We very much appreciate your interest in our museum. The management of Museum Barberini gGmbH attaches great importance to data protection. Should the processing of personal data be required and no legal basis for such processing exists, we generally obtain the data subject’s consent.
The processing of personal data, for example the name, address, e-mail address or telephone number of a data subject, always ensues in line with the General Data Protection Regulation and in compliance with the applicable country-specific protection provisions.
We have implemented numerous technical and organisational measures to ensure that the protection of personal data processed on this website is as seamless as possible. Nevertheless, Internet-based data transmissions always harbour the danger of gaps in security, meaning that no absolute protection can be guaranteed. For that reason, each data subject is at liberty to transmit personal data to us by alternative means as well, by telephone, for example.
Beyond the website, we also process personal data within the scope of our business relationship. Information on such data processing and your entitlements and rights under data protection law, which partially also apply to the data processing on our website, may also be found in our DATA PRIVACY NOTICE.
General information: Name and address of controller
Controller in terms of the General Data Protection Regulation, other data protection laws applying to the Member States of the European Union and other provisions of a data protection nature is:
Museum Barberini gGmbH
+49 331 236014-399
You may reach our operational data protection officer at
Museum Barberini gGmbH
Responsible data protection authorities
Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht
(The State Representative for Data Protection and Inspection of Records)
Stahnsdorfer Damm 77
Fon: +49 33203 356-0
Fax: +49 33203 356-49
Each data subject may directly contact our data protection officer with any questions and suggestions on the topic of data protection at any time.
General information: Recording of general data and information
Our website collects a series of general data and information every time it is retrieved by a data subject or an automated system. Such general data and information are then stored in our server’s log files. The following may be collected:
- browser types and versions used,
- operating system used by the accessing system,
- the website from which an accessing system was referred to our website (so-called referrer),
- the sub-web pages activated on our website by an accessing system,
- the date and time of an access to the website,
- an Internet protocol address (IP address),
- the Internet service provider of the accessing system and
- other similar data and information serving to avert danger in case of attacks on our IT systems.
We draw no conclusions regarding the data subject when utilising such general data and information. Instead, such information is used to
- deliver the content of our website correctly,
- optimise the contents of our website as well as the advertisement for the latter,
- guarantee the permanent functionality of our IT systems and the technology of our website as well as
- provide law enforcement agencies with the necessary information to enforce the law in the event of a cyber-attack.
We thus analyse such anonymously collected data and information statistically on the one hand and with the aim of increasing the data protection and data security in our company on the other hand, in order to ultimately provide an optimal level of protection for the personal data we process. The anonymous server log file data are stored separately from any personal data provided by a data subject.
General information: Registration on our website
The data subject has the possibility of registering on the controller’s website by providing personal data. The personal data that is transmitted to the controller results from the respective input mask used for the registration. The personal data entered by the data subject are collected and stored solely for internal use by the controller and for internal purposes. The controller may instigate the transmission to one or more order processors, for instance a printing company, which also utilises the personal data solely for internal use, which may be ascribed to the controller.
When registering on the controller’s website, the IP address assigned by the data subject’s Internet service provider (ISP), as well as the date and time of registration are stored. Such data are stored against the backdrop that this is the only way to prevent our services being abused and, where necessary, such data allow criminal offences to be resolved. To that extent, such data need to be stored for the controller’s protection. Such data will not be transmitted to third parties unless a legal duty to transmit exists or the transmission is in the interests of law enforcement.
The data subject’s registration by means of the voluntary provision of personal data allows the controller to offer the data subject contents or services that may only be offered to registered users due to the very nature of the matter. Registered persons are at liberty to amend the data provided at the time of registration or have them completely erased from the controller’s data at any time.
On request, the controller will at any time provide each data subject with information regarding the personal data stored on the data subject. The controller will also rectify or erase personal data at the data subject’s request or indication, unless this is in conflict with any legal periods of retention. The controller’s entire workforce is available to the data subject as contact persons in this context.
General information: Order processing in the online shop and customer account
We process our customer’s data within the scope of the order processes in our online shop, in order to allow them to select and order the desired products and services, as well as the payment and delivery or execution thereof.
The processed data include inventory data, communication data, contract data, payment data and the data subjects of the processing include our customers, interested parties and other business partners. Processing ensues for the purpose of rendering contractual services within the scope of an online shop operation, settlement, delivery and customer services. To this end, we utilise session cookies to store the shopping basket contents and permanent cookies to store the login status.
Processing ensues on the basis of point (b) (implementation of order processes) and point (c) (legally required archiving) Article 6(1) GDPR. In so doing, the information deemed necessary to establish and fulfil the contract is required. We will only disclose the data to third parties within the scope of delivery, payment or within the scope of legal permissions and duties towards legal advisors and authorities. The data will only be processed in third countries should this be required to fulfil the contract (e.g. at the customer’s request at the time of delivery or payment).
