Data Protection Declaration

Thank you for your interest in our museum and our offering. We want you to provide you with maximum security when you visit our websites, also with regard to your personal data.

The protection of your personal data is a matter of great importance to us. We consider it a matter of course and an obligation to comply with the statutory regulations on data protection (EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act).

In the following, you can find out when we collect data, which data we collect and how we use it. We have implemented suitable technical and organizational measures that ensure that we, as well as our partners and external service providers, fully comply with data protection regulation.

I. Name and address of responsible entity

The responsible entity under the terms of the GDPR and applicable national data protection acts as well as other data protection statutes is:

Freilichtmuseum Hessenpark GmbH
Laubweg 5
61267 Neu-Anspach
Germany
Phone: +49-6081-588-100
Fax: +49-6081-588-120
Email: service@hessenpark.de
www.hessenpark.de

II. Name and address of of data protection officer

The data protection officer of the responsible entity is:

Florian Marquardt
Laubweg 5
61267 Neu-Anspach
Germany
Phone: +49-6081-588-666
Email: datenschutz@hessenpark.de

III. General information on data protection

1. Scope of processing personal data
Personal data refers to information about your person, including your name, address, phone number and email address, but also your location, IP address or bank details.
As a rule, we only process personal data to the extent necessary to provide a fully functional website and our content and services. Personal data of our users is frequently processed only after acquiring users’ consent. Exceptions apply in cases in which it is not feasible to acquire prior consent for factual reasons and the processing of data is permissible under applicable statutory provisions. This includes, for instance, callback requests, the sending of information material and/or offers, or the answering of individual questions by email. Where required, we will notify you accordingly. Beyond that, we only store and process data provided by you voluntarily or automatically.
If you book one of our offers, we generally only collect data required to perform our services. Personal data is exclusively processed in the context of performing the requested service and to preserve our legitimate business interests.

2. Legal basis for processing personal data
Art. 6 (1a) GDPR provides us with the legal basis for data processing activities, for which the data subject (user) has given consent to the processing of his or her personal data for one or more specific purposes.
In cases where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, Art. 6 (1b) GDPR serves as the legal basis.
In cases where processing is necessary for compliance with a legal obligation to which the controller (responsible entity) is subject, Art. 6 (1c) GDPR serves as the legal basis.
In cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person, Art. 6 (1d) GDPR serves as the legal basis.
In cases where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, Art. 6 (1f) GDPR serves as the legal basis.

3. Data deletion and storage periods
The personal data of data subjects is deleted or blocked when the purpose of data storage is fulfilled. Storing of data beyond this point may become necessary if longer storage periods are stipulated by European or national authorities in EU regulations, laws or other provisions that apply to the responsible entity. Data is also deleted or blocked when a storage period stipulated in the listed statutes expires, provided that data is no longer required for the conclusion or execution of a contract.

IV. Provision of website and creation of log files

1. Description and scope of data processing
Each time you visit our website, our system automatically collects data and information from the computer system of your end device.

The following data is collected:
(1) browser type and version used
(2) user’s operating system
(3) user’s IP address
(4) date and time of visit
(5) referrer URL (website where a person clicked to link that sent them to our website)
Log files contain IP addresses and other data that can be allocated to a specific user.
Data is stored in our system’s log files. We do not store this data together with other personal data of the user.

2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Art. 6 (1f) GDPR.

3. Purpose of data storage
The temporary storing of the IP address on the system is necessary to enable a delivery of the website to the user’s computer. To this end, the user’s IP address must be stored for the duration of the session.
Data is stored in log files to safeguard the website’s operability. Furthermore, the data allows us to optimize our website and guarantee the security of our IT systems. In this context, data is not processed for marketing purposes.
These purposes constitute our legitimate interests in accordance with Art. 6 (1f) GDPR.

4. Storage periods
Personal data is deleted when the purpose of data storage ceases to apply. With regard to data collected to provide the website to the user, this is the case at the end of the respective session.
In the case of data stored in log files, this is the case after seven days at the latest. Longer storage periods may apply. In such cases, however, the IP addresses of users are deleted or anonymized to make it impossible to identify the accessing client.

5. Right to object, right to erasure
The collection of data for delivering the website and its storage in log files is essential to operating the website. Consequently, the user has no option to object to the collection and storage of such data.

