Data protection

Any collection, use, storage, deletion or other use (hereinafter “processing”) of data serves exclusively to provide our services. Our services have been designed with the aim of using as little personal data as possible. “Personal data” (hereinafter also referred to as “data”) means all individual information about the personal or factual circumstances of a specific or identifiable natural person (so-called “data subject”). The following information on data protection describes what types of personal data are processed when you access our website, what happens to this personal data and how you can object to data processing if necessary.

1. General information about data processing on this website

1.1 Responsible person

The person responsible within the meaning of the EU General Data Protection Regulation (GDPR) is:

Friends of the Nationalgalerie eV

Address: Potsdamer Straße 58, 10785 Berlin, Germany
Telephone: +49 (0)30 26 39 48 80
Email: office@freunde-der-nationalgalerie.de
Homepage: freunde-der-nationalgalerie.de

1.2 Data Protection Officer

The data protection officer is Kemal Webersohn from WS Data Protection GmbH

If you have any questions about data protection, you can contact WS Datenschutz GmbH at the following email address: freunde-der-nationalgalerie@ws-datenschutz.de

WS Data Protection GmbH
Dircksenstrasse 51
D-10178 Berlin

webersohnundscholtz.de

1.3 Protection of your data

We have taken technical and organizational measures to ensure that the regulations of the GDPR are observed by both us and external service providers who work for us.

If we work with other companies, such as email and server providers, to provide our services, we will do so only after an extensive selection process. During this selection process, each individual service provider is carefully selected for their suitability in connection with technical and organizational skills in data protection. This selection process is documented in writing and a contract in accordance with Art. 28 Para. 3 GDPR for the processing of personal data on behalf (AV contract) is only concluded if it meets the requirements of Art. 28 GDPR.

Your information will be stored on specially protected servers. Access to it is only possible for a few specially authorized people.

Our website is SSL/TLS encrypted, which you can recognize by the “https://” at the beginning of the URL.

1.4 Deletion of personal data

We only process personal data for as long as necessary. As soon as the purpose of data processing has been fulfilled, blocking and deletion will take place in accordance with the standards of the local deletion concept, unless legal regulations prevent deletion.

2 Data processing on this website and creation of log files

2.1 Description and scope of data processing

When you visit our website, our web servers temporarily save every access in a log file. The following personal data is collected and stored until it is automatically deleted:

• IP address of the requesting computer
• Date and time of access
• Name and URL of the retrieved file
• Amount of data to be transferred
• Message as to whether the retrieval was successful
• Recognition data of the browser and operating system used

Website from which access is made We use the service provider GRÜN Software Group GmbH as the provider and website manager. The data processing is carried out by: GRÜN Software Group GmbH, Pascalstr. 6, 52070 Aachen, Germany. The collaboration is based on an order processing contract in accordance with the provisions of Art. 28 GDPR.

Additional information on data protection at the service provider can be found at:
www.gruen.net/datenschutz/

2.2 Legal basis for data processing

This data is processed on the basis of Article 6 Paragraph 1 Sentence 1 Letter f) GDPR. Our legitimate interest is based on making our website accessible to you.

2.3 Purpose of data processing

The data processing is carried out for the purpose of enabling the use of the website (establishing a connection). It serves system security, the technical administration of the network infrastructure and the optimization of the Internet offering. The IP address is only evaluated in the event of attacks on our network infrastructure or the network infrastructure of our Internet provider.

2.4 Duration of data storage

The personal data will be deleted as soon as they are no longer required for the purposes mentioned above. This is the case when you close the website. Our hosting provider may use the data for statistical surveys. However, the data is anonymized for this purpose.

2.5 Possibility of removal by the person concerned

If you would like to access, correct, update or request deletion of your personal information, you can do so at any time by sending an email to datenschutz@gruen.net . In addition, you can object to the processing of your personal data, have us restrict the processing of your personal data or request the portability of your personal data. You can also exercise these rights here by sending an email to datenschutz@gruen.net .

2.6 poisonGREEN

We work with the service provider giftGRÜN (giftGRÜN GmbH, Digitalagentur, Pascalstraße 6, 52076 Aachen, Germany), who maintains our website. It cannot be ruled out that personal data, such as IP addresses, may occasionally be visible to giftGRÜN during maintenance of the website. For this purpose, we have concluded an order processing contract with the service provider in accordance with the provisions of Art. 28 GDPR in order to ensure your data security.

3 Use of cookies

3.1 Description and scope of data processing

Our website uses cookies. These are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive, assigned to the browser you use, and through which certain information flows to us or the entity that sets the cookie. Cookies cannot run programs or transmit viruses to your computer. We use them to enable you to log in and to analyze the use of our website in an anonymous or pseudonymized form and to present you with interesting offers on this website. Various data can be transmitted in this way:

• Frequency of website visits
• Which functions of the website you use
• Search terms used
• Your cookie settings
• Your language preference
• Your emoji display settings

When you access the website, a cookie banner informs you about the use of cookies and refers to the data protection declaration.

3.2 Legal basis for data processing

The legal basis for the processing of data through cookies, which do not solely serve the functionality of our website, is Article 6 Paragraph 1 Sentence 1 Letter a) GDPR. The legal basis for data processing for cookies, which solely serve the functionality of this website, is Article 6 Paragraph 1 Sentence 1 Letter f) GDPR.

3.3 Purpose of data processing

Our legitimate interest arises from ensuring a smooth connection setup and comfortable use of our website as well as for reasons of evaluating system security and stability. Data processing also takes place to enable statistical evaluation of website usage.

3.4 Duration of data storage

There are two types of cookies. Both are used on this website:

• Transient cookies (see a)
• Persistent cookies (see b)

a) Transient cookies , they are automatically deleted when you close the browser. These include, in particular, session cookies. These store a so-called session ID, with which various requests from your browser can be assigned to the shared session. This allows your computer to be recognized when you return to our website. The session cookies are deleted when you log out or close the browser.

b) Persistent cookies , which are automatically deleted after a specified period of time, which may differ depending on the cookie.

3.5 Possibility of removal by the person concerned

You have the option at any time to revoke your consent to data processing through cookies that do not solely serve the functionality of the website. In addition, we only set cookies after you have agreed to the setting of cookies when you access the site. In this way you can prevent data processing via cookies on our website.

