Imprint / Data privacy
documenta archiv | documenta und Museum Fridericianum gGmbH
T +49 561 70727-0
F +49 561 70727-39
Court of Registry:
AG Kassel, HRB 2154
VAT Identification Number DE 113060585
Director General: Dr. Sabine Schormann
Chairman of the Supervisory Board:
Christian Geselle, Lord Mayor
Responsible for content in accordance with Art. 55, paragraph 2 RStV: Dr. Sabine Schormann
The documenta archiv is operated under the supervision of documenta und Museum Fridericianum gGmbH and its shareholders, the City of Kassel and the State of Hessen.
1. Scope and purpose of the processing of personal data
1.1 Accessing and visiting the website
When this website is accessed, the visitor’s Internet browser automatically sends data to the server of this website, where it is stored in a log file at our host and service provider for a limited period of at most two weeks. Until automatic deletion, the following data will be stored without further input by the visitor:
- IP address of the visitor’s terminal device,
- date and time of access by the visitor,
- name and URL of the page accessed by the visitor,
- the website from which the visitor accessed the website (so-called referrer URL),
- the browser and operating system of the visitor’s terminal device and the name of the access provider used by the visitor.
The processing of this personal data is based on our legitimate interests pursuant to Art. 6 para. 1 p. 1 lit. f) General Data Protection Regulation (GDPR). We therefore have a legitimate interest in the processing of data for the purpose of:
- establishing a connection to the website quickly,
- enabling a user-friendly application of the website,
- detecting and ensuring the security and stability of the systems and facilitating and improving the administration of the website.
The processing is expressly not carried out for the purpose of obtaining knowledge about the visitor to the website.
1.2 Contact via e-mail (e-mail client on your computer)
Visitors can send messages to us, in particular via e-mail, voluntarily providing personal data. In order to be able to receive a response from you, it is necessary for you to provide at least a valid e-mail address and your last name. All other information can be given voluntarily by the inquiring person, but that person is not obligated to do so. By sending the e-mail, the visitor consents to the transmitted personal data being processed. The data is processed exclusively for the purpose of handling and responding to inquiries. This is done on the basis of the voluntary consent provided pursuant to Art. 6 para. 1 sentence 1 letter a) GDPR. The data received from you via this communication channel and processed by us will be automatically deleted as soon as the request is completed and there are no reasons for further storage (e.g. subsequent commissioning, a donation or the like).
In the framework of correspondence with us by e-mail, your personal data may also be transferred to service providers outside the European Union and the European Economic Area (EEA) through the e-mail service we use, Microsoft Office 365 in the USA. A transfer will only take place on the basis of EU standard contractual clauses as appropriate safeguards to protect your personal data in an insecure country. Information on the processing of your personal data by the controller “Microsoft Corporation” is provided by the latter under the following link: https://privacy.microsoft.com/de-de/privacystatement.
You can request detailed information on this and on the level of data protection at our service providers in third countries using the contact information above.
If you would like to receive the newsletter offered on the website, we need an e-mail address from you as well as information that allows us to verify that you are the owner of the specified e-mail address and that you agree to receive the newsletter (a so-called double opt-in). Further data is not collected, or is collected only on a voluntary basis. We use this data exclusively for sending the requested information and for related analysis purposes. This processing of the data entered in the newsletter registration form is based exclusively on your consent (Art. 6 para. 1 sentence 1 letter a) GDPR). We always try to ensure that your information is up to date. You can therefore inform us at any time if your contact details change. To do so, you can contact us at the addresses listed above. You can revoke your consent to the storage of the data, the e-mail address, and their use for sending the newsletter at any time, for example via the “unsubscribe” link in each newsletter. The legality of the data processing operations that have already been carried out remains unaffected by the revocation. Data that has been stored by us for other purposes also remains unaffected by this.
Our dispatch service provider Sendinblue GmbH uses so-called web beacons or tracking pixels. Tracking pixels are extremely small image files, often only 1×1 pixels in size, which are integrated into the newsletter e-mail and thus allow log file recording and log file analysis.
If the user now opens the respective previously loaded email, the tracking pixel is loaded from the Sendinblue server and at the same time some information about the e-mail recipient is transmitted, such as:
- whether the e-mail was opened,
- the time of the call,
- the associated IP address.
We will store the data you provide for the purpose of receiving the newsletter until you unsubscribe from the newsletter, and it will be deleted from our servers and the servers of Sendinblue after you unsubscribe from the newsletter.
Detailed information on the functions of Sendinblue can be found at the following link: https://de.sendinblue.com/blog/email-tracking/.
