facebook. For this purpose, Facebook provides us with page statistics that give us information about visitors and their interactions with our page. Furthermore, our Facebook fan page allows you to communicate directly with us and to respond to our posts and content.
4) Origin of the data
The data collected from you during your use of our Facebook Fanpage will be evaluated by Facebook and made available to us afterwards.
5) Duration of Storage
Your personal data will be deleted by us as far as they are no longer necessary to achieve the purpose. The deletion of your personal data takes place, as far as we are able, at the latest with the discontinuation of our Facebook fan page.
6) Possibility of objection and removal
If you do not want Facebook to collect your data, you can object at any time for the future. If you object to the processing of your personal data by Facebook, we will forward this objection request to Facebook.
II Instagram
1) Joint Controllers
We operate our Instagram page https://www.instagram.com/neues_museum_nuernberg/ jointly with Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (hereinafter Facebook) in accordance with the decision of the ECJ, as personal data are processed by Facebook and us in connection with our fan page or with its content and we contribute to the decision on the purposes and means of this processing.
For this reason, we have concluded a separate agreement with Facebook and divided which of us fulfills which obligations under the GDPR.
You can read the most important contents of this agreement under the following link:
https://help.instagram.com/519522125107875
If you would like to know how Facebook generally processes your personal data, you can find information on this at:
https://www.facebook.com/legal/terms/information_about_page_insights_data
2) Legal basis
Our legal basis for processing your personal data within the framework of our Instagram page is our public duty (Art. 4 para. 1 Bavarian Data Protection Act - BayDSG in conjunction with. Art. 6 para. 1 lit. e in conjunction with. Art. 6 para. 3 p. 1 General Data Protection Regulation (GDPR).
3) Purpose
Our Instagram page allows you to react to our posts, comment on them and send us private messages. The evaluation of this data is essential for us to improve the user experience for the future and to make the content more attractive. Furthermore, we receive anonymized or pseudonymized statistics from Facebook, which provide us with insights into the visitors to our Instagram page and their interactions with our Instagram page and its content.
4) Origin of the data
The data collected from you during your use of our Instagram page will be evaluated by Facebook and made available to us afterwards.
5) Duration of Storage
Your personal data will be deleted by us as far as they are no longer necessary to achieve the purpose. The deletion of your personal data takes place, as far as we are able, at the latest with the discontinuation of our Instagram page.
6) Possibility of objection and removal
If you do not want Facebook to collect your data, you can object at any time for the future. If you object to the processing of your personal data by Facebook, we will forward this objection request to Facebook..
III Threads
1) Extent of processing
We operate an information channel at https://www.threads.net/@neues_museum_nuernberg and use the technical platform and services of Meta Platforms Inc, 1 Meta Way, Menlo Park, CA 94025, USA (hereinafter referred to as Threads) for this purpose. Threads is a microblogging service on which registered users can send telegram-like messages.
The use of Threads by us does not imply any unrestricted endorsement of this medium or of the company or the privacy policy of Threads. The following applies to Threads users: The Threads short message service offered and its functions are used under your own responsibility. This applies in particular to the use of the interactive functions. We expressly point out that Threads stores the data of its users (e.g. personal information, IP address, etc.) in accordance with its data usage guidelines and uses it for business purposes. We have no influence on this data collection and the further use of the data by Threads.
More information on the privacy policy of threads can be found at
https://help.instagram.com/769983657850450/?helpref=uf_share
and the privacy policy of Meta Platforms Inc (https://privacycenter.instagram.com/policy)
With regard to the possibility of viewing information about the data stored about you, we refer you to https://privacycenter.instagram.com/guide/collection/
You can request information via the Meta Platforms Inc. data protection form or archive requests at https://www.facebook.com/help/contact/1650115808681298
2) Legal basis
The legal basis for the processing of your personal data is our public duty (Art. 4 para. 1 Bavarian Data Protection Act - BayDSG in conjunction with. Art. 6 para. 1 lit. e in conjunction with. Art. 6 para. 3 p. 1 General Data Protection Regulation (GDPR).
3) Purpose
We use your personal data, in particular your username and the content you publish, to share your messages and posts, to reply to them or to write our own threads that refer to your account or messages. In this way, we also make your data available to our other followers. We use other data, including likes, reactions, etc., in relation to our messages to make our content more relevant to you.
4) Origin oft he data
The personal data you provide when using our Threads channel is not collected by us directly, but is rather provided to us by Threads.
5) Duration of Storage
We will delete your personal data if it is no longer required to achieve the aforementioned purposes. Your data will be deleted at the latest, insofar as we can influence this, when we close our Threads channel.
6) Possibility of objection and removal
If you do not want Threads to collect your data, you can object at any time for the future. If you object to the processing of your personal data by Threads, we will forward this objection request to Threads.