You can also delete cookies at any time in your browser's security settings. We would like to point out that you may not be able to use all of the functions of this website. The setting of cookies can also be prevented at any time through the appropriate settings in your internet browser.

3.6 Borlabs cookie banner

3.6.1 Description and scope of data processing

Our website uses the Borlabs Cookie Banner to obtain your consent to store certain cookies in your browser and to document them in accordance with data protection regulations. The Borlabs Cookie Banner uses technically necessary cookies to store your cookie preferences. This data will be

not passed on to the provider of the Borlabs Cookie Banner. Data processing is carried out by: Borlabs GmbH, Hamburger Str. 11, 22083 Hamburg, Germany.

3.6.2 Purpose of data processing

Our website uses the Borlabs Cookie Banner to obtain your consent to store certain cookies in your browser and to document them in accordance with data protection regulations. The Borlabs Cookie Banner uses technically necessary cookies to store your cookie preferences. This data will not be passed on to the provider of the Borlabs Cookie Banner. Data processing is carried out by: Borlabs GmbH, Hamburger Str. 11, 22083 Hamburg, Germany.

3.6.4 Legal basis for data processing

Data processing is carried out in accordance with Article 6 Paragraph 1 Letter c) GDPR to fulfill our legal obligation in accordance with Article 7 Paragraph 1 GDPR.

3.6.5 Duration of data storage

Unless otherwise specified, personal data will be processed and stored for as long as required by the purpose for which they were collected and may be retained for longer if necessary to comply with a legal obligation or based on the user's consent.

3.6.6 Possibility of elimination by the person concerned

You can contact us at any time and object to further processing of your data. In this case, we unfortunately cannot continue communication with you. In this case, all personal data that was processed by us in the course of contacting you will be deleted, unless the deletion conflicts with legal obligations to store your data.

Further information on data processing can be found in Borlabs' data protection declaration: de.borlabs.io/datenschutz/

4 contact

4.1 Description and scope of data processing

It is possible to contact us via email via our website. For this purpose, various data is required to answer the request, which is automatically saved for processing.

It is also possible to contact us via telephone and fax. The data will not be passed on to third parties.

4.2 Legal basis for data processing

The legal basis used here is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR.

4.3 Purpose of data processing

We process your data exclusively to process your contact request.

4.4 Duration of data storage

We will delete your data as soon as the purpose of data processing has been fulfilled, usually immediately after the request has been answered. In rare cases, however, we may retain your data for a longer period of time. This may arise from legal, regulatory or contractual obligations.

4.5 Possibility of removal by the person concerned

You can contact us at any time and object to further processing of your data. In this case, we unfortunately cannot continue communication with you. In this case, all personal data that was processed by us in the course of contacting you will be deleted, unless the deletion conflicts with legal obligations to store your data.

5 Data processing as part of applications

5.1 Description and scope of data processing

to apply to us via our website via email to jobs@freunde-der-nationalgalerie.de For this purpose, personal data is processed and stored for further processing for the respective application process.

5.2 Legal basis for data processing

The legal basis for data processing is Art. 88 GDPR and Section 26 BDSG.

5.3 Purpose of data processing

We process your data exclusively for the purpose of carrying out the application process.

5.4 Duration of data storage

If the application leads to employment, the personal data will be stored accordingly in compliance with legal regulations. If the application is not taken into account when selecting a potential candidate, it will be deleted in accordance with the rules of the local deletion concept, taking into account the provisions of the AGG, in particular the existing burden of proof in accordance with Section 22 AGG.

This does not apply if legal provisions prevent deletion or if you have given your consent to longer storage. In this case, your personal data will be stored further on the basis of Article 6 Paragraph 1 Sentence 1 Letter c) and Letter a) GDPR.

5.5 Possibility of removal by the person concerned

You can contact us at any time and object to further processing of your data. In this case, all personal data processed by us in the course of the application process will be deleted, unless deletion is contrary to mandatory legal regulations.

6 become a member

6.1 Description and scope of data processing

You have the opportunity to become a member and benefit from our enthusiasm for art. We offer you different membership options:

• Friends
• 2 friends
• Young friends
• Little friends
• Friends of reopening
• Company friends

The application requires various personal data from you. These vary depending on the different memberships. In particular, however, the following personal data must be provided:

• Contribution type
• Amount
• First name
• Last name
• Address
• E-mail address
• Telephone number
• Club-related data (e.g. date of joining the club or changes to the type of membership)
• Bank details (in the case of a SEPA direct debit mandate)

The data is used exclusively to check your membership application and to grant you access to your member profile in the member area, through which you can manage access to events and your data. The member area and the area for registering for it are provided by our service provider GRÜN Software Group GmbH. The data processing is carried out by: GRÜN Software Group GmbH, Pascalstr. 6, 52070 Aachen, Germany. The collaboration is based on an order processing contract in accordance with the provisions of Art. 28 GDPR.

Additional information on data protection at the service provider can be found at: www.gruen.net/datenschutz/

6.2 Legal basis for data processing

Your personal data is processed in accordance with Article 6 Paragraph 1 Sentence 1 Letter b) GDPR due to the fulfillment of the contract for the purpose of membership and in accordance with Article 6 Paragraph 1 Clause 1 Letter f) GDPR due to our legitimate interest in this Purpose of managing and supporting members and to create a member account for you in the member area to manage your membership. The passing on of the email address and name to the Berlin State Museums for the purpose of sending invitations to Nationalgalerie events is subject to consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a) GDPR. Consent is also requested in accordance with Article 6 Paragraph 1 Sentence 1 Letter a) GDPR as to whether the first and last name as well as the profession may be published in the member directory (which can only be viewed by members).

6.3 Purpose of data processing

The data processing takes place in order to be able to check your membership application and, if your membership is confirmed, to give you the opportunity to manage your data in your user account and to take part in our offers.

6.4 Duration of data storage

The data will be deleted as soon as the purpose of data processing has been achieved and no contractual or legal retention periods prevent deletion. This is usually the case one year after a membership has been terminated.

6.5 Possibility of removal by the person concerned

You have the option to revoke your consent at any time or to exercise your rights towards us. To do this, please use the contact details provided above. You also have the opportunity to change and correct your personal data within your user account at any time. If you would like to terminate your membership, please contact us using the contact details provided above.