The website uses so-called cookies. These are data packets that are exchanged between the server of our website and the visitor’s browser. They are stored by the respective devices used (PC, notebook, tablet, smartphone, etc.) when the website is visited. Thus, cookies cannot cause any damage to the devices used. In particular, they do not contain viruses or other malware. In the cookies, information is stored that arises in each case in connection with the specific terminal device used. We can therefore in no way obtain direct knowledge of the identity of the visitor(s) to the website.
Temporary cookies are used to improve user-friendliness. They are stored on the visitor’s device for a temporary period of time. When the website is visited again, it is automatically recognized that the visitor has already called up the page at an earlier point in time and which entries and settings were made in the process. As a result, these do not have to be repeated.
Please refer to the list below for the different types of cookies (e.g. cookies that are technically necessary for displaying the website, or cookies that serve statistical and marketing purposes) that are set on your terminal device when you visit our website, as well as further information on these cookies (e.g. provider, purpose, storage period, etc.).
For cookies that are not technically mandatory, we obtain your consent (via the information window that opens at the beginning of your visit to our website) in accordance with Art. 6 Para. 1 lit. a GDPR. The processing associated with the setting of technically mandatory cookies is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR.
3. Web analysis by Matomo (formerly PIWIK)
3.1 Scope of the processing of personal data
We use the open source software tool Matomo (formerly PIWIK) on our website to analyze the surfing behavior of our users. The software stores a cookie on the user’s computer (for cookies, see above). If individual pages of our website are called up, the following data is stored:
- two bytes of the IP address of the calling system of the user(s),
- the website called up,
- the website from which the user has reached the website called up (referrer),
- the subpages called up from the website that has been called up,
- the time spent on the website,
- the frequency with which the website is called up.
The software runs on the servers of our website. Personal data of the users is stored only there. The data is not passed on to third parties.
The software is set so that the IP addresses are not stored in full, but 2 bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). In this way, it is no longer possible to assign a shortened IP address to the calling computer.
3.2 Legal basis for the processing of personal data
The legal basis for the processing of users’ personal data is the consent of each user pursuant to Art. 6 para. 1 lit. a GDPR. The consent is realized and stored by means of a cookie banner (information window at the beginning of the visit to the website).
3.3 Purpose of data processing
The processing of our users’ personal data enables us to analyze their surfing behavior. By evaluating the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. By anonymizing the IP address, the interest of users to protect their personal data is adequately taken into account.
3.4 Duration of storage
The data is deleted immediately as soon as it is no longer required for our recording purposes.
3.5 Removal option
4. Links to other websites
On our website, we link to the online offerings of the social networks Instagram, Facebook, Twitter, YouTube, Soundcloud, Xing and LinkedIn, on which documenta und Museum Fridericianum gGmbH maintains its online presence (see 5. presence and offerings on social networks and online platforms).
On our website, we also link to the online services of Deutsche Bahn, Google Maps, and Kasseler Verkehrs-Gesellschaft (KVG). documenta und Museum Fridericianum gGmbH does not pass on any personal data to the respective site operators. The respective site operators are responsible for the processing of your personal data.
5. Appearances and offers on social networks and online platforms
In order to make our cultural offerings and related information accessible to a large number of people, we are active on social networks. We would like to point out that the social media we use operate on a global scale and therefore it cannot be ruled out that your personal data will also be processed outside the EU. To ensure that your data protection rights are also protected in the event of a transfer to third countries, a transfer will only take place in accordance with Art. 44 et seq. GDPR and Art. 49 GDPR. Furthermore, we would like to draw your attention to the fact that the respective platform operators may in part independently process personal data from you and merge it into user profiles. This may also occur in part if you do not maintain a user account with the respective social network. If you are registered as a user with one of the networks, the deployment of the content provided by us will be evaluated and assigned to your profile. This happens regardless of the terminal devices with which you use the media. The tracking and profiling is done for the purpose of offering you an optimal user experience and to provide you with tailored advertising—both within and outside the network. You can find out which techniques the respective operator uses to process your personal data and which opt-out options you have in this regard in the corresponding data protection declarations of the social network as well as in the further information (see below). If you wish to exercise your data subject rights, we recommend that you contact the respective operator of the social network directly. As a rule, documenta und Museum Fridericianum gGmbH does not have access to the personal data processed by the respective operators. documenta und Museum Fridericianum gGmbH receives personal data from the operators of social networks to the extent that you permit this through the settings you have made with the network. 
