General data privacy statement
The protection of your personal data is a matter of great importance to the Staatliche Kunstsammlungen Dresden. In the following, we would therefore like to inform you in detail about which data are processed when visiting our web portals under the domain name www.skd.museum and the associated sub-pages, and when using the offerings contained there.
Please note that data transmission via the Internet, especially by email, is at present essentially unsecured. The possibility is not ruled out that transmitted data may be accessed by unauthorised persons and may even be falsified.
General data privacy statement
Staatliche Kunstsammlungen Dresden
Staatliche Kunstsammlungen Dresden
P.O. Box 120551
Telephone: 0351 – 4914 2000
When you visit our website under www.skd.museum or our web portals, we collect and use the data that your browser automatically transmits to us, such as:
- the date and time of retrieval of one of our web pages,
- browser settings,
- operating system used,
- page you last visited,
- amount of data transferred and access status (file transfer, file not found, etc.)
- IP address
when using mobile devices also:
- country code
- device name
- name of the operating system and version.
In the case of informational visits, this data will be collected and used in non-personalised form on the basis of Art. 6 (1) e) of the General Data Protection Regulation (GDPR) in conjunction with Section 3 of the Saxon Data Protection Implementing Act (SächsDSDG). This is necessary for the performance of our tasks and is done in order to enable the use of the internet pages you have accessed under www.skd.museum or our web portals. In addition, this data is used for statistical purposes, as well as for improving the website of the SKD. The IP address is only stored for the duration of your visit to the website; no further analysis takes place.
In order to facilitate the use of the SKD web portals, “cookies” are used. Cookies are small text files that can be stored by the browser on the hard drive of the computer or mobile device and are helpful for using a website.
On the basis of Art. 6 (1) e) GDPR in conjunction with Section 3 SächsDSDG, the web portals of the SKD use what are known as session cookies (also called temporary cookies), which are stored only for the duration of your visit to a website. The purpose of these cookies is to keep track of your terminal devices when you switch between pages during a visit to the SKD web portals and to be able to ascertain when your visit ends. Cookies will be deleted as soon as you end your browser session. In this context, no collection or storage of personal data in cookies takes place. Nor is any technology used whereby information generated by cookies is linked to user data.
When you visit the website, you must decide whether you wish to accept or reject technically non-essential cookies. If you do not wish to accept non-essential cookies, you may not be able to make full use of all the functions on our website.
On the basis of Art. 6 (1) e) GDPR in conjunction with Section 3 SächsDSDG, the SKD uses the open-source software “Matomo”, produced by InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand (NZBN 6106769), in order to analyse user access information. This software makes it possible to analyse how a website is used and thereby make any necessary improvements to the website. For this purpose, Matomo places cookies. The resulting user information is transmitted to the SKD’s internet servers, along with your IP address, and stored in order to analyse usage data. During this process, your IP address is immediately anonymised, so that there is no possibility of tracing it back to you as the user. The information obtained in this way will not be passed on to third parties.
When you visit the website, you must decide whether you wish to accept or reject technically non-essential cookies. To do this, you only have to click on the box below (opt-in procedure).
You can also decide here whether a unique web analysis cookie can be stored in your browser (browser fingerprinting) in order to enable the operator of the website to collect and analyse various statistical data. If you wish to opt out, click on the following link to place the Matomo deactivation cookie in your browser.
You may choose to prevent this website aggregating and analysing the actions you take here. Doing so will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.
Your rights as a data subject
If you have consented to the processing of data in accordance with Art. 6 (1) a) GDPR or Art. 9 (2) a) GDPR, you have the right to revoke your consent at any time in writing or by email with effect for the future. In the event of such revocation, we will immediately delete the stored data. This shall not apply if these data are still necessary for performance of the contractual relationship. We shall also be entitled to process and/or use the data in spite of the revocation if this is done within the framework of a contractual relationship or quasi-contractual relationship of trust, and/or insofar as it is necessary in order to safeguard our legitimate interests and, after weighing up the interests on both sides, there is no reason to believe that the user has an overriding legitimate interest in rejecting such processing and/or use.