Users may optionally create a user account, which in particular allows them to view their orders. Within the scope of registration, the required mandatory information will be communicated to the users. The user accounts are not public and cannot be searched by search engines. If users have cancelled their user account, their relevant user account data will be erased, except when the retention thereof is necessary for commercial or fiscal purposes pursuant to point (c) Article 6(1) GDPR. Information will remain in the customer account until it is erased followed by subsequent archiving in the event of a legal obligation. It is incumbent upon the users to secure their data before the contract ends following a termination.
Within the scope of registration and renewed registrations as well as utilisation of our online services, we store the IP address and the time of the respective user action. Storage ensues on the basis of our justified interests, as well as the users’ interest in protection against abuse and other unauthorised utilisation. In principle, such data will not be transmitted to third parties, unless they are required to pursue our claims or a legal obligation according to point (c) Article 6(1) GDPR exists.
Erasure ensues upon expiry of any legal warranty and comparable obligations, with the necessity of the retention of data being reviewed every three years; in the event of legal archiving obligations erasure will ensue upon the expiry thereof (end of commercial (6 years) and fiscal (10 years) period of retention).
General information: Cookies
Utilising cookies allows us to provide the users of this website with more user-friendly services than would be possible without cookies being set.
Cookies enable the information and offers on our website to be optimised in line with the user. As already mentioned, cookies enable us to recognise our website’s users. The purpose of this recognition is to facilitate the use of our website for the users. For example, users of a website using cookies do not need to re-input their access data every time they visit the website, as this task is assumed by the website and the cookie deposited on the user’s computer system. Another example is the cookie of a shopping basket in the online shop. The latter notes the item that a customer has placed in the virtual shopping basket via a cookie.
The data subject may prevent the setting of cookies by our website at any time by means of a corresponding setting of the utilised Internet browser and thus permanently object to the setting of cookies. Cookies that have already been set may also be deleted at any time via an Internet browser or other software programs. This is possible in all common Internet browsers. Should the data subject deactivate the setting of cookies in the Internet browser utilised, it may result in some functions of our website being only partially utilisable.
General information: Contact option via the Internet
Based on legal provisions in the German Telemedia Act (Telemediengesetz; TMG), as well as pursuant to point (f) Article 6(1) GDPR, the website provides a contact form containing particulars allowing electronic contact to be quickly established with our museum as well as allowing direct communication with us, which also includes a general address of the so-called electronic post (e-mail address).
Should a data subject establish contact with the controller via e-mail or via a contact form, the personal data transmitted by the data subject will be automatically stored. Any data transmitted on a voluntary basis by a data subject to the controller will be stored for purposes of processing or of establishing contact with the data subject. Such personal data will not be transmitted to third parties.
General information: Security and SSL encryption
In order to protect your data during transmission, we use the appropriate cutting-edge encryption procedure (e.g. SSL) via HTTPS.
We utilise technical and organisational security measures to ensure that your personal data are protected at all times against loss, falsifications and unauthorised access by third parties. All security measures are constantly adapted to comply with technical advancement.
General information: Change in our data protection provisions
We reserve the right to occasionally adapt this data privacy notice, so that it always complies with current legal requirements or in order to implement changes in our services in the data privacy notice, e.g. in the event of new services being introduced. The new data privacy notice will then apply to your next visit.
The following information provides you with details of the content of our newsletter as well as the registration, dispatch and statistical evaluation procedure as well as your rights of revocation. By subscribing to our newsletter, you consent to the receipt thereof and the described procedure.
Newsletter contents: We send newsletters, e-mails and other electronic messages containing information of a commercial nature (hereinafter “newsletters”) solely with the consent of the recipient or of a legal permission. Should the newsletter’s contents be specifically described within the scope of a registration, said contents are the decisive factor for the users’ consent. Apart from that, our newsletters contain information on our services and company.
Double opt-in and logging: Registration to our newsletter ensues in a so-called double opt-in procedure, i.e. after registering you receive an e-mail in which you are requested to confirm your registration. This confirmation is necessary to ensure that nobody can register with other people’s e-mail addresses. Newsletter registrations are logged in order to be able to furnish proof that the registration process took place according to the legal requirements. This includes the storage of the registration and confirmation times as well as the IP address. The changes in your data stored with the dispatch service provider are also logged.
Registration data: In order to register for the newsletter, you only need to provide your e-mail address, as well as your first and last names.
The newsletter and the associated measurement of success are dispatched on the basis of the recipients’ consent pursuant to point (a) Article 6(1), Article 7 GDPR in conjunction with point (3) Section 7(2) German Law against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb; UWG) or, should no consent be required, on the basis of our justified interests in direct marketing pursuant to point (f) Article 6(1) GDPR in conjunction with Section 7(3) UWG.
The registration procedure is logged on a legal basis pursuant to Article 5(2) GDPR. Our interest is geared towards the utilisation of a user-friendly as well as secure newsletter system, which serves our business interests, as well as meeting the users’ expectations and also allowing us to furnish proof of consents.
