Privacy
Data privacy information for kunsthalle-mainz.de
Data privacy information
In the following, we inform you about the processing of personal data by our organization and how we protect your personal rights as part of this. With our data privacy information, we provide you with information in accordance with the applicable EU General Data Protection Regulation (GDPR). You can access the GDPR here.
We have compiled extensive data privacy information for you. To make it easier for you to use it, we have outlined the contents to begin.
1. Name and contact details of those responsible for processing and of the company’s Data Protection Officer
2. Log files from website visits
3. Registration form for supporters under “Friends”
4. Processing for sending the program by mail
5. Integration of our social media representation
6. Contact via e-mail
7. Newsletter subscription
8. Contact by telephone
9. Booking events
10. Use of cookies
11. Third-country transfer
12. Rights of data subjects
12. Right of objection
13. Security
15. Up-to-date nature and amendment of this data privacy information
1. Name and contact details of those responsible for processing and of the company’s Data Protection Officer
This data privacy information applies to data processing by:
Kunsthalle Mainz, as represented by: Kunsthalle Mainz Foundation, public foundation under civil law, c/o Stadtwerke Mainz AG, Rheinallee 41, 55118 Mainz, Germany
E-mail: marquis(at)kunsthalle-mainz.de
Telephone: +49 (0) 6131 126936
Foundation’s Board of Management
Daniel Gahr (Chairman) – Board Member at Stadtwerke Mainz AG
Marianne Grosse – Deputy Mayor for Culture of the City of Mainz
Dr. Denis Alt – State Secretary at the Rhineland-Palatinate Ministry of Science and Health
Data Protection Officer
The organization’s Data Protection Officer can be contacted at datenschutz(at)mainzer-stadtwerke.de.
2. Log files from website visits
- When you access our website, the browser used on your end device automatically sends information to our website’s server. This information is temporarily stored in a so-called logfile. The following information is collected without your intervention and deleted when it is no longer needed to achieve the purpose:
- Type and version of browser
- Operating system used
- Referrer URL (address of the website from which you accessed our site)
- Host name of the accessing computer
- Time of the server request
- IP address
We process the abovementioned data for the following purposes:
- To ensure the connection with the website is established smoothly;
- To enable convenient use of our website;
- To evaluate system security and stability; and
- for other administrative purposes.
The legal basis for the data processing is section 6, para. 1(f) of the GDPR. Our legitimate interests stem from the purposes of data acquisition listed above. Under no circumstances will we use the acquired data to draw conclusions about you as an individual. The data are deleted when they are no longer needed to achieve the purpose.
3. Registration form for supporters under “Friends”
Under the “Friends” section on our website, we provide a form for download which you can use to register as a supporter of the Kunsthalle, specifying a certain supporter contribution. On this form, you can give the Kunsthalle a SEPA direct debit mandate. You can return the completed document to us by fax or mail.
Description and scope of data processing:
To register you as a supporter and to issue a SEPA direct debit mandate, we require certain mandatory information (name, postal address, account details). The mandatory fields are marked on the form. Without entries data, we cannot register you as a supporter or make any debits from your account. However, you are not obliged to issue a direct debit mandate. When the direct debits are carried out, the bank you specify will receive the corresponding payment information.
Purpose of data processing:
The purpose of processing your data is the administration of our sponsors and the execution of direct debits.
Legal basis for data processing:
The legal basis for the data processing is section 6, para. 1(f) of the GDPR.
Duration of storage:
The data are deleted as soon as they are no longer required for the purpose for which they were recorded. In the case of the above-mentioned data, this is the case when the contract with you has ended and payments no longer need to be made. Subject to legal retention periods beyond this point, the data will then be deleted. Legal retention periods of ten years apply for data relevant to accounting.
4. Processing for sending the program by mail
We also process your data for the purpose of sending our program in the mail.
Description and scope of data processing:
We use the data provided in the form, such as first and last names and your postal address, to occasionally send you information about our programs and exhibitions.
Purpose of data processing:
We use such mailings to provide you with information and to promote our offering.
Legal basis for data processing:
Processing for advertising purposes takes place based on our legitimate interest in advertising pursuant to section 6, para. 1(f) of the GDPR.
Duration of storage:
Processing for advertising purposes is initially carried out for an unlimited period until receipt of any objection to advertising from you and with expiry of the purpose.
5. Integration of our social media representation
Our website contains links to online representation on various social media platforms.