You are also entitled to the following rights if the legal requirements are met:
- Right to information about the personal data held concerning you (Art. 15 GRPR)
- Right to rectification of inaccurate personal data concerning you (Art. 16 GDPR)
- Right to erasure of personal data held concerning you (Art. 17 GDPR)
- Right to restriction of processing personal data (Art. 18 GDPR)
- Right to object to the processing of personal data (Art. 21 GDPR)
Under Article 77 GDPR, you also have the right to lodge a complaint with the supervisory authority if you consider that the processing of personal data concerning you infringes legal regulations.
Transmission of data to third parties, duration of storage and data security
Your personal data will generally not be passed on to third parties. Your data will only be transmitted if you have expressly agreed to such transmission, or if transmission is necessary for implementing and/or processing your orders, for sending the newsletter, or for responding to your queries. Furthermore, transmission is possible on the basis of a legal or official obligation. The conditions set out in Articles 28, 29 GDPR for data processing by a contracted processor are complied with.
Unless otherwise specified, your personal data will be stored for as long as is necessary for fulfilment of the respective purposes. If the user relationship is terminated, the data in the internal database will be deleted on a regular basis. This shall not include inventory data insofar as these are necessary for the establishment, content or alteration of the contractual relationship.
In order to protect your data, the website www.skd.museum and our web portals are provided using a secure SSL connection between the user’s server and the browser, i.e. the data is transmitted in encrypted form.
Data on our web portals are stored only on servers belonging to the Staatliche Kunstsammlungen Dresden inside the European Union (EU), unless you are informed otherwise.
We explicitly point out that data protection and data security for data transmission in open networks such as the Internet cannot be fully guaranteed given the current state of technology. The user is aware that, from a technical point of view, the provider is able to view the web page data stored on the web servers, and possibly also other data of the user stored there, at any time. The user is fully responsible for the security and safeguarding of the data he or she transmits to the Internet and stores on web servers. We cannot accept any liability for the disclosure of data due to errors or unauthorised access by third parties.
Notes on the web portals
The web portals of the SKD use Youtube, a platform provided by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, represented by Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereafter “Google”) on the basis of Art. 6 (1) e) GDPR in conjunction with Section 3 SächsDSDG in order to present their online services in an attractive way.
Information about the location and about which video has been viewed for how long is used for statistical purposes. These items of information can only be viewed independently of each other and independently of the username. The data is processed for typical museum purposes. The data is stored for the duration for which it is necessary to achieve this purpose and is deleted after the purpose has been fulfilled.
Be careful what information you disclose in comments on these channels. These are visible to other visitors to the site and to administrators as well. Because the pages are generally accessible, information that you share with a page is public data. This means that a comment can also be used outside of Youtube. Bear in mind that this information may be indexed in search engines, including Google.
The web portals of the SKD use Google Maps, a web mapping service developed by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Notes on social media channels
When you visit the SKD’s Facebook page, personal data concerning you is collected on the basis of Art. 6 (1) e) GDPR in conjunction with Section 3 SächsDSDG. The location and, if indicated in the Facebook profile, the age of the user will be used for statistical purposes. Neither the location nor the age can be linked to the username. The data is processed for typical museum purposes. The data is stored for the duration for which it is necessary to achieve this purpose and is deleted after the purpose has been fulfilled.
With regard to the tracking of users via the “Insights” function, Facebook and the SKD are ‘joint controllers’ within the meaning of Art. 26 GDPR. Data subjects may exercise their rights via Facebook Ireland and via the SKD. Pursuant to the GDPR, Facebook takes primary responsibility for processing Insights Data. All obligations arising from the GDPR concerning the processing of Insights Data lie with Facebook. As controller of the SKD fan page, the SKD do not make any decisions regarding the processing of Insights Data or any other information set out in Art. 13 GDPR, including the legal basis, the identity of the person responsible and the storage duration of cookies on user terminals.
Facebook Ireland provides those concerned with the essential information on the following page: www.facebook.com/legal/terms/page_controller_addendum.
When you visit the SKD’s Twitter page, personal data concerning you is collected on the basis of Art. 6 (1) e) GDPR in conjunction with Section 3 SächsDSDG. The location and, if indicated in the Twitter profile, the age of the user will be used for statistical purposes. Neither the location nor the age can be linked to the username. The data is processed for typical museum purposes. The data is stored for the duration for which it is necessary to achieve this purpose and is deleted after the purpose has been fulfilled.