Termination/revocation: You may terminate the receipt of our newsletter at any time, i.e. revoke your consents. A link to terminate the newsletter may be found at the end of each newsletter. We are entitled to store the removed e-mail addresses for up to three years on the basis of our justified interests before erasing them, in order to be able to furnish proof of a formerly provided consent. The processing of such data is restricted to the purpose of a possible aversion of claims. An individual request for erasure may be made at any time, as long as the former existence of consent is confirmed at the same time.
Newsletter: Newsletter tracking
The newsletters contain a so-called “web-beacon”, i.e. a pixel-size file, which is retrieved from our server, or from the server of any dispatch service provider we might utilise, when opening the newsletter. Within the scope of such retrieval, technical information, such as information on your browser and system, is initially collected, as well as your IP address and the time of retrieval.
This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behaviour based on their retrieval locations (determinable with the aid of the IP address) or the access times. The statistical surveys also include the determination as to whether the newsletters are opened, when they are opened and which links are clicked. This information may be technically assignable to the individual newsletter recipients. However, neither we, nor any dispatch service provider we might utilise, aspire to observe individual users. Instead, the evaluations allow us to recognise our users’ reading habits and adapt our contents to them or to send different contents in keeping with our users’ interests.
Unfortunately, no separate revocation of the measurement of success is possible; in such case the entire newsletter subscription needs to be terminated.
Newsletter: Data protection provisions on the utilisation and use of MailChimp
The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Treaty and thus guarantees compliance with the European data protection standard (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).
The dispatch service provider is utilised on the basis of our justified interests pursuant to point (f) Article 6(1) GDPR and an order processing contract pursuant to Article 28(3) subparagraph 1 GDPR.
The dispatch service provider may use the recipients’ data in pseudonymised form, i.e. with no assignment to a user, in order to optimise or improve in-house services, e.g. to technically optimise dispatch and presentation of the newsletters or for statistical purposes. However, the dispatch service provider will not utilise our newsletter recipients’ data to contact them personally or to transmit the data to third parties.
You may terminate or revoke the subscription to this newsletter and thus the consent to your data being stored in the future at any time. Details to this end may be found in the confirmation e-mail as well as in each individual newsletter.
The hosting services of which we avail ourselves serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatch, security services, as well as technical maintenance services, which we use for purposes of operating this online offer.
To this end we, or our hosting provider (xame GmbH and Giant Monkey Software Engineering GmbH), process inventory data, contact data, content data, contractual data, usage data, meta and communication data of customers, interested parties and visitors to this online offer on the basis of our justified interests in an efficient and secure provision of this online offer pursuant to point (f) Article 6(1) GDPR in conjunction with Article 28 GDPR (conclusion of order processing contract).
Hosting: Access data and log files
We, or our hosting provider, collect data on every access to the server on which this service is located (so-called server log files) on the basis of our justified interest in terms of point (f) Article 6(1) GDPR. Such access data include the name of the retrieved website, file, date and time of the retrieval, transmitted data volume, notification of successful retrieval, browser type plus version, the user’s operating system, referrer URL (the website previously visited), IP address and the querying provider.
Log file information is stored for a maximum duration of 7 days for security reasons (e.g. to resolve cases of abuse or fraud) and then erased. Data needing to be retained longer for purposes of evidence are exempted from erasure prior to the resolution of the respective event.
Social media/Networks: Introduction
We use so-called social plug-ins of various social networks on our web pages. Such plug-ins allow you to further recommend contributions from our Internet offering. Other social network users can then see that you recommend this contribution. Pursuant to point (f) Article 6(1) GDPR, we have a justified interest in promoting the recommendation of contributions on our web pages via social plug-ins.
Social media/Networks: Data protection provisions on the utilisation and use of Facebook
The controller has integrated Facebook components on this website. Facebook is a social network.
A social network is a social meeting place operated on the Internet, an online community, which usually allows the users to communicate with each other and to interact in virtual space. A social network may serve as a platform to exchange opinions and experiences or enable the Internet community to provide personal or business-related information. Facebook enables the social network users, inter alia, to create private profiles, to upload photos and to network via friend requests.
The operating company of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. The controller for data subjects living outside the USA or Canada is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Every retrieval of one of the individual pages of this website operated by the controller, and on which a Facebook component (Facebook plug-in) has been integrated, prompts the respective Facebook component to automatically instigate the Internet browser on the data subject’s IT system to download an illustration of the corresponding Facebook component. A complete overview of all Facebook plugins may be retrieved under https://developers.facebook.com/docs/plugins/?locale=de_DE. Within the scope of this technical procedure, Facebook receives information on which tangible subpage of our website is visited by the data subject.
Should the data subject be simultaneously logged in to Facebook, each time the data subject retrieves our website allows Facebook to recognise which tangible subpage of our website the data subject visits for the entire duration of the respective stay on our website. This information is collected by the Facebook component and assigned by Facebook to the data subject’s respective Facebook account. Should the data subject press one of the Facebook buttons integrated on our website, for instance the “Like” button, or should the data subject provide a comment, Facebook assigns this information to the data subject’s personal Facebook user account and stores such personal data.