6.6 Members Area

6.6.1 Description and scope of data processing

Through our member area you have the opportunity to manage your personal data in your membership, book events, manage files, keep a calendar and change your password.

Personal data is processed depending on how you use the member area, for example which events you would like to register for. In addition, our web servers temporarily save every access in a log file. The following personal data is collected and stored until it is automatically deleted:

• IP address of the requesting computer
• Date and time of access
• Name and URL of the retrieved file
• Amount of data to be transferred
• Message as to whether the retrieval was successful
• Recognition data of the browser and operating system used
• Website from which access is made

The member area is provided by our service provider GRÜN Software Group GmbH. The data processing is carried out by: GRÜN Software Group GmbH, Pascalstr. 6, 52070 Aachen, Germany. The collaboration is based on an order processing contract in accordance with the provisions of Art. 28 GDPR.

Additional information on data protection at the service provider can be found at: www.gruen.net/datenschutz/

6.6.2 Legal basis for data processing

Data processing is carried out on the basis of our contractual basis within the framework of membership and membership management in accordance with Article 6 Paragraph 1 Sentence 1 Letter b) GDPR and on the basis of our legitimate interest in accordance with Article 6 Paragraph 1 Clause 1 Letter f). GDPR to provide a user interface through which our members have the opportunity to register for the association's events and to manage their membership data independently.

6.6.3 Purpose of data processing

The data processing takes place in order to enable you to have a member area to independently manage events and your data

6.6.4 Duration of data storage

The data will be deleted as soon as the purpose of data processing has been achieved and no contractual or legal retention periods prevent deletion. With regard to your member and usage data, this is usually the case one year after your membership has ended. Log data is deleted when you close the website. Our hosting provider may use the data for statistical surveys. However, the data is anonymized for this purpose.

6.6.5 Opportunity for the person concerned to participate

You have the option to revoke your consent at any time or to exercise your rights towards us. To do this, please use the contact details provided above. You also have the opportunity to change and correct your personal data within your user account at any time. If you would like to terminate your membership, please contact us using the contact details provided above.

7 GRÜN VEWA management software

7.1 Description and scope of data processing

We use GRÜN VEWA to manage and organize our members’ data. The data processing is carried out by: GRÜN Software Group GmbH, Pascalstraße 6, 52076 Aachen, Germany.

Further information on data protection at GRÜN Software Group GmbH can be found here: www.gruen.net/datenschutz/

7.2 Legal basis for data processing

The data processing is based on Article 6 Paragraph 1 Letter f) GDPR. Our legitimate interest lies in the optimal management and organization of our member data.

7.3 Purpose of data processing

The data processing serves to provide clarity in the administration.

7.4 Duration of data storage

The data will be stored until the purpose of data processing has been achieved and no legal, contractual or official retention obligations prevent deletion. Regularly within one year of termination of membership.

7.5 Possibility of removal by the person concerned

You have the opportunity to object to data processing at any time and to exercise your rights to information, deletion or correction of your data. To do this, please contact our data protection officer.

8 member mail

8.1 Description and scope of data processing

If you would like to become a member of us, you have the option of indicating that you would like to receive member mail from us. The personal data provided during registration will be used for this purpose:

• First name
• Last name
• E-mail address
• Address details

This personal data is necessary to send you member mail by email or occasionally by post.

8.2 Legal basis for data processing

You will only receive the member mail if you have become a member of our association. No explicit consent is required on your part for this, as delivery of member mail only takes place within the narrow limits of Section 7 Paragraph 3 UWG, which in the light of Art. 95 GDPR is a mirror image of Art. 6 Paragraph 1 Sentence 1 Letter f). GDPR is to be understood. Our legitimate interest is to inform our members about our events and offers through promotional emails and thus maintain contact with our members. If in special cases you have given us your consent to send members' mail without being a member, the data processing will take place exclusively on the basis of your consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a) GDPR.

8.3 Purpose of data processing

The function of the members' mail is to inform you at regular intervals about offers and news from us.

8.4 Duration of data storage

We only process your data for as long as it is necessary to fulfill the purpose and deletion does not conflict with any legal or official retention obligations. They will be deleted at the latest when the membership is terminated or if you no longer wish to receive member mail and express this objection to us.

8.5 Possibility of removal by the person concerned

You have the option to object to further sending of member mail at any time. To do this, you can click on the unsubscribe link integrated in every newsletter or express your objection to us in another way. If you have given your consent, you can revoke it at any time.

8.6 Shipping service providers

8.6.1 Description and scope of data processing

Members’ mail is sent via email using “CleverReach”, an online marketing platform. Data processing is carried out by: CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany.

Our members' email addresses, as well as their first and last names, are stored on CleverReach's servers in the EU. CleverReach uses this information to send and evaluate the newsletter on our behalf. CleverReach does not pass this data on to third parties. The newsletters contain a so-called “web beacon”, ie a pixel-sized file that is retrieved from the Cleverreach server when the newsletter is opened. As part of this retrieval, information such as information about your system, your IP address and the time of retrieval are collected. The statistical surveys also include determining whether the newsletters are opened, how often they are opened and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. However, it is neither our nor CleverReach's intention to monitor individual users.

Further information can be found in CleverReach's data protection declaration at the following link: www.cleverreach.com/de/datenschutz/

8.6.2 Legal basis for data processing

The data processing is based on our legitimate interest in ensuring that our member mail is sent reliably in accordance with Article 6 Paragraph 1 Sentence 1 Letter f) GDPR.

8.6.3 Purpose of data processing

We use CleverReach as our shipping service provider to ensure effective sending of emails.

8.6.4 Duration of data storage

The data will be deleted as soon as the purpose of data processing has been fulfilled and no official, contractual or legal retention periods prevent deletion. At the latest when your membership is canceled.

8.6.5 Possibility of removal by the person concerned

You have the option to object to data processing at any time. To do this, please contact our data protection officer. You are also free to use the “opt-out” link at the end of each email at any time, which will result in us deleting your email address from our address list, which is why CleverReach will not process your personal data any further . We ask you to note that in this case we will no longer be able to send you member mail.