When you visit the SKD’s Instagram page, personal data concerning you is collected on the basis of Art. 6 (1) e) GDPR in conjunction with Section 3 SächsDSDG. The location and, if indicated in the Instagram profile, the age of the user will be used for statistical purposes. Neither the location nor the age can be linked to the username. The data is processed for typical museum purposes. The data is stored for the duration for which it is necessary to achieve this purpose and is deleted after the purpose has been fulfilled.
Notes on contact and booking forms, the online shop and orders made by telephone and email
If you wish to make contact via the contact forms on our web portals or to place a booking request for education and mediation activities, it is necessary that you provide further data. These are the data required for processing your request in each case. They are marked with an asterisk (*). You can provide further information voluntarily.
In compliance with Art. 6 (1) b) GDPR, your data will be collected, stored and used only for performing the service requested by you, e.g. answering your query.
When using or ordering from our online shop or via the ‘Service-Center’ (i.e. making contact by phone or email) within our web portals, the necessary data are collected and stored. These include:
- your first name and surname,
- your email address,
- your address (street, house number, postcode, country)
If you register on our website and create a customer account, we will collect and store the following data:
- your email address,
- your password.
After successful registration, you can edit these data in the settings within your profile at any time.
On the basis of Art. 6 (1) b) GDPR, the data submitted while making purchases in the online shop or at the time of registration will be used via our web portals, and with our support, for the purpose of using the online shop and for performing and processing your requests and orders from the shop.
The postcode given by you when using or ordering from our online shop at www.skd.museum and/or when registering from the online shop and/or using the ‘Service-Center’ (i.e. when making contact by phone or email), and also your customer number, will also be used by us for statistical purposes on the basis of Art. 6 (1) e) GDPR in conjunction with Section 3 SächsDSDG. The data will be processed and used for conducting statistical analyses and drawing up statistical results, in particular in order to optimise our services for users on the basis of these results.
The processing of enquiries and orders in our online shop or via the ‘Service-Center’ (i.e. when you make contact by phone or email) is performed on behalf of the SKD by Avantgarde Sales & Marketing Support GmbH, Atelierstraße 10, 81671 Munich in compliance with the relevant legal requirements. Further information about Avantgarde Sales & Marketing Support GmbH can be obtained, for example, from: www.avantgarde.net
Your required payment data for ordering from the online shop will be processed by the following providers as external payment service providers: Concardis GmbH or PayPal (Europe) S.à r.l. et Cie, S.C.A.
Your delivery address data, which are necessary for the delivery of your order from the online shop, will be processed by the following suppliers as external shipping service providers: Post Modern Media Logistik GmbH or DHL Paket GmbH.
Newsletter; Use of CleverReach
In order to be able to subscribe to one of our email newsletters, we require at least your email address to which the newsletter is to be sent, in addition to your consent. Any further information is voluntary and will be used to address you personally and to be able to customize the content of the newsletter and clarify any questions about the email address. The processing of your data for sending the newsletter will be conducted on the basis of Art. 6 (1) a) GDPR.
For sending newsletters, the SKD use the so-called double-opt-in procedure, i.e. you will not be registered for receiving the newsletter until you have confirmed your registration by clicking on a link in a confirmation email sent to you for this purpose. This is to ensure that only you, as the owner of the email address provided, can subscribe to the newsletter. Your confirmation must be made promptly after receipt of the confirmation email, otherwise your newsletter registration will be automatically deleted from our database.
You can revoke your consent to receiving the newsletter at any time with effect for the future, e.g. via the ‘unsubscribe’ link at the end of each newsletter or by sending an email to firstname.lastname@example.org. Your data will then be immediately deleted.
For the administration of the newsletter recipients, as well as the preparation and distribution of the newsletter, the software produced by CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, represented by the company CleverReach Verwaltungs GmbH, represented in turn by the managing directors Christian Schmidt and Jens Klibingat, each of whom is authorised to represent the company alone (hereafter “CleverReach”), is used. The data concerning the newsletter recipients are hosted on a CleverReach server on behalf of the SKD in an area to which the SKD have password-protected access. The contract between SKD and CleverReach is based on the general terms and conditions and the data security policies of CleverReach (www.cleverreach.com/de/agb/). This includes the provision that CleverReach does not access or use the data of the newsletter recipients in any other way.