Facebook is then always informed via the Facebook component when the data subject has visited our website if the data subject is logged in to Facebook at the same time as he or she retrieves our website; this occurs irrespectively of whether or not the data subject clicks on the Facebook component. Should data subjects not want such information to be transmitted to Facebook, they may prevent transmission by logging out of their Facebook account prior to retrieving our website.
The data guideline published by Facebook, which may be retrieved under https://de-de.facebook.com/about/privacy/, provides information on the collection, processing and utilisation of personal data by Facebook. It also explains the setting options Facebook offers to protect the data subject’s private sphere. In addition, various applications are available to suppress any data transmission to Facebook. The data subject may utilise such applications to suppress a data transmission to Facebook.
Social media/Networks: Data protection provisions on the utilisation and use of Instagram
The controller has integrated Instagram components on this website. Instagram is a service to be qualified as an audio-visual platform and allowing users to share photos and videos as well as allowing a dissemination of such data in other social networks.
Operating company for the Instagram services is Instagram LLC, 1 Hacker Way, Building 14 First Floor, Menlo Park, CA, USA.
Every retrieval of one of the individual pages of this website operated by the controller, and on which an Instagram component (Insta button) has been integrated, prompts the respective Instagram component to automatically instigate the Internet browser on the data subject’s IT system to download an illustration of the corresponding Instagram component. Within the scope of this technical procedure, Instagram receives information on which tangible subpage of our website is visited by the data subject.
Should the data subject be simultaneously logged in to Instagram, each time the data subject retrieves our website allows Instagram to recognise which tangible subpage of our website the data subject visits for the entire duration of the respective stay on our website. This information is collected by the Instagram component and assigned by Instagram to the data subject’s respective Instagram account. Should the data subject press one of the Instagram buttons integrated on our website, the data and information thus transmitted are assigned to the data subject’s personal Instagram user account where they are stored and processed by Instagram.
Instagram is then always informed via the Instagram component when the data subject has visited our website if the data subject is logged in to Instagram at the same time as he or she retrieves our website; this occurs irrespectively of whether or not the data subject clicks on the Instagram component. Should data subjects not want such information to be transmitted to Instagram, they may prevent transmission by logging out of their Instagram account prior to retrieving our website.
Further information and the applicable data protection provisions of Instagram may be retrieved under https://help.instagram.com/155833707900388 and https://www.instagram.com/about/legal/privacy/.
Social media/Networks: Data protection provisions on the utilisation and use of Twitter
The controller has integrated Twitter components on this website. Twitter is a multilingual publicly accessible microblogging service, on which users can publish and disseminate so-called tweets, i.e. text messages limited to 280 characters. Such text messages may be retrieved by everyone, i.e. not just by those registered with Twitter. However, the tweets are also displayed to the so-called followers of the respective user. Followers are other Twitter users who follow the tweets of a user. Twitter also allows a wide public to be addressed via hashtags, links or retweets.
Operating company of Twitter is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
Every retrieval of one of the individual pages of this website operated by the controller, and on which a Twitter component (Twitter button) has been integrated, prompts the respective Twitter component to automatically instigate the Internet browser on the data subject’s IT system to download an illustration of the corresponding Twitter component. More information on the Twitter buttons may be retrieved under https://about.twitter.com/de/resources/buttons. Within the scope of this technical procedure, Twitter receives information on which tangible subpage of our website is visited by the data subject. The purpose of integrating the Twitter component is to allow our users a further dissemination of the contents of this website, to make this website known in the digital world and to increase our number of visitors.
Should the data subject be simultaneously logged in to Twitter, each time the data subject retrieves our website allows Twitter to recognise which tangible subpage of our website the data subject visits for the entire duration of the respective stay on our website. This information is collected by the Twitter component and assigned by Twitter to the data subject’s respective Twitter account. Should the data subject press one of the Twitter buttons integrated on our website, the data and information thus transmitted are assigned to the data subject’s personal Twitter user account where they are stored and processed by Twitter.
Twitter is then always informed via the Twitter component when the data subject has visited our website if the data subject is logged in to Twitter at the same time as he or she retrieves our website; this occurs irrespectively of whether or not the data subject clicks on the Twitter component. Should data subjects not want such information to be transmitted to Twitter, they may prevent transmission by logging out of their Twitter account prior to retrieving our website.
The applicable data protection provisions of Twitter may be retrieved under https://twitter.com/privacy?lang=de.
Social media/Networks: Data protection provisions on the utilisation and use of Pinterest
The controller has integrated Pinterest Inc. components on this website. Pinterest is a so-called social network. A social network is a social meeting place operated on the Internet, an online community, which usually allows the users to communicate with each other and to interact in virtual space. A social network may serve as a platform to exchange opinions and experiences or enable the Internet community to provide personal or business-related information. Pinterest enables the social network users, inter alia, to publish picture collections and individual pictures as well as descriptions on virtual pinboards (so-called pinning), which may then in turn be shared (so-called repinning) or commented on by other users.
Operating company of Pinterest is Pinterest Inc., 808 Brannan Street, San Francisco, CA 94103, USA.
