Data Protection Policy
The following data protection policy of the Klassik Stiftung Weimar outlines the type, scope and purpose of processing of personal data (hereafter referred to as „data“) performed in connection with our online services, linked web pages, functions and content, as well as external platforms, e.g. our presence on social media platforms (hereafter referred to as „online services“). With regard to terminology used in this policy, e.g. „processing“ or „controller“, please refer to the definitions provided in Art. 4 of the EU’s General Data Protection Regulation (GDPR).
Klassik Stiftung Weimar
Foundation under public law
Tel.: +49 (0)3643 545-0
The Klassik Stiftung Weimar is legally represented by its president, Mr. Hellmut Seemann.
Types of processed data:
- Personal and master data (e.g. names, addresses)
- Contact data (e.g. email addresses, telephone numbers)
- Content data (e.g. text entries, photos, videos)
- Usage data (e.g. visited web pages, interest in content, access times)
- Meta-/communication data (e.g. device information, IP addresses)
Categories of persons affected by data processing
Visitors and users of our online services (hereafter summarily referred to as „users“)
Purpose of processing
- Provision of online services, functions and content
- Contact and communication with users
- Security measures
- Online tracking analysis/marketing
„Personal data“ is defined as all information that makes reference to identified or identifiable natural persons (hereafter referred to as „data subjects“). A natural person is regarded as identifiable if he/she can be directly or indirectly identified by means of an ID (e.g. a name), an ID number, location data, an online ID (e.g. cookie) or by one or more specific characteristics which convey the physical, physiological, genetic, psychological, financial, cultural or social identity of this natural person.
„Processing“ is defined as any procedure conducted with or without automated assistance, or any sequence of procedures conducted in connection to personal data. The term is broadly applicable and includes practically every case of data handling.
„Pseudonymisation“ refers to the processing of personal data in such a way that the data can no longer be assigned to any specific data subject without the provision of further information, whereby this information is specially safeguarded and is subject to organisational measures which ensure that the personal data cannot be assigned to an identified or identifiable natural person.
„Profiling“ refers to any type of automated processing of personal data with the aim of evaluating, analysing or predicting distinctive aspects related to a natural person, especially those related to work performance, financial situation, health, personal preferences, reliability, geographical location or changes in location of this natural person.
The term „responsible controller“ distinguishes the natural or legal person, agency, organisation or other entity which is entitled to make decisions alone or in consultation with others concerning the purposes and means of processing personal data.
The term „processor“ distinguishes a natural or legal person, agency, organisation or other entity who/which processes personal data on behalf of the responsible controller.
In accordance with Art. 13 GDPR, we provide the following information on the legal basis of our data processing activities. If the legal basis is not explicitly stated in the provisions below, the following applies: The legal basis for obtaining consent from the data subject is provided in Art. 6 (1 a) and Art. 7 GDPR; the legal basis for processing data necessary for rendering services and performing contractual obligations, as well as responding to inquiries is provided in Art. 6 (1 b) GDPR; the legal basis for processing data necessary for compliance with our legal obligations is provided in Art. 6 (1 c) GDPR; the legal basis for processing data necessary for pursuing our legitimate interests is provided in Art. 6 (1 f) GDPR. In cases for which processing is necessary to protect the vital interests of the data subject or of another natural person, Art. 6 (1 d) GDPR serves as the legal basis.
In accordance with Art. 32 GDPR and taking into account the latest standards in technology, the costs of implementation and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of threats to the rights and freedoms of natural persons, we undertake to implement appropriate technical and organisational measures to ensure a level of security appropriate to the given risk.
These measures serve to ensure the ongoing confidentiality, integrity and availability of data by monitoring its physical availability, as well as the respective access, input, transmission, storage and erasure of such data. In addition, we have implemented measures which protect the rights of our users, ensure personal data is erased, and counteract threats to the security of personal data. Furthermore, we take data protection into account when developing or selecting hardware, software and processing methods in accordance with the data protection principles by technical design and privacy-friendly defaults (Art. 25 GDPR).