The social network operator may provide us with information such as your name, user ID, profile picture, network, gender, username, age or age group, language, country, friends list, followers list, and any other information that you have consented to provide to us or that the social network provides to us (e.g., reports on interactions with our website, etc.). documenta und Museum Fridericianum gGmbH processes the personal data you provide in order to share your opinions with your friends, followers or contacts on the associated social network and to optimize its presence and reach in social media. The processing is thus based on our legitimate interests in reporting on our cultural work and carrying out public relations / PR in general.
Types of data you process when visiting social networks (depending on the setting and network):
- master data (e.g. user name, name),
- contact data (e.g. e-mail address),
- usage data (e.g. usage times, activities),
- content data (e.g. data provided by you, such as comments, images or videos),
- metadata (device ID, network and connection, cookie data).
Persons affected by data processing:
The respective user of the social network or the device owner with whose device the service is used.
- public relations / PR in general,
- tracking (e.g. provision of measurements, analyses of surfing and user behavior),
- reach measurement (e.g. access figures, calls).
5.1 Legal basis (depending on how you relate to the respective operator of the social network):
Our legitimate interests or the legitimate interests of third parties (e.g., the platform providers) (see above) (Art. 6 para. 1 p. 1 lit. f. GDPR). If you have a user account with a social network and have consented to the transfer of your data to third parties as part of your data protection settings, the legal basis for this is the consent to tracking (Art. 6 para. 1 lit. a GDPR).
5.2 Services used and service providers (recipients of your personal data):
Within the scope of our online presence and for the dissemination of our offer and our content, we consequently also make use of external services and service providers, including online platforms. Below you will find important information on the processing of your personal data within the scope of these services and service providers. The specific processing of personal data within the scope of the respective services below depends on several factors (e.g. provider, users’ own privacy settings and activities). If you have any questions about the processing in a specific individual case, you are welcome to contact us or our company data protection officer.
5.2.1 Instagram (social network)
5.2.2 Facebook (social network)
Joint responsibility of documenta and Facebook
5.2.3 YouTube (social network, media portal)
Our website uses plugins from the YouTube site operated by Google. YouTube sets cookies on the terminal device you use, which can also be used to analyze usage behavior for market research and marketing purposes. In the process, the YouTube server is informed which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account. The basis for the use of the YouTube plugins is your consent pursuant to Art. 6 para. 1 lit. a GDPR. Please note that without your consent, it is not possible to play the embedded YouTube videos. If you have not given your consent in our cookie banner, you have the option to do so directly via a lock screen in the embedded video. In addition, you can manage your consents at any time via the “Cookie settings” link at the very bottom of this page. If you wish to revoke the consent you have given, you can also do so via the same route.
5.2.4 Twitter (social network, short message service)
5.2.5 XING / New Work SE (professional network)
5.2.6 LinkedIn (professional network)
5.2.7 SoundCloud (social audio platform)
We process the data provided to us by the social media network operators (e.g. reports) in the social media management software “Hootsuite.” We have a legitimate interest in using this software pursuant to Art. 6 (1) lit. f GDPR. The transfer to Hootsuite in Canada is covered by an adequacy decision of the EU Commission.
Hootsuite enables us to manage multiple social media accounts. Posts can be prepared, scheduled, published, liked, and shared in it. At the same time, the channels of the different services can be tracked within Hootsuite in order to follow discussions on the social web that are relevant for us.
6. Data protection during applications and the application process
The primary purpose of data processing is to carry out and process the application process and to assess the extent to which you are suitable for the position in question. As a result, the processing of your applicant data is necessary to be able to decide on the establishment of an employment relationship and thus on the hiring. The primary legal basis for this is Art. 6 (1) lit. b) GDPR in conjunction with Section 23 (1) HDSIG. The processing of special categories of personal data—insofar as necessary for the decision on recruitment—is based on Art. 9 (1) GDPR in conjunction with Section 23 (3) HDSIG. If you have voluntarily provided us with special categories of personal data whose processing is not necessary for the decision on recruitment, the collection and processing will be based on your consent given with the submission. We also collect and process personal data of applicants on the basis of legitimate interests for the defense of legal claims (in particular from the General Equal Treatment Act (AGG)) pursuant to Art. 6 para. 1 p. 1 lit. f GDPR. The processing may also take place electronically. This is particularly the case if an applicant sends us the relevant application documents electronically, for example by e-mail. We have set up a special e-mail address for applications by e-mail [email@example.com]. If we conclude an employment contract with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If no such contract is concluded with the applicant, the application documents will be automatically deleted no later than 6 months after notification of the decision regarding rejection, provided that no other legitimate interests on our part prevent deletion. An example of an “other legitimate interest” in the sense just mentioned is the obligation to provide evidence in proceedings under the General Equal Treatment Act (AGG).