Analysis: Data protection provisions on the utilisation and use of Google Analytics (including anonymisation function)
The controller has integrated the Google Analytics component (including anonymisation function) on this website. Google Analytics is a web analysis service. Web analysis is the acquisition, collection and evaluation of data on the behaviour of website visitors. A web analysis service collects data, inter alia, on the previous website from which a data subject has been referred to a website (so-called referrer), which subpages of the website were accessed or how often and for what length of time a subpage was considered. A web analysis is primarily utilised to optimise a website and for the cost-benefit analysis of Internet advertising.
Operating company of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
For web analysis via Google Analytics, the controller uses the suffix "_gat._anonymizeIp". This suffix allows Google to abbreviate and anonymise the IP address of the data subject’s Internet connection when our web pages are accessed from a Member State of the European Union or from another country which is signatory to the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyse the visitor flows to our website. Google uses the acquired data and information, inter alia, to evaluate the use of our website, in order to compile online reports showing the activities on our website for us and to render other services associated with the use of our website.
Google Analytics sets a cookie on the data subject’s IT system. Cookies have already been explained above. Setting the cookie allows Google to analyse the use of our website. Every retrieval of one of the individual pages of this website operated by the controller, and on which a Google Analytics component has been integrated, prompts the respective Google Analytics component to automatically instigate the Internet browser on the data subject’s IT system to transmit data to Google for the purpose of online analysis. Within the scope of this technical procedure, Google receives personal information, such as the data subject’s IP address, which, among other things, enable Google to track the origin of visitors and clicks and consequently allow commission settlements.
Personal information, for instance the access time, the location from where the access emanated and the frequency of visits to our website by the data subject are stored by means of the cookie. During every visit to our web pages such personal data, including the IP address of the Internet connection utilised by the data subject, are transmitted to Google in the United States of America. These personal data are stored by Google in the United States of America. Google may transmit the personal data collected through the technical procedure to third parties.
The data subject may prevent the setting of cookies by our website at any time, as already described above, by means of a corresponding setting of the utilised Internet browser and thus permanently object to the setting of cookies. Such a setting of the utilised Internet browser would also prevent Google setting a cookie on the data subject’s IT system. In addition, a cookie already set by Google Analytics may be deleted at any time via the Internet browser or other software programs.
Further information and the applicable data protection provisions of Google may be retrieved under https://www.google.de/intl/de/policies/privacy/ and under http://www.google.com/analytics/terms/de.html. Google Analytics is explained in more detail under this link https://www.google.com/intl/de_de/analytics/.
Analysis: Data protection provisions on the utilisation and use of MyFonts Counter
Payment method: Introduction
We utilise external payment service providers whose platforms allow the users and ourselves to make payment transactions.
Within the scope of contract fulfilment, we utilise the payment service providers on the basis of point (b) Article 6(1) GDPR. Apart from that, we utilise external payment service providers on the basis of our justified interests pursuant to point (b) Article 6(1) GDPR, in order to offer our users an effective and secure payment option.
The data processed by the payment service providers include inventory data, such as the name and address; bank details, such as account or credit card numbers, passwords, TANs and checksums; as well as contract-related information, totals and recipient-related information. The information is required to implement the transactions. However, the input data are processed and stored solely by the payment service providers, i.e. we receive no account or credit card related information and instead only information with confirmation or negative information on payment. Under certain circumstances, the data may be transmitted to credit agencies by the payment service providers. Such transmission is for the purpose of checking identity and creditworthiness. To this end, please refer to the payment service providers’ general terms and conditions of business and data privacy notices.
The terms and conditions of business and the data privacy notices of the individual payment service provider, which are retrievable on the respective websites or transaction applications, apply to payment transactions. We also refer to the latter for the purpose of further information and assertion of rights to revocation, access and other data subject rights.
Payment method: Data protection provisions on PayPal as payment method
The controller has integrated PayPal components on this website. PayPal is an online payment service provider. Payments are processed via so-called PayPal accounts, which constitute private or business accounts. PayPal also offers the option of processing virtual payments via credit cards if a user has no PayPal account. A PayPal account is managed via an e-mail address, which is why no traditional account number exists. PayPal allows online payments to third parties to be triggered or payments to be received. PayPal also assumes fiduciary functions and offers buyer protection services.
The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg.
Should the data subject select “PayPal” as payment option during the order process in our online shop, data of the data subject are automatically transmitted to PayPal. By selecting this payment option, the data subject consents to the transmission of personal data required for payment processing.
The personal data transmitted to PayPal usually consist of first name, last name, address, e-mail address, IP address, telephone number, mobile phone number or other data needed for payment processing. Also needed for processing the purchase contract are personal data associated with the respective order.
The transmission of the data is for the purpose of payment processing and prevention of fraud. The controller will in particular transmit personal data to PayPal if there is a justified interest in the transmittal. Under certain circumstances, the personal data exchanged between PayPal and the controller may be transmitted to credit agencies by PayPal. Such transmission is for the purpose of checking identity and creditworthiness.
Where necessary, PayPal may transmit the personal data to affiliated companies and service providers or subcontractors, should this be required to fulfil the contractual obligations or the data are to be processed in the order.