9 social media links

We have integrated social media platforms into our services via icons, which mean that the social media providers may receive data from you. If you click on the social media link, the website of the respective social media provider will be accessed. When you access the website of the respective social media provider via our services, the respective reference data is transmitted to the respective social media provider. The social media provider thereby receives the information that you have visited us.

Note on data processing in the USA:
If you click on a social media link, your data may be processed by the respective provider in the USA. According to the ECJ, the data protection standard in the USA is inadequate and there is a risk that your data will be processed by the US authorities for control and surveillance purposes, possibly without any legal remedy. If you do not click on the social media provider's links, no data will be transferred.

Further information on data processing by social media providers can be found here:

• Meta:
  • https://de-de.facebook.com/help/pages/insights,
  • https://de-de.facebook.com/about/privacy,
  • https://de-de.facebook.com/full_data_use_policy
• Instagram:
  • https://help.instagram.com/155833707900388
  • https://www.instagram.com/about/legal/privacy/
• LinkedIn:
  • https://www.linkedin.com/legal/privacy-policy
• YouTube:
  • https://www.google.de/intl/de/policies/privacy/

9.1 YouTube

9.1.1 Description and scope of data processing

We use the provider YouTube to integrate videos on our website. Responsible for data processing together with us is: YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA, represented by Google LLC., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA.

Data processing for the European Economic Area and Switzerland is carried out by: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Normally, when you access some pages on our website with embedded videos, your IP address is sent to YouTube and cookies are installed on your computer. However, we have integrated YouTube videos with the extended data protection mode. In this case, YouTube still contacts Google's Google Ad Manager - formerly Double Click - service, but according to Google's privacy policy, personal data is not evaluated. This means that YouTube no longer stores information about visitors unless they watch the video. If you click on the video, your IP address will be transmitted to YouTube and YouTube will find out that you have viewed the video. If you are logged in to YouTube, this information is also assigned to your user account. We have no knowledge of and no influence on the possible collection and use of your data by YouTube. For further information on the subject of data protection, we refer to the following data guidelines from YouTube and Google: www.google.de/intl/de/policies/privacy/

9.1.2 Legal basis for data processing

The legal basis for data processing is your consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a) GDPR.

9.1.3 Purpose of data processing

We use social media to make our company better known. We would also like to offer you the opportunity to interact with social media via our website.

9.1.4 Duration of data storage

The data collected by YouTube (Google) via plugins and advertising is deleted by the person responsible after a fixed storage period. According to Google, this time is 9 and 18 months respectively.

9.1.5 Possibility of removal by the person concerned

You have the option to revoke your consent to data processing at any time. Please contact our data protection officer. To prevent data processing by YouTube, you have the option of logging out of YouTube before accessing our website and deleting all cookies from your browser history. Further settings and objections to the use of data for advertising purposes are possible within the YouTube profile settings. The settings are platform-independent, meaning they are applied to all devices, such as desktop computers or mobile devices.

10 donation form spendino

10.1 Description and scope of data processing

If you would like to send us a donation, you can do this using the services of our partner GRÜN spendino. Data processing is carried out by: GRÜN Software Group GmbH, Pascalstraße 6, 52076 Aachen, Germany.

GRÜN spendino is a Software-as-a-Service (SaaS) solution for providing online donation forms and for managing online donations and donors.

If you visit our subpages with an integrated donation form, no data will initially be processed by GRÜN Software Group GmbH because we have integrated the donation form using a so-called two-click solution. Only when you actively click on the donation form will a connection be established with the GRÜN Software Group GmbH servers and user-specific analysis data, such as the form used, as well as technical data, such as the IP address, will be encrypted and transmitted securely. When you use the form, your personal data, such as title, first name, surname, email address, account holder and account details and, if applicable, address, will be processed and stored exclusively for the purpose of collecting donations and managing donations.

Further information on data protection can be found in the provider's data protection regulations: www.gruen.net/spendino/unternehmen/datenschutz/

Only if you would like to receive a donation confirmation from us by post or email will we also process your email or address data for the purpose of sending the donation receipt.

10.2 Legal basis for data processing

The legal basis for processing the donation is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. The basis for storing donor data and proof of donations is Art. 6 Para. 1 lit. c) GDPR.

10.3 Purpose of data processing

We process your data exclusively for the purposes of processing and managing donations and fulfilling our legal retention obligations.

10.4 Duration of data storage

We only store your data for as long as is necessary to fulfill the purpose and for as long as we are obliged to retain your data by legal, contractual or official obligations. Your data will be stored for a period of 10 years in accordance with Section 14b Paragraph 1 Sentence 1 UStG (Sales Tax Act). This storage period results from legal regulations and serves to fulfill our tax obligations.

If you cancel the payment process or are unable to make a payment for technical reasons, your data will be deleted after just six weeks.

10.5 Possibility of removal by the person concerned

Data processing is absolutely necessary in order to process your donation, which is why it cannot be dispensed with. You can contact us at any time to assert your further rights.

11 Analysis

To continually improve our website offerings, we use the following analysis tools. Below you can find out which data is processed and how you can contact the respective service providers:

11.1 Matomo

11.1.1 Description and scope of data processing

We use the web analysis service Matomo (formerly PIWIK). Matomo is located in New Zealand, a third country with an adequate level of protection certified by the EU Commission in accordance with Art. 45 Para. 3 GDPR, https://eur-lex.europa.eu/legalcontent/ EN/ALL/?uri=CELEX%3A32013D0065

Matomo sets a cookie. For an explanation of cookies, please refer to the relevant passage above. The following data is stored:

• Two bytes of the IP address of the calling system
• The website accessed
• The website from which you reached the website you accessed (referrer)
• The subpages that are accessed from the website being accessed
• The time spent on the website
• The frequency of visits to the website

The software runs exclusively on the servers of our website. Your personal data will only be stored there. This data will not be disclosed to third parties.

The software is set so that the IP addresses are not saved completely, but rather 2 bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). In this way, it is no longer possible to assign the shortened IP address to the calling computer. For further information about Matomo's data protection regulations, we refer to the following links: matomo.org/privacy/ and matomo.org/privacy-policy/

11.1.2 Legal basis for data processing

The legal basis for data processing is your consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a) GDPR.