Collaboration with processors and third parties
If in the course of processing your data, we should disclose, transmit or allow external persons or firms (processors or third-parties) to gain access to your data, this will only occur on the basis of legal regulations (e.g. when a third party requires data to fulfil contractual terms in accordance with Art. 6 (1 b) GDPR), either by the user’s consent, for the purpose of complying with legal obligations, or in pursuit of our legitimate interests (e.g. when using external service providers, web hosts etc.).
If we commission a third party to process data on the basis of a „data processing agreement“, this will occur in compliance with Art. 28 GDPR.
Transmission of data to third countries
If we process data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)), or if data is processed by, disclosed or transmitted to third parties in connection to using third-party services, this will only occur if necessary for meeting our (pre-)contractual obligations, if you have provided your consent, for the purpose of complying with legal obligations, or in pursuit of our legitimate interests. Insofar as data transfer does not require special legal or contractual permission, we only process or allow data to be processed in a third country if the specific provisions stipulated in Art. 44 ff GDPR apply. This means that data processing will only take place in accordance with guarantees contained in officially recognised data protection standards which correspond to those of the EU (e.g. the „Privacy Shield“ in the USA) or with specific, officially recognised contractual obligations (so-called „standard contractual clauses“).
Rights of data subjects
The data subject has the right to obtain confirmation whether his/her personal data is being processed, and if so, what the nature of this data is, together with additional information and a copy of the data in accordance with Art. 15 GDPR.
In accordance with Art. 16 GDPR, the data subject has the right to have incomplete personal data completed or incorrect data rectified.
In accordance with Art. 17 GDPR, the data subject has the right to have his/her data immediately erased, or in accordance with Art. 18 GDPR, have the processing of personal data restricted.
In accordance with Art. 20 GDPR, the data subject has the right to obtain all data he/she has provided us, and demand that this data be shared with other website controllers.
In accordance with Art. 77 GDPR, the data subject has the right to lodge a complaint with the responsible supervisory authority.
Right to withdraw consent
The data subject has the right to withdraw previously granted consent to process personal data with immediate effect for the future in accordance with Art. 7 (3) GDPR. If you wish to withdraw your consent, please contact Widerspruch@klassik-stiftung.de.
Right to object
In accordance with Art. 21 GDPR, the data subject has the right to object at any time to having his/her personal data processed with immediate effect for the future. The objection can apply to data processing for direct marketing purposes. If you wish to file an objection, please contact Widerspruch@klassik-stiftung.de.
Cookies / Right to object to direct marketing
„Cookies“ are small files saved on the user’s computer. Cookies may contain a variety of data. The primary purpose of cookies is to store information about the user (or the device on which the cookie is saved) during and, in some cases, after the user’s visit to a website. Temporary cookies, also called „session cookies“ or „transient cookies“, are erased as soon as the user leaves a website and closes his/her browser. Such cookies may contain information regarding the contents of an online shopping cart or one’s login status, for example. „Permanent“ or „persistent“ cookies remain saved on the user’s computer even after the browser is closed. These cookies may contain the user’s login status for up to several days after visiting a specific website. They may also contain information about the user’s interests which could be used for marketing purposes and tracking analysis. „Third-party cookies“ are those which originate from external providers in contrast to those created by the controller of the visited website, which would be designated as „first-party cookies“.
As we employ both temporary and permanent cookies, we wish to inform you about our data protection policy with regard to cookies.
If you do not want to have cookies saved on your computer, we recommend deactivating such cookies by selecting the respective option in your browser settings. Cookies already saved on your system can be erased in the same manner. By deactivating cookies, you may not be able to take full advantage of our online services.
Erasure of data
All the personal data we process is either erased or is subject to processing restrictions in accordance with Art. 17 and 18 GDPR. If not explicitly stated otherwise in this data protection policy, we erase all stored personal data as soon as the purpose of storage is no longer necessary, and its erasure does not prevent compliance with our legal obligations regarding data storage. If your data cannot be erased due to other requirements or legal regulations, we shall restrict its processing. This means that your data may not be transmitted, shared or processed for any other purposes. This applies, for example, to data which must be stored for commercial or tax-related reasons.