The annual ticket is personal and non-transferable. Therefore, a digital photo is taken for verifying the holder’s identity; this is printed on the annual ticket and is stored along with other data (name, image data, address, email address where applicable). Use of the image data for any other purpose than identity verification during a visit to the museum or a further issue of the annual ticket (replacement or follow-up card) is ruled out.
The customer data collected at the time of the purchase of the annual ticket are stored by the Staatliche Kunstsammlungen Dresden and its Visitor Services department on the basis of Art. 6 (1) b) GDPR for producing the annual ticket, for customer administration and care, and for controlling access, and they are deleted after expiry of the annual ticket. In addition, further data (postcode, age) are collected and evaluated by the Staatliche Kunstsammlungen Dresden on the basis of Art. 6 (1) e) GDPR in conjunction with Section 3 SächsDSDG for the purpose of visitor research and statistics; they are deleted after fulfilment of their purpose.
Notes on video surveillance
Video surveillance of the entrance areas and the objects in the exhibition rooms is carried out on the basis of Art. 6 (1) e) GDPR in conjunction with Section 13 SächsDSDG. The purpose is for the SKD to exercise its authority to enforce house rules. Video footage is stored for 3 days and then completely deleted. Recorded images are only passed on with legal justification at the request of and into the custody of state investigative bodies.
Notes on filming and photography
The photographing and filming of visitors during museum opening hours and during public and private events, and the publication of these photographs/films for the purpose of public relations in the exercise of official duties, are carried out on the basis of Art. 6 (1) e) GDPR in conjunction with Section 3 (1) SächsDSDG and Section 12 II No. 2 of the Saxon Administrative Organisation Act (Sächsisches Verwaltungsorganisationsgesetz, SächsVwOrgG). Visitors are informed about this by means of notices at the entrances. In the afore-mentioned photographs, the visitors are incidental (‘Beiwerk’) within the meaning of the Kunsturhebergesetz (KUG), the German law governing copyright in art; no portrait shots are taken. Objections against the processing of personal data may be lodged on the basis of Art. 21 GDPR.
Procurement, Loans, Export licences
The performance of procurement procedures necessitates information, including personal data. The data provided by you will be collected, organised, stored, used and deleted in compliance with Art. 6 (1) b) GDPR. The data will be used only for the purposes of verification and decision-making in the context of the procurement procedure as well as for the possible conclusion of a contract. Data is not generally used in any other way or transmitted to third parties. Exceptions to this are any disclosure to national or European inspection authorities or to the supervisory authority where required by law. The data will also be transmitted to an external consultant commissioned by the SKD to scrutinise the offer. Unless otherwise specified, the personal data will be stored as long as it is necessary for the fulfilment of the stated purposes and will be deleted after the expiry of the statutory retention periods.
In the course of loan procedures, personal data (name, address, telephone number, email address where applicable) of the lenders and borrowers are collected, passed on to parties involved in the procedures, such as the forwarding agent, and stored. The processing and transmission of data for the appropriate and secure conduct of the procedures is based on Art. 6 (1) e) GDPR in conjunction with Section 3 SächsDSDG. Any further storage for scientific and research purposes is based on Art. 6 (1) e) GDPR in conjunction with Section 12 SächsDSDG. The personal data will be stored as long as it is necessary for the fulfilment of the stated purposes and will be deleted after the expiry of the statutory retention periods.
For the processing by the SKD of applications for export licences and for the preparation of notifications, personal data (name, address, email address where applicable) concerning applicants, recipients, representatives of the applicant and the owners of the cultural property, are collected, processed and stored on the basis of Art. 6 (1) e) GDPR in conjunction with Section 77 of the Act to Protect German Cultural Property against Removal (Kulturgutschutzgesetz, KGSG). The data will be deleted after fulfilment of the stated purposes and expiry of the statutory retention periods.
Journalists in the press mailing list
Personal data concerning journalists (name, email address, phone number, mobile number, fax number) are collected and stored in the press mailing list on the basis of Art. 6 I e) GDPR in conjunction with Section 3 (1) SächsDSDG and Section 12 II No. 2 SächsVwOrgG. The purpose of processing is to perform public relations work as part of the official duties of the SKD. The data will be deleted after fulfilment of the said purposes. Objections to the processing of these data may be lodged on the basis of Art. 21 GDPR.