11.1.3 Purpose of data processing

The web analysis service Matomo primarily serves us to optimize the website and for cost-benefit analysis. Matomo is still used to enable an analysis of the flow of visitors to the website. It is in our interest to make our website clear and user-friendly for you.

11.1.4 Duration of data storage

We only process personal data for as long as it is necessary. As soon as the purpose of data processing has been fulfilled, blocking and deletion will take place in accordance with the standards of the local deletion concept, unless legal, official or contractual regulations prevent deletion.

11.1.5 Possibility of removal by the person concerned

You have the option to revoke your consent to data processing at any time. Please contact our data protection officer. The setting of cookies can also be prevented at any time by making the appropriate settings in your internet browser. The cookies that have already been set can also be deleted in the future in the Internet browser settings.

11.2 Facebook Custom Audience / Facebook Pixel

11.2.1 Description and scope of data processing

Our website uses Meta's visitor action pixel (“Facebook pixel”) to measure conversions. Data processing is carried out by: Meta Platforms Ireland Limited, 1 Hacker Way, Menlo Park, CA 94025, USA.

With the help of the Facebook pixel, the behavior of site visitors can be tracked after they visit our website. This allows the effectiveness of the meta advertisements to be evaluated for statistical and market research purposes and future advertising measures to be optimized. Meta receives the following categories of data: the redirect URL, browser information and the person's Facebook user ID if they have a Facebook account and are logged in to Facebook.

The data is stored and processed by Meta so that a connection to the respective user profile is possible and Meta can use the data for its own advertising purposes in accordance with the Meta data usage policy. This allows Meta to enable the placement of advertisements on Meta pages as well as outside of Meta. As the site operator, we cannot influence this use of data.

You can find Meta’s data protection information at www.facebook.com/about/privacy/

11.2.2 Legal basis for data processing

The legal basis for using the application is your consent, in accordance with Article 6 Paragraph 1 Sentence 1 Letter a) GDPR.

11.2.3 Purpose of data processing

We process your data for the purpose of continuously optimizing our website in line with your needs. This also results in our legitimate interest in data processing.

11.2.4 Duration of data storage

The data will be deleted as soon as it is no longer required for our recording purposes and there are no legal, official or contractual regulations that prevent deletion.

11.2.5 Possibility of removal by the person concerned

You have the option to revoke your consent to data processing at any time. Please contact our data protection officer. You can deactivate the “Custom Audiences” remarketing function in the ad settings area at www.facebook.com/ads/preferences/?entry_product=ad_settings_screen if you have a Facebook account. If you don't have a Facebook account, you can deactivate Meta usage-based advertising on the European Interactive Digital Advertising Alliance website: www.youronlinechoices.com/de/praferenzmanagement/

11.3 Google Ad Manager (formerly Double Click)

11.3.1 Description and scope of data processing

Our website uses Google Ad Manager. Data processing for the European Economic Area and Switzerland is carried out by: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ad Manager is used to serve ads when you visit our website. Google Ad Manager uses information about your visits to this and other websites to provide advertisements about products and services that interest you. If you would like to learn more about these methods or what options you have to prevent this information from being used by Google Ad Manager, click here: www.google.de/policies/technologies/ads/ .

11.3.2 Legal basis for data processing

Data processing is based on your consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a) GDPR.

11.3.3 Purpose of data processing

Our interest lies in entering into collaborations with other companies in order to participate economically.

11.3.4 Duration of data storage

The data will be deleted as soon as it is no longer required for our recording purposes and there are no legal, official or contractual regulations that prevent deletion.

11.3.5 Possibility of removal by the person concerned

You have the option to revoke your consent to data processing at any time. Please contact our data protection officer. The setting of cookies can be prevented at any time by making the appropriate settings in your internet browser. The cookies that have already been set can also be deleted in the internet browser settings. We would like to point out that preventing the setting of cookies may mean that not all functions are fully available.

11.4 Google Ads and Google Conversion Tracking

11.4.1 Description and scope of data processing

We have integrated the services of Google Ads (formerly Google AdWords) on this website. Google Ads is an internet advertising service. Data processing for the European Economic Area and Switzerland is carried out by: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. If you have reached our website through a Google ad, Google will place a so-called conversion cookie on your system. For explanations on cookies, please refer to the passage on cookies. The conversion cookie is used to create and analyze visit statistics. The conversion cookie stores the IP address when you visit the website. This data is stored in the USA. It is possible that Google also passes on this data to third parties. For further data protection information from Google, please see: www.google.de/intl/de/policies/privacy/

11.4.2 Legal basis for data processing

The legal basis for data processing is your consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a) GDPR.

11.4.3 Purpose of data processing

We use Google Ads to be able to place targeted advertising for our company in Google's search engine results.

11.4.4 Duration of data storage

30 days after the conversion cookie is set, the cookie loses its validity. This means that you can no longer be identified. Within these 30 days, both we and Google can use the conversion cookie to track which sub-pages have been accessed.

11.4.5 Possibility of removal by the person concerned

You have the option to revoke your consent to data processing at any time. Please contact our data protection officer.

The setting of cookies can be prevented at any time by making the appropriate settings in your internet browser. The cookies that have already been set can also be deleted in the internet browser settings. We would like to point out that preventing the setting of cookies may mean that not all functions are fully available.

permanently prevent data processing in your browser using this link www.google.com/settings/ads/plugin As a result, it is possible that functions of our website will no longer be fully available.

It is also possible in the browser settings to object only to cookies for conversation tracking and thus user-related advertising by Google. To do this, please click on the following link: www.google.de/settings/ads . We would like to point out that a new setting will be necessary if you delete the cookies in your browser.

You can also deactivate those user-related ads that are part of the self-regulatory campaign “About Ads” by clicking on the following link. We would like to point out that a new setting will be necessary if you delete the cookies in your browser.

11.5 Google AdSense

11.5.1 Description and scope of data processing

We use Google AdSense on the website. This is an online service that is used for advertising purposes. Google AdSense enables the placement of advertising on third-party websites. Data processing for the European Economic Area and Switzerland is carried out by: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

When you use Google AdSense, a cookie is set for the person concerned. For information on cookies, please refer to the passage on cookies. The information stored in the cookie can be recorded, collected and evaluated by Google Inc. or third parties. In addition, Google AdSense also uses so-called “WebBacons” (small invisible graphics) to collect information. Simple actions such as visitor traffic on the website can be recorded, collected and evaluated.