In accordance with legal regulations in Germany, in particular §§ 147 (1) AO, 257 (1, 1 & 4) HGB, such data must be kept for a period of ten years (e.g. accounts, records, status reports, invoices, trade books, tax-relevant documents etc.), and in accordance with § 257 (1, 2 & 3) HGB, for a period of six years (e.g. commercial letters).
Administration, accounting, office management, contact management
We process data in order to carry out our administrative duties, organise our operations, conduct accounting tasks and comply with legal obligations, in particular, archiving requirements. In this context, we process the same data which is processed for the purpose of performing our contractual services. The legal basis for processing this data is provided in Art. 6 (1 c & f) GDPR. Our data processing activities affect our customers, interested parties, business partners and website users. Data processing represents a legitimate interest as it allows us to perform administrative, accounting, office management and data archiving tasks, i.e. tasks which are necessary for sustaining our business activities, fulfilling our responsibilities and delivering our services. The erasure of data with regard to contractual services and contract-related communication corresponds to those processing activities mentioned above.
We disclose and transmit data to accountants, financial advisors, e.g. tax consultants and auditors, as well as other financial authorities and payment service providers.
Furthermore, in keeping with our legitimate business administrative interests, we save data concerning our suppliers, event managers and other business partners, e.g. for purposes of engaging in future contact. As a rule, we permanently save the majority of business-related data.
Provision of our statutory and business services
We process the data of our supporters, interested parties, clients and other persons in accordance with Art. 6 (1 b) GDPR, provided that we offer them contractual services or are engaged with them in an existing business relationship or are the recipient of their services or payments. Furthermore, we process personal data in accordance with Art. 6 (1 f) GDPR on the basis of legitimate interests, e.g. if administrative tasks or public relations activities necessitate such processing.
The processed data, as well as the type, scope, purpose and necessity of processing, are defined by the underlying contractual relationship. This data includes personal and master data (e.g. names, addresses), contact data (e.g. email addresses, telephone numbers), contract data (e.g. services, content and information received, names of contacts) and payment data if fees are charged for delivered services or products (e.g. bank details, payment history etc.).
We erase data as soon as it is no longer required for our statutory and business purposes. Erasure of data is determined in accordance with the respective tasks and contractual relations. In the case of business-related data processing, we store data for as long as might be relevant for completing the business transaction, also with respect to meeting guarantee and liability claims. The necessity of maintaining such data is assessed every three years; assessments are subject to compliance with statutory data retention requirements.
Note: Amazon and the Amazon logo are registered trademarks of Amazon.com Inc., or one of its affiliated enterprises.
Customers can purchase our publications by clicking an external link to https://www.museumshop-weimar.de/. For more information on how Museumshop GmbH Weimar processes personal data and your options for blocking data collection, please read the company’s data protection policy: https://www.museumshop-weimar.de/impressum.
We process applicant data for the purpose and in the context of the application process in accordance with legal regulations. Applicant data is processed in order to fulfil our (pre-)contractual obligations in the context of the application process in accordance with Art. 6 (1 b & f) GDPR, provided that processing such data is necessary, e.g. as part of the legal process (for which § 26 BDSG is also applicable in Germany).
In the application process, the applicant is required to provide us with his/her personal data. „Applicant data“ is designated as such when the user submits an online application and is otherwise indicated in the respective job description. The data includes personal information, postal and email addresses, and application-relevant documents, such as letters of application, CVs and certificates. The applicant may also volunteer additional information.
Upon submission of the application, applicants consent to having their data processed as part of the application process in accordance with the type and scope of processing described in this data protection policy.