V. Use of Cookies

1. Description and scope of data processing
Our website uses cookies. Cookies are small text files sent to your computer and stored in your browser and/or your computer system. When a user visits a website, a cookie may be stored in the user’s operating system. This cookie contains a characteristic character string, which allows us to recognize the browser the next time the user visits our website.
On our website, we use cookies that enable us to analyze users’ web surfing activities.
In this context, the following data is transmitted:

(1) Entered search terms
(2) Frequency of site visits
(3) Use of website features

We apply technical measures to anonymize user data collected in the process that make it impossible to allocate data to a specific user. Such data is not stored together with other personal data of users.
When users visit our website, they are informed about the use of cookies for analysis purposes and referred to this privacy policy through a web banner. Furthermore, we provide information on how to disable the storage of cookies in the browser settings.

2. Legal basis for data processing
The legal basis for the processing of personal data using technically required cookies is Art. 6 (1f) GDPR.
The legal basis for the processing of personal data using cookies for analysis purposes, provided that the user has given consent, is Art. 6 (1a) GDPR.

3. Purpose of data processing
Analysis cookies are used to improve the quality of our website and its content. They enable us to analyze how the website is used and, consequently, to continuously optimize our offering.
These purposes constitute our legitimate interests in accordance with Art. 6 (1f) GDPR.

4. Storage periods, right to object, right to erasure
Cookies are stored on your computer and transmitted to our website. This means that you as the user have full control over the use of cookies. You can change your browser settings to disable or restrict the transfer and use of cookies. Previously stored cookies can be deleted at any time, also in an automated fashion. Please note that blocking or removing cookies may adversely affect your ability to use the website.

VI. Newsletter

1. Description and scope of data processing
Users receive our newsletter because they have registered for it on our website. Our website offers the possibility to subscribe to our free newsletter. If you decide to do so, the data from the input form will be transmitted to us:

(1) Email address
(2) Date and time of registration
(3) First and last name, if applicable (not mandatory)

During the registration process, we ask for your consent to process the data and refer to this privacy policy. Data processed for sending our newsletter is at no point disclosed to third parties but is exclusively used for the purpose of sending the newsletter.

2. Legal basis for data processing
Users receive our newsletter because they have registered for it on our website.
The legal basis for the processing of personal data following the user’s registration, provided that the user has given consent, is Art. 6 (1a) GDPR.

3. Purpose of data processing
The user’s email address is collected for the purpose of sending the newsletter.
Users receive our newsletter because they have registered for it on our website.
We collect other personal data during the registration process exclusively for documentation purposes in order to prevent any misuse of services or the provided email address.
Users are not required to provide their first and last name; their names are exclusively used for a personalized form of address.

4. Storage periods
Data is stored on the servers of our service provider CleverReach® as the external processor; a processing agreement has been signed to secure all data. When the purpose of data storage ceases to apply, personal data is deleted. Consequently, email addresses are stored for as long as the user remains a newsletter subscriber.

5. Right to object, right to erasure
You can cancel your newsletter subscription at any time. An unsubscribe link can be found in every issue of our newsletter.
Users receive our newsletter because they have registered for it on our website.
If you unsubscribe from our newsletter, you can also revoke your consent to the storage of data collected during the registration process.

VII. Email contact

1. Description and scope of data processing
Our website allows you to contact us by sending an email to the provided email address. If you decide to do so, we will store the personal data transmitted with your email.
Data from your contact email is at no point disclosed to third parties and exclusively used to process your query.

2. Legal basis for data processing
The legal basis for the processing of data from contact emails is Art. 6 (1f) GDPR. In case the email contact is aimed at concluding a contract, Art. 6 (1b) GDPR applies as additional legal basis.

3. Purpose of data processing
In the case of email contact, this purpose constitutes our legitimate interests in processing data in accordance with Art. 6 (1f) GDPR.
Other personal data collected during the sending process is collected to prevent any misuse of the contact form and to guarantee the security of our IT systems.

4. Storage periods
Personal data is deleted when the purpose of data storage ceases to apply. In the case of personal data sent by email, this is the case when the exchange with the user is completed. The completion of an exchange is the point at which circumstances clearly indicate that final clarification or a solution has been reached for the issue in question.
Other personal data collected during the sending process is deleted after a period of seven days at the latest.

5. Right to object, right to erasure
You can revoke your consent to the processing of personal data at any time. If you contact us by email, you have the right to object to the storage of personal data at any time. Please note, however, that we will not be able to continue the exchange with you if you decide to do so.
If you want to revoke your consent, please send an email to service@hessenpark.de. In this case, all personal data collected in the course of the email contact will be deleted.