The data subject has the option of revoking his or her consent to PayPal handling personal data at any time. Such a revocation does not affect personal data that are imperatively required to be processed, utilised or transmitted for (contractual) payment processing.
The applicable data protection provisions of PayPal may be retrieved under https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
Payment type: Bank transfer
If you choose the payment option via bank transfer, we will transfer the contract processing data (legal basis is point (b) Article 6(1) GDPR) to your bank or the credit card company. The data protection provisions of the respective credit institute apply to this end.
Online marketing: Data protection provisions on the utilisation and use of DoubleClick
On the basis of our justified interests (i.e. interest in the analysis, optimisation and economic operation of our online offering in terms of point (f) Article 6(1) GDPR), we use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).
Google is certified under the Privacy Shield Treaty and thus guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
We use the Google “DoubleClick” online marketing process to place advertisements in the Google advertising network (e.g. in search results, in videos, on websites, etc.). DoubleClick is distinguished by the fact that advertisements are displayed in real time on the basis of the users’ presumed interests. This allows us to display advertisements for and within our online offering in a more targeted manner, in order to present users with only those advertisements that may be of potential interest to them. For instance, should a user be shown advertisements for products in which he has expressed an interest in other online offerings, this is called “remarketing”. For such purposes, Google immediately executes a Google code when our website or other websites on which the Google advertising network is active are retrieved, thus integrating so-called (re)marketing tags (invisible graphics or codes, also known as “web beacons”) in the website. They assist in storing an individual cookie, i.e. a small file, on the users’ device (similar technologies other than cookies may also be used). This file notes which websites the users visit, in which contents they are interested and on which offerings the users have clicked, as well as technical browser and operating system information, referring websites, visiting time as well as other information on the utilisation of the online offering.
The users’ IP address is also recorded. It is abbreviated within Member States of the European Union or in other countries which are signatories to the Agreement on the European Economic Area, and only in exceptional cases is it transmitted in its entirety to a Google server in the USA and abbreviated there. Google may also combine the previously cited information with such information from other sources. Should the users then visit our web pages, they can be shown advertisements tailored to meet their presumed interests on the basis of their user profiles.
The users’ data are processed pseudonymised within the scope of the Google advertising network, i.e. Google does not e.g. store and process the users’ names or e-mail addresses and instead processes the relevant data cookie-related within pseudonymised user profiles. That in turn means that from Google’s point of view the advertisements are not administered and displayed for a tangibly identified person but instead for the cookie owner, irrespective of who such cookie owner is. This does not apply when a user has specifically allowed Google to process the data without such pseudonymisation. The information collected on the users by Google Marketing Services is transmitted to Google and stored on Google’s servers in the USA.
Further information on data utilisation by Google, as well as setting and objection options, may be found in the data privacy notice of Google (https://policies.google.com/technologies/ads) as well as in Google’s settings for displaying ads (https://adssettings.google.com/authenticated).
Content delivery network: Data protection provisions on the utilisation and use of Google AJAX Search API
We utilise AJAX on these pages. Google AJAX Search API is a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The tool attains optimised loading speeds. To this end, Google server program libraries are retrieved and the Google CDN (content delivery network) utilised. Should you have previously used jQuery on another Google CDN page, your browser will fall back on the copy deposited in the cache. Should this not apply, a download is required, whereby data from your browser will be transmitted to Google Inc. (“Google”). Your data will be transferred to the USA. You can find out more in the data privacy notice of the provider https://policies.google.com/privacy?hl=de&gl=de
Notes on data privacy
Data privacy notice
We very much appreciate your interest in our museum. The management of Museum Barberini gGmbH attaches great importance to data protection.
The processing of personal data always ensues in line with the General Data Protection Regulation and in compliance with the country-specific data protection provisions applicable to Museum Barberini gGmbH.
By means of this data privacy notice, Museum Barberini would like to inform the general public about the type, scope and purpose of the personal data we collect, utilise and process. Data subjects will also be informed about the rights to which they are entitled by means of this data privacy notice.
The following information is intended to provide you with an overview of the data protection as well as of our processing of your personal data and your rights arising from data protection. The individual data processed and the way in which they are utilised depends largely on the requested or agreed services. Please consider the information applicable to yourself.
Who is responsible for data processing and who can I contact?
Controller in terms of the General Data Protection Regulation, other data protection laws applying to the Member States of the European Union and other provisions of a data protection nature is:
Museum Barberini gGmbH
+49 331 236014-399
You can reach our operational data protection officer at
Museum Barberini gGmbH
Responsible data protection authorities
Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht
(The State Representative for Data Protection and Inspection of Records)
Stahnsdorfer Damm 77
Fon: +49 33203 356-0
Fax: +49 33203 356-49
Each data subject may contact our data protection agent directly at any time with all questions and suggestions on the topic of data protection.
General information: Definitions
The data privacy notice of Museum Barberini gGmbH is based on the terminology used by the European legislator when enacting the General Data Protection Regulation (GDPR). Our data privacy notice should be easy to read and understand for the general public as well as for our customers and business partners. In order to ensure this is the case, we would like to explain the terminology used in advance.