If during the application process the applicant voluntarily provides personal data belonging to special categories as put forth in Art. 9 (1) GDPR (e.g. health-related data, physical handicaps or ethnic background), the processing of such data is completed in accordance with Art. 9 (2 b) GDPR. If during the application process we request personal data belonging to special categories as put forth in Art. 9 (1) GDPR, the processing of such data is completed in accordance with Art. 9 (2 a) GDPR (e.g. health-related data if such is required for determining the applicant’s ability to perform the job in question).
If an online form is provided, applicants can submit their applications to us electronically on our website. This data is transmitted to us using state-of-the-art encryption technology.
Applicants may also send their applications to us via email. However, emails are not automatically encrypted when transmitted, which means the applicant must personally ensure that email submissions are adequately encrypted. As we do not assume responsibility for the transmission path between the sender and our server, we recommend using the online application form or sending applications by post. For applicants who wish to forego electronic transmission altogether (via online form or email), sending applications by post is always an option.
If the applicant successfully applies for a position at our organisation, we reserve the right to process his/her provided data further for the purpose of establishing the employment relationship. Should the application fail to result in employment, we shall erase the applicant’s data. The applicant’s data is likewise erased if he/she withdraws his/her application – a choice that every applicant is entitled to make.
If the applicant does not file a justified objection to data storage, the applicant’s data is erased after a period of 120 days in order to respond to any follow-up questions concerning the application and produce evidence demonstrating compliance with the Federal Equal Treatment Act. Invoices for possible travel expense remuneration are archived in accordance with statutory tax regulations.
Comments and contributions
The Klassik Stiftung Weimar collects and saves data in connection with the publication of a blog. This data comprises the user’s name, email address and submitted comment. The data is provided voluntarily. The Klassik Stiftung Weimar does not use this data for any other purpose. The WordPress plugin „Remove IP“ prevents us from saving your IP address when you submit a comment.
All data provided in connection with comments and contributions are stored permanently until the user files an objection.
Antispam Bee plugin
Our website uses „Antispam Bee“ – a simple but highly effective antispam plugin which protects against trackback spam.
The plugin allows us to differentiate between real comments and spam comments. If Antispam Bee identifies a comment as spam, it saves the data on our server and notifies us. According to the software maker, the EU-developed plugin does not store the users’ private data.
For more information on how Antispam Bee collects and uses data, and how the plugin functions, visit: https://wordpress.org/plugins/antispam-bee/
Due to reasons of legitimate interest (i.e. analysing, optimising and efficiently operating our online services in accordance with Art. 6 (1 f) GDPR), we use the plugin „WP Statistics“ (https://wp-statistics.com) in our blog. This add-on software is used for internal statistical assessment, and the data remains on the servers of our service provider (on the basis of a third-party processing agreement). The software measures, for example, how many visitors read a specific article. The statistics are based on information collected during the visit to the blog. To protect the privacy of our users, IP addresses are anonymised prior to statistical analysis and data storage.
When a user contacts us (e.g. via contact form, email, telephone or social media), we process the data provided by the user in accordance with Art. 6 (1 b) GDPR in order to respond to the query and settle the matter accordingly. The user’s data may be stored in a customer relationship management system („CRM system“) or comparable contact management program.
We send newsletters, emails and other electronic messages with advertising information (hereafter summarily referred to as „newsletters“). In the following, we provide information about the content of our newsletters, registration modalities, delivery, statistical analysis and the right to withdraw consent.
Newsletters may only be delivered upon prior consent of the user or by legal authorisation. If the content of a newsletter is concretely described during the registration process, the consent of the user is required. Furthermore, our newsletters contain information about us and the services we provide.
Double opt-in and user log files: We use a double opt-in procedure when users register to receive our newsletters. This method requires the user to confirm receipt of a test email which is sent to their email account. User confirmation is required to ensure that no one else can register with the user’s email address without authorisation. The registration is recorded in a log file in order to document the registration process in compliance with legal regulations. The data in the log file includes the time of registration and subsequent confirmation, as well as the user’s IP address. Any changes made to this data are likewise saved on the server of the delivery provider.