Unless otherwise stated below, the legal basis for the transmission of your data is section 6, para. 1(f) of the GDPR. Our legitimate interest is to inform you about our services and products and to be able to get in touch with our customers in a straightforward way and to do public relations work.
We use the following services:
Facebook and Instagram:
The company operating the Facebook and Instagram services is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta”).
We operate a Facebook page and an Instagram profile for the aforementioned purposes. Meta processes your data when you interact with the service for its own purposes. You can find more information here. We have no knowledge beyond this about the data processing carried out by Meta.
Whenever you interact with our Facebook page or our Instagram profile, we process your data with Meta in so-called joint responsibility according to section 26 of the GDPR for the sake of so-called insights. Here it was agreed that Meta is responsible for informing data subjects as per section 12 and 13 of the GDPR and for fulfilling data subject requests according to section 15–21 of the GDPR and reporting and notification obligations under section 33 and 34 of the GDPR. You can view the agreement here. You can exercise your rights against both data controllers at any time.
The parent company of Meta Platforms Ireland is Meta Platforms, Inc. in the USA. The information generated by Meta is transferred to servers of Meta Platforms, Inc. in the USA and processed there. On July 10, 2023, the EU Commission issued an adequacy decision for the Data Privacy Framework for data transfers to recipients located in the USA. According to this, an adequate level of data protection is assumed for data transfers to certified recipients located in the USA (see also section 11). Meta Platforms, Inc. is a certified company.
6. Contact via e-mail
Scope of processing:
If you provide us with your e-mail address or get in touch with us via e-mail, the personal data transmitted with the e-mail, such as e-mail addresses, technical header information, date and time, as well as the content of the e-mail, will be stored. Data will only be passed on to third parties if this is necessary to respond to your request.
Purpose and legal basis:
The data are processed for the purpose of answering e-mail enquiries. The legal basis for the data processing in this respect is section 6, para. 1(f) of the GDPR. If such contact is aimed at concluding, implementing, or terminating a contract, the additional legal basis for the processing is section 6, para. 1(b) of the GDPR. E-mail addresses will only be used for advertising purposes if you have expressly consented to this (section 6, para. 1(a) of the GDPR).
Duration of processing:
The data is processed only until no further correspondence is expected. If the e-mail correspondence arises in a contractual context, the data will be stored as business letters, generally, in accordance with mandatory regulations under commercial and tax law, for six years, or ten years in the case of content relevant to billing. The processing of data for promotional purposes will be carried out until the time when the underlying consent is revoked.
7. Newsletter subscription
On our website there is the option to subscribe to our free newsletter. As part of this, when you sign up for the newsletter the e-mail address from the input screen is transferred to us. First and last names can be entered for the newsletter subscription but are not mandatory and are merely for the sake of addressing you by name.
Scope of processing:
We use your e-mail address to send you newsletters.
Purpose and legal basis:
E-mail addresses will only be used for advertising purposes if you have expressly consented to this (section 6, para. 1(a) of the GDPR). You can revoke your consent for the future at any time. We process your revocation based on our legitimate interest in effective consent management in accordance with section 6, para. 1(f) of the GDPR.
Duration of processing:
The processing of data for promotional purposes will be carried out until the time when the underlying consent is revoked. Otherwise, we delete your data when the purpose ceases to apply.
8. Contact by telephone
Scope of processing:
In the context of contact over the phone, we generally process the following personal data: telephone number and the time and duration of the phone call.
In the absence of the called party or outside business hours, you can use an answering machine function; this generates digital recordings (voice files) in addition to the previously mentioned data.
As a rule, the contents of the conversation are also recorded electronically in call notes. Such data will generally not be passed on to third parties.
Purpose and legal basis:
The data are processed for the purpose of making calls, both technically and with regard to content, or to enable necessary callbacks in the event of missed calls. Call notes serve for documentation and evidence of the conversations conducted.
The legal basis for the data processing in this respect is section 6, para. 1(f) of the GDPR; our legitimate interest is to be able to respond to your contact. If such telephone contact is aimed at concluding, implementing, or terminating a contract, the additional legal basis for the processing is section 6, para. 1(b) of the GDPR.
Duration of data processing:
The data is processed only until no further telephone contact is expected. Itemized bills for outgoing calls may be relevant for accounting purposes under commercial and tax law and are retained for ten years in this case. The same applies to call notes. Voice files are only stored for a short time until the missed call has been dealt with.
9. Booking events
It is possible to book events through the website, such as a children’s birthday workshop or similar.