We use the following terms, inter alia, in this data privacy notice:
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
Data subject is every identified or identifiable natural person whose personal data are processed by the controller.
c) Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
e) Pseudonymisation
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
f) Controller or person responsible for controlling
Controller or person responsible for controlling means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
g) Processor
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
h) Recipient
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
i) Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
j) Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by another clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Which sources and data do we use?
We process any personal data received from our customers within the scope of the business relationship/services.
Relevant personal data in the processing of interested parties when setting up the master data may be:
- Personal master data (salutation, title, name, address and other contact data, date of birth, nationality)
When concluding the contract and using products/services in the product categories listed in the following, other personal data in addition to the previously cited data may be collected, processed and stored. These essentially comprise:
Account and payment transactions
- Order data (e.g. payment order), data arising from the fulfilment of our contractual obligations (e.g. payment transaction data),
Customer contact information
- Other personal data, e.g. information on contact channel, date, occasion and result, (electronic) copies of correspondence are created within the scope of the business initiation process and during the business relationship, in particular via personal, telephonic or written contacts, whether initiated by yourself or Museum Barberini gGmbH. If our vehicle parking service for people with parking permits for the disabled is used, we temporarily store the licence plate of the vehicle authorised to enter.
Why do we process your data (purpose of processing) and on what legal basis?
We process personal data in line with the provisions of the EU General Data Protection Regulation (GDPR) and the German Data Protection Act (Bundesdatenschutzgesetz; BDSG).
a) To fulfil contractual obligations (point (b) Article 6(1) GDPR)
The data are processed to conduct business and render services (e.g. implementation of ordering processes) pursuant to our contracts with our customers, which ensue on request. The purposes of data processing are primarily aimed at the tangible product. Further details on the purpose of data processing may be found in the individual contract documents and terms and conditions of business.
b) Within the scope of the balancing of interests (point (f) Article 6(1) GDPR)
Where required, we process your data above and beyond the actual fulfilment of the contract to safeguard the legitimate interests of ourselves or third parties. This may, for example, include:
- Guarantee of the museum’s IT security and IT operation,
- Prevention/resolution of criminal offences,
- Measures for building and installation safety,
- Measures for ensuring domiciliary rights (e.g. video surveillance),
- Measures for business management and further development of services and products
- Marketing purposes (e.g. advertising or market and opinion research) or
- Assertion of legal claims and defence in legal disputes
c) Based on your consent (point (a) Article 6(1) GDPR)
Should you have given us your consent to process personal data for specific purposes (e.g. data transmission, data analysis for marketing purposes, photo ID within the scope of events, newsletter dispatch), the legality of such processing is secured by your consent. You may revoke your consent at any time. This also applies to declarations of consent given to us prior to the GDPR coming into force, i.e. prior to 25 May 2018. The revocation of consent applies only to the future and does not affect the legality of the data processed prior to the revocation.
d) Based on legal requirements (point (c) Article 6(1) GDPR) or in the public interest (point (e) Article 6(1) GDPR)
As a service provider, we are subject to various legal obligations, i.e. statutory requirements (e.g. commercial or fiscal law).
Who receives my data?
The people in Museum Barberini gGmbH who receive access to your data are those requiring access to the latter to fulfil our contractual and statutory obligations. Our commissioned service providers and vicarious agents may also receive data for such purposes, should this in particular safeguard data protection. The latter are companies in the categories of payment performances, IT services, logistics, print services, telecommunications, collection agencies, consultancy as well as distribution and marketing.
With respect to data transmission to recipients outside Museum Barberini gGmbH, it should initially be noted that we ourselves maintain secrecy regarding all customer-related facts and evaluations of which we become aware. In principle, we may only ever transmit information on our customers when required by statutory provisions, when the customer has given consent or we are authorised to disseminate. Subject to such prerequisites, recipients of personal data may be, e.g.:
- Public bodies and institutions (e.g. financial authorities or law enforcement agencies) in the event of a statutory or official obligation,
- Credit and finance service providing institutes or comparable institutions to which we transfer personal data for the implementation of our business relationship with you
- Creditors or insolvency administrators who request such personal data within the scope of a judicial execution,
- Third parties involved in the payment process (e.g. valuation-implementing service providers),
- Service providers contacted by us within the scope of order processing circumstances.
Further data recipients may be those bodies for which you have granted us your consent to data transmission.
Will data be transmitted to a third country or an international organisation?
Data is transmitted to bodies in countries outside the European Union (so-called non-member states), provided
- it is necessary to execute your contracts (e.g. newsletter dispatch),
- it is legally prescribed (e.g. fiscal reporting obligations) or
- you have given us your consent.
If service providers in the non-member state are utilised, in addition to written instructions they are also obligated to comply with the European data protection standard by the standard contractual clauses adopted by the EU.
Please refer to our data privacy notice for information on the data which is sent to other countries outside the EU.
How long will my data be stored?