In order to register for the newsletter, we only require the user’s email address. The user has the option to provide a name so that we can include a personal form of address in the newsletter.
The delivery of the newsletter and its respective measure of success is effected on the basis of the recipient’s consent in accordance with Art. 6 (1 a) and Art. 7 GDPR in combination with § 7 (2 (3)) UWG.
The documentation of the registration process is effected on the basis of our legitimate interest in accordance with Art. 6 (1 f) GDPR. Our interest is served by offering a secure, user-friendly newsletter system which in turn serves our business interests, meets our user’s expectations and permits us to document user consent.
Delivery of our newsletter can be cancelled at any time, i.e. the user may withdraw his/her consent. A cancellation link is included at the end of every newsletter. For reasons of legitimate interest, we can save email addresses used for newsletter delivery for up to three years before erasure in order to prove previously granted consent. The processing of this data is restricted to the defence of potential claims. Users are allowed to specifically request erasure of this data at any time provided that confirmation of former consent exists.
Hosting and email delivery
The hosting services we use provide the following services to our customers: Infrastructure and platform services, computing capacity, storage space and database services, email delivery, IT security services and technical maintenance, all of which serve to ensure the operation of our online services.
In this context, we or our hosting provider (commissioned to perform these tasks on our behalf based on a third-party processing agreement) process personal and master data, contact data, content data, contract data, usage data and meta- and communication data provided by our clients, interested parties and visitors to our website. The collection of this data is pursuant to our legitimate interests in providing efficient and secure online services in accordance with Art. 6 (1 f) GDPR in combination with Art. 28 GDPR.
Access data and server log files
In pursuit of our legitimate interests as provided in Art. 6 (1 f) GDPR, we or our hosting provider collect and store data on every access query made to content saved on our server (so-called „server log files“). These log files contain the name of the accessed web page, file, date and time of the query, transmitted amount of data, report on whether the query was successful, the browser type and version, the user's operating system, referrer URL (i.e. previously visited page), IP address and the querying provider.
For security reasons (e.g. for investigating cases of possible misuse or fraud), log file data is saved for a period of 365 days max., after which time it is erased. Data retained as evidence in criminal investigations is exempt from erasure until the respective case is conclusively clarified.
Tracking analysis with Matomo
We maintain online presence in social networks and platforms in order to communicate with active clients, interested parties and users, and provide them with information about our services. When a user accesses these networks and platforms, the terms and conditions of usage and the privacy policies of the respective controllers apply.
If not otherwise indicated in our data protection policy, we process the personal data of users insofar as they communicate with us via these social networks and platforms, e.g. when contributing or sending us messages, for the scope and duration required for the respective purpose.
Integrated third-party services and content
In pursuit of our legitimate interests (e.g. analysing, optimising and efficiently operating our online services as provided in Art. 6 (1 f) GDPR), we integrate third-party content and services into our website so that we can offer content and services provided by these third parties, for example, videos and fonts (hereafter referred to summarily as „content“).
Third-party providers of this content always obtain access to the user’s IP address, for without it, their content could not be transmitted to the user’s browser. In other words, the IP address is necessary for delivering third-party content. We make every effort to integrate third-party content only from those providers who pledge to use IP addresses exclusively for delivering content. Third-party providers can also use pixel tags (hidden graphic elements, also known as „web beacons“) for statistical and marketing purposes. By using pixel tags, providers can analyse information about the user traffic on our web pages. The pseudonymised information can also be saved in cookies on the user’s device. The cookies may contain technical information about the user’s browser and operating system, referral URLs, duration of the visit and other information about the usage of our online services, which can then be aggregated with related information from other sources.
We integrate videos via the video sharing platform „YouTube“, owned and operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, in a privacy-enhanced mode. This means that if the user visits a website with an embedded YouTube video player but does not click to play the video, YouTube will not automatically save cookies in the user’s browser. However, once the user clicks on a YouTube video player, YouTube may save a cookie in the user’s browser. However, no personal data is contained in the cookie information when the user clicks an embedded video. (Source: YouTube „Enable the privacy-enhanced mode for embedded videos“). Privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.