7. Data protection information for participation in events/exhibitions
We process the personal data you provide to us as part of the registration process for the purpose of preparing and holding the respective event as well as for capacity planning on the basis of your consent granted through registration pursuant to Art. 6 (1) lit. a GDPR and, depending on the type of event, on the basis of a contract pursuant to Art. 6 (1) lit. b GDPR. You can revoke your consent at any time with effect for the future. A revocation has the consequence that we can no longer use your personal data for the event—which requires registration—and your participation in the event is therefore excluded.
To the extent necessary, we process your data beyond your consent in accordance with Art. 6 (1) p. 1 lit. f GDPR to protect our or third parties’ legitimate interests, such as for the defense in legal disputes.
Please note that photographs or video recordings will be made at our events and the image or video material may be published on the Internet, on the sites operated by documenta und Museum Fridericianum gGmbH or its cooperation partners, or on social media and/or in one of the publications of documenta und Museum Fridericianum gGmbH or its cooperation partners, for the purpose of public relations (in particular reporting) on the respective event.
By participating in the event, you consent to the publication of photographs and video recordings made during the event (§§ 22, 23 KUG). The collection, i.e. the photographic recording and its processing, is carried out for the purpose of an illustrated report on the basis of Art. 6 para. 1 p. 1 lit. f GDPR. We would like to point out that you may object to this processing pursuant to Art. 21 (1) GDPR for reasons arising from your particular situation. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
The objection should be sent to the above address.
We would like to point out that the documentation of the event may also result in data worthy of archiving, which may be transferred to the holdings of the documenta archiv. Should archival records contain personal data about you, we will process these data on the basis of Art. 6 para. 1 lit. c GDPR in conjunction with § 7, 8, and 11 HArchivG. We process the special categories of personal data that may be processed in this context on the basis of Section 25 HDSIG.
If you have any questions about this information, including your (data protection) rights, you can contact our data protection officer at firstname.lastname@example.org.
8. Your rights
You have rights vis-à-vis us with regard to the personal data concerning you. Special legal regulations may prevent the fulfillment of general data protection rights. If you assert a corresponding right and special legal regulations prevent us from fulfilling it, we will inform you of this, stating the specific reasons. You are entitled to the data protection rights listed below:
Pursuant to Art. 15 GDPR, you may request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it was not collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details.
Pursuant to Art. 16 GDPR, you can immediately request the correction of incorrect data or the completion of your personal data stored by us.
Pursuant to Art. 17 GDPR, you have the right to request the deletion of your personal data stored by us, unless processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the assertion, exercise, or defense of legal claims.
8.4 Restriction of processing
Pursuant to Art. 18 GDPR, you may request the restriction of the processing of your personal data, insofar as you dispute the accuracy of the data, the processing is unlawful, but you object to its deletion and we no longer need the data, or you need it for the assertion, exercise, or defense of legal claims, or you have objected to the processing pursuant to Art. 21 GDPR.
8.5 Data portability
Pursuant to Art. 20 GDPR, you may receive the personal data you have provided to us in a structured, common, and machine-readable format or request that it be transferred to another controller.
Pursuant to Art. 7 (3) GDPR, you have the right to revoke the consent you have given to us at any time (e.g. in writing or by e-mail). This has the consequence that we may no longer continue the data processing based on this consent for the future.
Pursuant to Art. 77 GDPR, you may complain about our processing of your personal data to the responsible supervisory authority at any time. The supervisory authority responsible for us (The Hessian Commissioner for Data Protection and Freedom of Information) is based at Gustav-Stresemann-Ring 1, 65189 Wiesbaden.
8.8 Objection to the processing of your data
To the extent that we base the processing of your personal data on our legitimate interest pursuant to Art. 6 (1) p. 1 lit. f GDPR, you may object to the processing, in particular if the processing is carried out for advertising purposes. This is the case if the processing is not necessary, in particular, for the performance of a contract with you, which we show in each case in the following description of the functions. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of a justified objection on your part, we will review the situation and either discontinue or adjust the data processing or show you our compelling legitimate grounds on the basis of which we will continue the processing.
Of course, you can object to the processing of your personal data for purposes of advertising and data analysis at any time.
You can inform us of your objection using the contact details above.
Amendment of the data protection statement
(as of March 5, 2021).