Scope of processing:
As part of this process, the contact details of the contractors (and, if applicable, the persons participating) are collected. Payment is made on site.
Purpose and legal basis:
The purpose of the processing is the booking of events, with the legal basis being section 6, para. 1(b) of the GDPR.
Duration of data processing:
Processing ends with the termination of the contractual relationship, insofar as there are no retention periods to the contrary.
10. Use of cookies
Cookies are text files that are stored in the internet browser or on the user’s computer system by the internet browser. If a user accesses a website, a cookie can be stored on their operating system. This cookie has a specific sequence of characters that permits definitive identification of the browser when the website is accessed again.
11. Third-country transfer
Transfer of personal data to third countries only takes place if the requirements of section 44 et seq. of the GDPR are met.
A third country is a country outside the European Economic Area (EEA) in which the GDPR is not directly applicable. A third country is considered unsafe if the EU Commission has not issued an adequacy decision for that country pursuant to section 45, para. 1 of the GDPR confirming that there is adequate protection for personal data in the respective country.
On July 10, 2023, the EU Commission issued an adequacy decision for the Data Privacy Framework for data transfers to recipients located in the USA. According to this, an adequate level of data protection is assumed for data transfers to certified recipients located in the USA.
Your personal data can only be transferred to recipients located in the USA without certification, or to recipients from third countries without an adequacy decision, if:
- sufficient guarantees are provided by the recipient in accordance with section 46 of the GDPR for the protection of the personal data,
- you have expressly consented to the transfer after we have informed you of the risks, in conformity with section 49, para. 1(a) of the GDPR,
- the transfer is necessary for the performance of contractual obligations between you and us or
- another exception from section 49 of the GDPR applies.
Guarantees according to section 46 of the GDPR can be so-called standard contractual clauses. In these standard contractual clauses, the recipient guarantees to sufficiently protect the data and thus to ensure a level of protection comparable to the GDPR.
12. Rights of data subjects
You have the right:
- in accordance with section 15 of the GDPR, to request information about the personal data we process in relation to you. Specifically, you can request information on the purposes of processing, the category of personal data, the categories of recipients to whom your data is or has been disclosed, the planned storage time, the existence of a right to correction, deletion, limitation of processing, or objection, the existence of a right of complaint, the origin of your data where it is not obtained by us, and the existence of an automated decision-making process including profiling and, where relevant, precise details thereof;
- in accordance with section 16 of the GDPR, to immediate correction in the case of inaccuracies, or completion of the personal data we have stored for you;
- in accordance with section 17 of the GDPR, to request deletion of the personal data we have stored for you, provided that its processing is not necessary for the exercising of the right to freedom of expression and information, for the fulfilment of a legal obligation, for reasons of the public interest or for the assertion or exercise of or the defense against legal claims;
- in accordance with section 18 of the GDPR, to request limitation of processing of your personal data where the accuracy of the data is disputed, its processing is unlawful, you object to its deletion but we no longer require the data, you require this for the assertion or exercise of or the defense against legal claims, or you have lodged an objection to its processing in accordance with section 21 of the GDPR;
- in accordance with section 20 of the GDPR, to obtain the personal data you have provided us with in a structured, commonly usable, and machine-readable format, or to request its transfer to another responsible party;
- in accordance with section 7, para. 3 of the GDPR, to revoke consent previously given to us at any time. This will mean that we will no longer be able to carry out the data processing this consent related to in the future;
- and to complain to a supervisory authority, pursuant to section 77 of the GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our registered office for this purpose.
13. Right of objection
Where your personal data is processed on the basis of legitimate interests, in line with section 6, para. 1(f) of the GDPR, you have the right, in accordance with section 21 of the GDPR, to object to the processing of your personal data where there are reasons for this arising from your specific situation or where you are objecting to direct advertising. In the latter case, you have a general right of objection, which is implemented by us without information on your specific situation.
If you wish to exercise your right of revocation or objection, simply send an e-mail to datenschutz@mainzer-stadtwerke.de.
14. Security
To protect your data transmitted via our online offering, we use TLS encryption. You can recognize these kinds of encrypted connections by the prefix https:// in the address bar of your browser.
Please use only the latest browsers and remember to update regularly.
15. Up-to-date nature and amendment of this data privacy information
This data privacy information is currently valid and was last revised in August 2023. Due to further development of our website and offerings, or based on amendments to statutory or regulatory provisions, it may occasionally be necessary to amend this data privacy information. You can access and print out the current data privacy information on this website at any time.