VIII. Applicant data

1. Description and scope of data processing
You can apply to Freilichtmuseum Hessenpark via the email address personal@hessenpark.de provided on our website. Your personal data will be collected and stored as part of the application process, irrespective of whether you send your information by email or postal mail, and whether you send us an unsolicited application or reply to a specific job offer. Your data will only be made available and processed by the relevant department and staff at Freilichtmuseum Hessenpark GmbH.

2. Legal basis for data processing
Art. 6 (1b) GDPR applies as the legal basis for processing applicant data transmitted by email and aimed at concluding a contract.

3. Purpose of data processing
In the case of an application, data processing serves the purpose of performing the tasks involved in the application process and of concluding an employment contract. We use the pool of applicants who have send us unsolicited applications to search for suitable candidates.

4. Storage periods
Data is deleted after the completion of the application process and the expiration of the required storage period (generally six months). Data from unsolicited applications is deleted after a period of six months at the latest.

5. Right to object, right to erasure
Applicants have the right to revoke their consent to the processing of personal data at any time. If you contact us by email, you have the right to object to the storage of personal data at any time by sending an email to personal@hessenpark.de. Please note, however, that we will not be able to continue the application process if you decide to do so. In this case, all personal data collected in the course of the email contact will be deleted.

IX. Matomo (formerly PIWIK) web analysis

Scope of data processing

We use Matomo (formerly PIWIK) web analysis software (www.matomo.org) for our website. This service is provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand (“Matomo”). The software places a cookie on the user’s end device (see above for information on cookies). If you access individual pages of our website, the following data is stored:

(1) two bytes of the IP address of the user’s system
(2) accessed website
(3) referrer URL (website where a person clicked to link that sent them to our website)
(4) subpages visited from the accessed website
(5) duration of the website visit
(6) frequency of website visits

The Matomo software exclusively runs on the servers of our website. No personal data of users is collected. The software is set to not store full IP addresses but anonymize two bytes of an IP address (e.g. 192.168.xxx.xxx). This makes it impossible to allocate the abbreviated IP address to the accessing end device.

X. Matterport

Our website uses the services of Matterport Inc., 352 E Java Dr, Sunnyvale, CA 94089, USA, for our virtual tours. Visiting one of our pages equipped with a Matterport space will establish a connection to Matterport’s servers. This means your IP address, browser version and displaying device, source and destination URL and the respective 3D tour’s ID are all shared with Matterport’s servers in the USA.

Matterport services are used in the interest of presenting our online offering in an attractive manner. This constitutes a legitimate interest under Art. 6 Sec. 1(f) GDPR.

Further information on how users’ data is handled can be found in Matterport’s privacy statement at: https://matterport.com/de/privacy-policy

XI. Rights of data subjects (users)

If we process your personal data, you are considered a data subject under the terms of the GDPR. As a data subject, you have the following rights in dealing with the responsible entity:

1. Right of access

The data subject shall have the right to obtain from the controller (responsible entity) confirmation as to whether or not personal data concerning him or her is being processed.

Where that is the case, you have the right of access to the following information:

(1) the purposes of the processing;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom the personal data has been or will be disclosed;
(4) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(5) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) where the personal data is not collected from the data subject, any available information as to their source;
(8) the right of access to information whether personal data is transferred to a third country or an international organization. Where personal data is transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

2. Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification or completion of inaccurate or incomplete personal data concerning him or her.

3. Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(1) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defense of legal claims;
(4) the data subject has objected to processing pursuant to Article 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing pursuant to the conditions stated above shall be informed by the controller before the restriction of processing is lifted.

4. Right to erasure

a) Obligation to erase
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(1) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
(2) the data subject withdraws consent on which the processing is based pursuant to Article 6 (1a) or Article 9 (2a) GDPR and where there is no other legal ground for the processing;
(3) the data subject objects to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) GDPR;
(4) the personal data have been unlawfully processed;
(5) the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(6) personal data has been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.
b) Information to third parties
Where the controller has made the personal data public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, the personal data.
c) Exceptions
The right to erasure shall not apply to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health pursuant to Article 9 (2h) and (2i) as well as Article 9 (3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defense of legal claims.

5. Notification obligation

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17 (1) and Article 18 GDPR to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
The controller shall inform the data subject about those recipients if the data subject requests it.

6. Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where:

(1) the processing is based on consent pursuant to Article 6 (1a) or Article 9 (2a) or on a contract pursuant to Article 6 (1b) GDPR; and
(2) the processing is carried out by automated means.
In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This right shall not adversely affect the rights and freedoms of others.
That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6 (1e) or (1f) GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

8. Right to withdraw informed consent

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.