We use „Google fonts“, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, on our website. Privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.
We integrate „Google maps“, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, into our website. The data processed by Google can include the user’s IP address and location data. However, Google may only collect data with the user’s prior consent (usually granted via the settings on their mobile devices). The data can be transmitted and processed in the USA. Privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.
Usage of social media plugins
Data-protected sharing functions
We use data-protected share buttons. This solution was developed by Lombego based on the Shariff model which improves online privacy and replaces the conventional „share“ button typically used on social networks. Instead of establishing a link to the user’s browser, the software forms a connection between the controller’s server (on which the share button is integrated) and the respective social media platform. It then queries the number of likes etc. The user remains anonymous.
In pursuit of our legitimate interests (e.g. analysing, optimising and efficiently operating our online services as provided in Art. 6 (1 f) GDPR), we use plugins provided by the social media network facebook.com, operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereafter referred to as „Facebook“). The plugins can include interactive elements or content (e.g. videos, graphics and/or texts) and are recognisable by the Facebook logo (white „f“ on a blue tile, the words „Like“ or a „thumb’s up“ symbol) or are distinguished by the appendage „Facebook social plugin“. For a list and graphic representation of the Facebook social plugins, visit: https://developers.facebook.com/docs/plugins/.
Facebook is certified under the Privacy Shield Framework agreement which guarantees compliance with the European General Data Protection Regulation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
When a user activates a function on this website which contains such a plugin, the user’s device establishes a direct connection to the servers at Facebook. The content of the plugin is directly transmitted to the user’s device which integrates it into the website. The processed data can be used to create a user profile. Consequently, we have no influence on the scope of data collected by Facebook with the aid of this plugin.
The plugin allows Facebook to know that the user has accessed the respective page on our website. If the user is logged on to Facebook, Facebook can assign information collected during the visit to the user’s Facebook account. When multiple users interact via plugins, e.g. by clicking the „Like“ button or submitting comments, the information is directly transmitted from the user’s device to Facebook and stored on its server. Even if a user is not a registered Facebook member, Facebook has the capability of collecting the user’s IP address and saving it. According to Facebook, IP addresses collected in Germany are anonymised before they are saved.
If a user is a Facebook member but does not want Facebook to collect data about the visit to our website and assign it to his/her Facebook account data, the user must log out of Facebook before visiting our website and delete the respective cookie on his/her device. To prevent data collection for advertising purposes, you can change the settings to your Facebook user profile here: https://www.facebook.com/settings?tab=ads or visit the American ad blocking site: http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. The settings apply universally, i.e. apply to all devices, e.g. desktop computers and mobile devices.
Our website occasionally integrates functions and content provided by the messaging service Twitter, owned and operated by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. These can include photos, videos, texts and buttons, with which users can express whether they like the respective content. If the user is a member of Twitter, Twitter can assign information concerning the content and functions accessed by the user to the user’s respective Twitter profile. Twitter is certified under the Privacy Shield Framework agreement which guarantees compliance with the European General Data Protection Regulation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active). Privacy statement: https://twitter.com/de/privacy, opt-out: https://twitter.com/personalization.
Our website occasionally integrates functions and content provided by the social networking service Instagram, owned and operated by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. These can include photos, videos, texts and buttons, with which users can express whether they like the respective content. If the user is a member of Instagram, Instagram can assign information concerning the content and functions accessed by the user to the user’s respective Instagram profile. Instagram privacy statement: http://instagram.com/about/legal/privacy/.
Our website may include functions and content provided by the Google+ platform, owned and operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereafter referred to as „Google“). These may comprise photos, videos, texts and buttons with which users can share our website content with others through Google’s social media services. If the user is a member of the Google+ platform, Google can assign the user’s individual query of content and functions to the user’s personal profile.