You also have the option of restricting the processing of your personal data yourself. You can do this in the general settings of your personal Threads account and under ‘Data protection and security’. On mobile devices, you have the option (depending on the operating system used) to restrict access to contact and calendar data, photos, location data, etc., among other things. You can find further information at https://help.instagram.com/1207185479989246/?helpref=uf_permalink&parent_cms_id=179980294969821
Within our authority or the museum, your personal data will only be passed on to the units that need them to fulfill their tasks. For activities that we cannot perform within our company in terms of personnel or content, we use reliable and trustworthy service providers. A transfer of your personal data to these recipients is therefore also conceivable. The following categories of third-party service providers come into consideration in particular: Banks, payment service providers, POS system developers and support, tax consultants, law enforcement and security services, server hosting companies, media agencies, mailing and flyer distribution services, and social media managers.
In principle, we process your data within the Federal Republic of Germany or the territory of the EU/EEA. In exceptional cases, however, we may also transfer your data to trusted service providers and entities in third countries. The GDPR defines third countries as all countries outside the European Union or the European Economic Area.
We ensure that the service providers in third countries can guarantee us that your personal data is processed at a level that at least meets the requirements of the GDPR.
Furthermore, a transfer to third countries will only take place if an adequacy decision has been issued by the European Commission for that third country (see the current list of adequacy decisions here) or, in the absence of such a decision, on the basis of standard contractual clauses and if we have provided appropriate safeguards, such as standard contractual clauses, and enforceable rights and effective remedies are available to you
Please note: If you use our social media channels on Facebook, Instagram or Threads, personal data will be transmitted to the operators in the USA. Access to your personal data by US authorities cannot be ruled out.
According to the GDPR, you are entitled to the following data subject rights:
I Right of access
You can request access to your personal data processed by us in accordance with Art. 15 DS-GVO. In your request for access, you should specify your request in order to make it easier for us to compile the necessary data. Please note that your right to access information may be restricted under certain circumstances in accordance with the statutory provisions (in particular Section 34 BDSG and Art. 10 BayDSG).
If a right to access exists, we will inform you about:
• the purposes of the processing
• the categories of personal data concerned;
• the recipients or categories of recipient to whom the personal data have been or will be disclosed
• the envisaged period for which the personal data will be stored
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing as well as the right to lodge a complaint with a supervisory authority
• where the personal data are not collected from you, any available information as to their source
• the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you
II Right to rectification
If the information concerning you is not (or no longer) accurate, you may request a rectification in accordance with Art. 16 GDPR. If your data is incomplete, you can request that it be completed.
III Right to restriction of processing
Within the framework of the specifications of Art. 18 GDPR, you have the right to demand a restriction of the processing of the data concerning you if one of the following conditions is met:
• If you contest the accuracy of your data, for a period of time that allows us to verify the accuracy of the personal data
• the processing of your personal data is unlawful
• Our purpose has ceased to exist, but you need the data to assert, exercise or defend legal claims
• You have objected to the processing pursuant to Art. 21 para 1 GDPR and we are reviewing it
IV Right to erasure
You can request the erasure of your personal data under the conditions of Art. 17 GDPR. Your right to erasure depends, among other things, on whether the data concerning you is still needed by us to fulfill our legal duties.
Your claim exists in particular if
• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
• you have withdrawn your consent on which the processing was based and we lack any other legal basis for the processing
• you have objected to the processing and there are no overriding legitimate grounds for the processing
• the personal data have been unlawfully processed
• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which we are a subject
• the data was collected from you as a minor under the age of 16 for offers of information society services
V Right to notice
If you have exercised one of the aforementioned rights, we will also inform other recipients of your personal data in this regard.
VI Right to data portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transfer this data to another controller without hindrance from us, provided that the legal requirements of Art. 20 GDPR are met.
VII Right to object
According to Art. 21 GDPR, you have the right to object to the processing of data relating to you at any time for reasons arising from your particular situation. However, we are not always able to comply with this, e.g. if legal provisions oblige us to process data within the scope of our official task fulfillment.
If we process your personal data for the purpose of direct marketing, you have the right to object at any time.
VIII Right to revocation
You have the right to revoke any consent given to us at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
IX Right to complain to a supervisory authority
If you are of the opinion that we have not complied with data protection regulations when processing your data, you may, without prejudice to any other administrative or judicial remedy, lodge a complaint with the supervisory authority responsible for us.
The supervisory authority responsible for us is:
Bavarian State Commissioner for Data Protection
(Bayerischer Landesbeauftragter für den Datenschutz)
Wagmüllerstr. 18
80538 München, Germany
Fon.: +49-89-2126720
E-Mail: poststelle@datenschutz-bayern.de