The information generated by the cookie and/or web beacon about your use of this website is transmitted to a Google server in the USA and stored there. Google uses the information obtained in this way to evaluate your usage behavior with regard to the AdSense advertisements. Google may also transfer this information to third parties if this is required by law or if third parties process this data on behalf of Google. Google does not associate your IP address with other data stored by Google. For further information about Google AdSense, please refer to the following link: www.google.de/intl/de/adsense/start/

11.5.2 Legal basis for data processing

The legal basis for data processing is your consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a) GDPR.

11.5.3 Purpose of data processing

Our interest lies in improving our awareness by enabling user-specific advertisements. Through advertising we open up a larger circle of users and interested parties. We also increase our level of awareness.

11.5.4 Duration of data storage

The data will be deleted as soon as it is no longer required for our recording purposes and no official, legal or contractual regulations prevent deletion.

11.5.5 Possibility of removal by the person concerned

You have the option to revoke your consent to data processing at any time. Please contact our data protection officer. The setting of cookies and the display of web beacons can be prevented at any time by making the appropriate settings in your internet browser. The cookies that have already been set can also be deleted in the internet browser settings. We would like to point out that preventing the setting of cookies may mean that not all functions are fully available.

11.6 LinkedIn Ads and Conversion Tracking

11.6.1 Description and scope of data processing

We place advertising on LinkedIn. We also use the analysis and conversion tracking technology of the LinkedIn platform to check the effectiveness of this advertising. Data processing is carried out by: LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

LinkedIn places a cookie on your computer from which information is obtained to display advertising. The cookie text files contain information about your visits to our website, in particular the pages you viewed, in order to be able to make specific product recommendations on subsequent visits to our website or third-party websites. The cookie contains a randomly generated alias. If you visit our or LinkedIn's website again within a certain period of time, LinkedIn will recognize you using this alias. However, this information cannot be linked to you personally. Neither we nor LinkedIn combine this information with your personal data and do not pass on any personal data to third parties.

11.6.2 Legal basis for data processing

Data processing is based on your consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a) GDPR.

11.6.3 Purpose of data processing

It is in our interest to inform you about our offer and to make it clear and user-friendly for you. This also represents the purpose of data processing.

11.6.4 Duration of data storage

The data will be deleted as soon as it is no longer required for our recording purposes and no legal, contractual or official regulations prevent deletion.

11.6.5 Possibility of removal by the person concerned

You have the option to revoke your consent to data processing at any time. Please contact our data protection officer. You can prevent the storage and use of data in a LinkedIn cookie by visiting the link www.linkedin.com/psettings/guest-controls/retargeting-opt-out and selecting “Reject”. If you select this option, A new cookie (opt-out cookie) is set in your browser, which informs LinkedIn that no data about your browser behavior may be stored. Please note that the setting must be made for all browsers you use. If all your cookies are deleted in a browser, LinkedIn's opt-out cookie will also be affected.

12 Other third-party tools

We also use third-party providers who help us with the page display and functionality of the website. These are listed below:

12.1 Google Maps

12.1.1 Description and scope of data processing

This website uses the Google Maps product from Google LLC. Data processing for the European Economic Area and Switzerland is carried out by: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you access a page, your browser loads the required geo-information into your browser cache in order to display the map correctly. For this purpose, the browser you use must connect to Google's servers. This gives Google knowledge that our website was accessed via your IP address and which map was displayed. The terms of use of Google Maps can be found at www.google.com/intl/de_de/help/terms_maps.html

12.1.2 Legal basis for data processing

The legal basis is your consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a) GDPR.

12.1.3 Purpose of data processing

Using Google Maps makes it easier for you to find our location and to interact with it in various ways, for example by planning routes.

12.1.4 Duration of data storage

The data will be deleted as soon as it is no longer needed for the purpose of data processing, unless legal, official or contractual regulations prevent deletion.

12.1.5 Possibility of removal by the person concerned

You have the option to revoke your consent to data processing at any time. To do this, please contact our data protection officer.

If you do not want to use Google Maps, parts of our website cannot be used.

12.2 Self-hosted Google Web Fonts

12.2.1 Description and scope of data processing

We use so-called web fonts on the website to display fonts uniformly. When you access a page, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly. We have integrated the web fonts locally on our own website so that Google does not become aware that our website was accessed via your IP address. If your browser does not support web fonts, your computer will use a standard font.

12.2.2 Legal basis for data processing

The legal basis is based on our legitimate interest in accordance with Article 6 Paragraph 1 Sentence 1 Letter f) GDPR.

12.2.3 Purpose of data processing

The purpose of data processing is the uniform display of fonts on this website in order to be able to offer a visually interesting and user-friendly website.

12.2.4 Duration of data storage

No data is saved.

12.2.5 Possibility of removal by the person concerned

You can set your browser so that it does not support web fonts. In this case, a standard font from your computer is used.

12.3 Yoast SEO

12.3.1 Description and scope of data processing

We use the services of Yoast SEO on our website. Data processing is carried out by: Yoast BVDon, Emanuelstraat 3, 6602 GX Wijchen, Netherlands.

We use the Yoast SEO plugin. This plugin takes care of the complete technical optimization of our websites for search engines. It also helps in content development. The plugin uses cookies.

Further information about the service provider’s data protection can be found here: yoast.com/privacy-notice/

12.3.2 Legal basis for data processing

The data processing is based on Article 6 Paragraph 1 Letter f) GDPR. Our legitimate interest lies in the technical optimization of our websites for search engines.

12.3.3 Purpose of data processing

The data processing serves the purpose of being able to optimally transmit page information to search engines in order to technically optimize our website for search engines.

12.3.4 Duration of data processing

The data will be stored until the purpose of data processing has been achieved and no legal, contractual or official retention obligations prevent deletion.

12.3.5 Possibility of removal by the person concerned

You can prevent the storage of cookies by setting your browser software accordingly. However, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.