We process and store your personal data as long as it is needed to fulfil our contractual and statutory duties.
Should the data no longer be required to fulfil contractual or statutory duties, the latter will be regularly erased, unless the – limited – further processing thereof is required for the following purposes:
- Fulfilment of commercial and fiscal retention periods that may, for example, arise from the German Commercial Code (Handelsgesetzbuch; HGB) or German Fiscal Code (Abgabenordnung; AO). The time period stipulated therein for retention or documentation is usually two to ten years.
- Maintenance of evidence within the scope of the statutory limitation periods. According to Sections 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch; BGB) such limitation periods may be up to 30 years, although the usual limitation period is 3 years.
What data protection rights do I have?
- Right of confirmation
Each data subject shall have the right granted by the European legislator to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. Should a data subject wish to assert such right of confirmation, he or she may contact a person in the controller’s department at any time.
- Right of access
Each data subject shall have the right granted by the European legislator to obtain from the controller access at any time and free of charge to information concerning the personal data stored on himself or herself and to receive a copy of such information. The European legislator has also allowed the data subject access to the following information:
Should a data subject wish to assert this right to access, he or she may contact an employee in the controller’s department at any time.
- Right to rectification
Each data subject shall have the right granted by the European legislator to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Should a data subject wish to assert this right to rectification, he or she may contact an employee in the controller’s department at any time.
- Right to erasure (right to be forgotten)
Each data subject shall have the right granted by the European legislator to obtain from the controller the erasure of personal data concerning him or her without undue delay, where one of the following grounds applies and unless processing is required:
Should one of the above-cited reasons apply and a data subject would like to instigate the erasure of personal data stored with us, he or she may contact an employee in the controller’s department at any time. Our employee will ensure that the request for erasure is fulfilled without undue delay.
Where we have made the personal data public and our company is obliged as controller to erase the personal data pursuant to Article 17(1) GDPR, we will take reasonable steps, taking account of available technology and cost of implementation, including technical measures, to inform other controllers which are processing the personal data that the data subject has requested the erasure by such other controllers of all links to, or copies or replications of, such personal data, unless processing is required. Our employee will take the necessary steps in individual cases.
- Right to restriction of processing
Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where one of the following applies:
Should one of the above reasons apply and a data subject would like to obtain the restriction of personal data stored with us, he or she may contact an employee in the controller’s department at any time. Our employee will instigate the restriction of processing.
- Right to data portability
Each data subject shall have the right granted by the European legislator to receive the data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. He or she shall also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
In exercising his or her right to data portability pursuant to Article 20(1) GDPR, the data subject shall also have the right to have the personal data transmitted directly from one controller to another, where technically feasible and where the rights and freedoms of other persons are not adversely affected as a result.
The data subject may contact an employee to assert the right to data portability at any time.
- Right to object
Each data subject shall have the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR.
We will no longer process the personal data in the event of an objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where we process personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. Where the data subject lodges an objection with us to processing for direct marketing purposes, we will no longer process the personal data for such purposes.
Where personal data are processed by us for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, the data subject, on grounds relating to his or her particular situation, shall also have the right to object to processing of personal data concerning him or her, unless such processing is necessary for the performance of a task carried out for reasons of public interest.
The data subject may contact any employee in order to exercise the right to object. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject shall also be at liberty to exercise his or her right to object by automated means using technical specifications.
- Automated individual decision-making
Each data subject shall have the right granted by the European legislator not to be subject to a decision based solely on automated processing, which produces legal effects concerning him or her or similarly significantly affects him or her, where the decision
Where the decision
- is not necessary for entering into, or performance of, a contract between the data subject and a data controller; or
- is based on the data subject's explicit consent, we will implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
Should the data subject wish to assert any rights with regard to automated decisions, he or she may contact an employee in the controller’s department at any time.
- Right to revoke consent under data protection law
Each data subject shall have the right granted by the European legislator to revoke his or her consent to the processing of personal data at any time.
Should the data subject wish to assert his or her right to revocation of consent, he or she may contact an employee in the controller’s department at any time.
You may revoke any consent you have given us to the processing of personal data at any time. This also applies to declarations of consent given to us prior to the GDPR coming into force, i.e. prior to 25 May 2018. Please note that the revocation applies only to the future and does not affect data processed prior to the revocation.
- Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or place of the alleged infringement if you consider that the processing of personal data relating to you is unlawful.
Do I have a duty to provide data?
Within the scope of our business relationship, you are obliged to provide those personal data that are required for the establishment, implementation and termination of a business relationship and for the fulfilment of the associated contractual duties, or that we are legally obliged to collect. Without such data, we will usually not be in the position to conclude, execute and terminate a contract with you.
To what extent does automatic decision-making take place?
In principle, we do not use a fully automated decision-making system pursuant to Article 22 GDPR in order to establish and implement the business relationship. Should we use this process in individual cases, you will be separately informed of that fact and of your relevant rights, where prescribed by law.
Should you desire information, which is not available in this data privacy notice, or if you would like further information on a specific point, please contact the data protection officer of Museum Barberini gGmbH.