13 Online shop (ticket system (visitate.net))

13.1 Description and scope of data processing

If you shop with us, you will be referred via a link to our online shop, which has a separate data protection declaration ( Museum & Service (visitate.net) ) that provides information about data processing in the online shop. If you buy from us here and a delivery is arranged, we process the following categories of data:

• contact details
• Billing Details
• Registration credentials

When parcel deliveries are made, we also pass on your name, address, telephone number and email address to our contractually bound processors and service providers.

13.2 Legal basis for data processing

The legal basis for the associated data processing is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR, i.e. the processing of your data is necessary for the fulfillment of the purchase contracts and delivery agreements.

13.3 Purpose of data processing

We process your data in order to conclude the purchase contract including delivery agreement with you, to process the purchase contract including invoicing by email or post and receipt of payment, to ensure punctual delivery and to inform you about delivery dates and/or changes to delivery. We pass on your data to our service providers so that they can process the delivery and, if necessary, communicate with you to announce and coordinate the delivery of your ordered goods.

13.4 Duration of data storage

Your data will only be stored for as long as is necessary to fulfill the purpose and as long as we are obliged to retain your data by legal, contractual or official obligations.

13.5 Possibility of removal by the person concerned

Data processing is absolutely necessary in order to be able to process your purchase contract, which is why it cannot be dispensed with. There is therefore no possibility of elimination.

13.6 Credit Card

13.6.1 Description and scope of data processing

If you would like to pay for your order via our online shop with your credit card, we need data to process the payment. In particular, questions are asked about:

• names,
• Address,
• E-mail address,
• credit card number,
• Name of the credit card holder and
• the validity period of the credit card.

We check the data entered together with the data of your order.

13.6.2 Legal basis for data processing

The legal basis for the associated data processing is Article 6 Paragraph 1 Sentence 1 b) GDPR, i.e. the processing of your data is necessary to fulfill the agreement on payment by credit card.

13.6.3 Purpose of data processing

We process this data in order to detect misuse of the credit card or the payment option by credit card at an early stage and, after successful verification, use the data to process the agreed payment by credit card.

13.6.4 Duration of data storage

Your data will only be stored for as long as is necessary for purchase processing and invoicing, unless legal or contractual storage periods prevent your data from being deleted.

13.6.5 Possibility of removal by the person concerned

Data processing is absolutely necessary in order to be able to process your payment by credit card, which is why it cannot be waived if you have chosen this payment method. There is therefore no possibility of elimination.

13.7 PayPal

13.7.1 Description and scope of data processing

We offer PayPal as a possible payment service. PayPal is a virtual account model and means of payment. In order to use the payment service using PayPal, you must first register with PayPal. The data processing is carried out by: PayPal (Europe) S.à.rl & Cie. SCA, 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.

If you use PayPal as a payment method, your personal data will be transmitted to PayPal. The personal data is:

• Surname,
• Last name,
• Address,
• E-mail address,
• IP address,
• telephone number,
• if applicable, mobile number and
• other data required for final payment processing.

In addition to passing on the data to credit agencies, it is also possible that PayPal may pass on the personal data to affiliated companies, including subcontractors, if this is necessary to fulfill the contractual obligations. The same applies to order processing. PayPal uses binding internal data protection regulations (Binding Corporate Rules): www.paypal.com/de/webapps/mpp/ua/bcr to secure data processing.

Regarding PayPal's data protection information, please refer to the following link: www.paypal.com/de/webapps/mpp/ua/privacy-full

13.7.2 Legal basis for data processing

The legal basis is based on Article 6 Paragraph 1 Sentence 1 Letter b) GDPR.

13.7.3 Purpose of data processing

The transmission of the data is necessary to prevent any misuse. We inform you that PayPal may transmit personal data to credit agencies. This is because PayPal reserves the right to check your identity and creditworthiness.

13.7.4 Duration of data storage

Your data will only be stored for as long as is necessary for purchase processing and invoicing, unless legal or contractual storage periods prevent your data from being deleted.

13.7.5 Possibility of removal by the person concerned

Data processing is absolutely necessary in order to be able to process your payment via PayPal, which is why it cannot be waived if you have chosen this payment method. There is therefore no possibility of elimination.

14 social media appearances

14.1 Responsible for social media together with us

We operate the following social media presences:

Facebook: https://www.facebook.com/freundedernationalgalerie/

Instagram: https://www.instagram.com/freundedernationalgalerie/

LinkedIn: https://de.linkedin.com/company/freunde-der-nationalgalerie-ev

YouTube: https://www.youtube.com/c/freundedernationalgalerie

We use the services of

• Meta Platforms Inc., 1 Hacker Way, Menlo Park, CA 94025, USA or Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“ Facebook ”)
• Meta Platforms Inc., 1 Hacker Way, Menlo Park, CA 94025, USA or Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“ Instagram ”)
• LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Ireland or LinkedIn Corporation, 1000 W. Maude Ave., Sunnyvale, California 94085, USA (“ LinkedIn ”)
• YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“ YouTube ”) represented by: Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA,

Data processing within the European Economic Area and Switzerland is carried out by: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“ Google ”)

back.

Due to the ruling of the European Court of Justice of June 5, 2018 (available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=202543&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1&cid=298398 ), operators of social media sites and the operators of the social media themselves are considered jointly responsible for data processing.

We would like to point out that you use our social media presence and its functions on your own responsibility. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating). Alternatively, you can also access the information we provide on social media on our own website.

14.2 Data Protection Officer

You can reach the data protection officers of the respective social media via the respective social media.

the data protection officer of Facebook and Instagram using the following linked contact form: https://www.facebook.com/help/contact/540977946302970

LinkedIn's data protection officer via the following linked contact form: https://www.linkedin.com/help/linkedin/ask/TSO-DPO

the data protection officer of Google and YouTube using the following linked contact form: https://twitter.ethicspointvp.com/custom/twitter/forms/data/form_data.asp

14.3 Data processed by social media

When you visit our social media sites, the social media operators collect, among other things, your IP address and other information that is available on your PC in the form of cookies. This information is used to provide us, as the website operator, with statistical information about the use of the site. The data collected about you in this context will be processed by the social media operators and, if necessary, transferred to countries outside the European Union. What information the operator of the respective social network receives and how it is used is described in the data protection declarations of the respective social networks. There you will also find information about contact options.

You can find more information about this under the following links:

• Facebook:
  • https://de-de.facebook.com/help/pages/insights
  • https://de-de.facebook.com/about/privacy
  • https://de-de.facebook.com/full_data_use_policy
• Google and YouTube:
  • https://www.google.de/intl/de/policies/privacy/
• Instagram:
  • https://help.instagram.com/155833707900388
  • https://www.instagram.com/about/legal/privacy/
• LinkedIn:
  • https://www.linkedin.com/legal/privacy-policy

How the social media operators use data from visits to our social media presence for their own purposes and to what extent activities

the social media appearances are assigned to individual users, how long the operators store this data and whether data from a visit to the social media appearances is passed on to third parties is not conclusively and clearly stated by the social media operators and is not known to us .

When you access our social media presence, the IP address assigned to your device is transmitted to the operator of the respective social network. The social networks also store information about users’ devices (e.g. as part of the “login notification” function); This may allow social media operators to assign IP addresses to individual users.

If you as a user are currently logged in to the respective social network, there is a cookie on your device with your individual identifier in this social network. This allows the operator of the social network to see that you have visited a particular page and how you used it. This data can be used to tailor content or advertising to your previous website visits.

If you want to avoid this, you should log out of the respective social network or deactivate the "stay logged in" function, delete the cookies on your device and close and restart your browser. In this way, registration information that can be used to directly identify you will be deleted. This allows you to use our social media presence without your user ID being revealed. When you access interactive functions of the site (like, comment, share, news, etc.), a login screen appears. After you have logged in, you will again be recognizable as a specific user for the social network you are using.

For information on how to manage or delete existing information within the social network, please visit the social network support pages listed above.

14.4 Data we process

14.4.1 Type and scope of data processing

The data you enter on social networks, in particular your user name and the content published under your account, will be processed by us in order to respond to your messages if necessary. In addition, your published posts, ratings and comments refer to your account in the respective social network. If you mention us using an @ or # or similar, this mention may be published on our site under your username. The data you freely publish and distribute on the respective social network may be included by us in our offer and made available to other users of the respective social network. If you mark our presence on social media with “Like” or “Follow” or a similar interaction, the respective social network will inform us of this with your user name and link to your account.

As an information service provider, we do not collect or process any data from your use of our social media presence.

14.4.2 Legal basis for processing

Data processing on our part is based on Art. 6 Paragraph 1 Sentence 1 Letter f) GDPR. Our legitimate interest arises from the advertising function of social media. We use this to increase the awareness of our company.

14.4.3 Purpose of processing

The data you provide in this context and which may be accessible to us (e.g. user name, images, interests if applicable, contact details) will be processed by us exclusively for the purpose of communicating with customers and interested parties. Our legitimate interest is to offer you a platform on which we can show you current information and with the help of which you can address your request to us and we can respond to your request as quickly as possible.

14.4.4 Duration of storage

As far as we can, your data will be deleted when our social media presence is discontinued.

15 Data transfer to a third country

In order for us to be able to provide our services, we rely on the support of service providers from Europe and third countries. In order to ensure the protection of your personal data even in the event of data transfer to a third country, we conclude special order processing contracts with each of the carefully selected service providers. All service providers we use have sufficient evidence that they ensure data security through appropriate technical and organizational measures. Our service providers from third countries are either located in countries that have an adequate level of data protection recognized by the EU Commission (Article 45 GDPR) or have provided appropriate guarantees (Article 46 GDPR).

Adequate level of protection: The provider comes from a country whose adequate level of data protection has been recognized by the EU Commission. Further information can be found at: Adequacy decisions (europa.eu)

EU standard contractual clauses: Our provider has submitted to the EU standard contractual clauses to ensure secure data transfer. Further information can be found at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en

Binding Corporate Rules: Article 47 of the GDPR provides for the possibility of ensuring data protection when data is transferred to a third country via binding internal data protection regulations. These are checked and approved by the responsible supervisory authorities as part of the consistency procedure in accordance with Art. 63 GDPR.

Consent: In addition, data transfer to a third country without an adequate level of protection will only take place if you have given us your consent in accordance with Article 49 Paragraph 1 Letter a) GDPR or if another exception in accordance with Article 49 GDPR is relevant for the data transfer is.

16 Your rights

You have the following rights towards us regarding personal data relating to you:

16.1 Right to revoke consent (see Art. 7 GDPR)

If you have given your consent to the processing of your data, you can revoke this at any time. Such a revocation affects the permissibility of the processing of your personal data in the future after you have expressed it to us. It can be made to us verbally or in writing by post or email.

16.2 Right to information (see Art. 15 GDPR)

In the event of a request for information, you must provide sufficient information about your identity and provide proof that the information is yours. The information concerns the following information:

• the purposes for which the personal data are processed;
• the categories of personal data that are processed;
• the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
• the planned duration of storage of the personal data concerning you or, if specific information is not possible, criteria for determining the storage period;
• the existence of a right to rectification or deletion of personal data concerning you, a right to restrict processing by the controller or a right to object to this processing;
• the existence of a right to lodge a complaint with a supervisory authority;
• all available information about the origin of the data if the personal data is not collected from the data subject;
• the existence of automated decision-making including profiling in accordance with Article 22 Paragraphs 1 and 4 GDPR and - at least in these cases - meaningful information about the logic involved as well as the scope and intended effects of such processing for the data subject.

16.3 Right to correction or deletion (see Articles 16, 17 GDPR

You have the right to rectification and/or completion from us as the controller if the processed personal data relating to you is incorrect or incomplete. The person responsible must make the correction immediately.

You can also request the deletion of personal data concerning you if one of the following reasons applies to you:

• The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
• You revoke your consent on which the processing was based in accordance with Article 6 Paragraph 1 Sentence 1 Letter a) or Article 9 Paragraph 2 Letter a) GDPR and there is no other legal basis for the processing.
• You object to the processing in accordance with Art. 21 Para. 1 GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing in accordance with Art. 21 Para. 2 GDPR.
• Your personal data has been processed unlawfully.
• The deletion of personal data concerning you is necessary to comply with a legal obligation under Union or Member State law to which the controller is subject.
• The personal data concerning you was collected in relation to information society services offered in accordance with Article 8 Para. 1 GDPR.

If we have made the personal data concerning you public and we are obliged to delete it in accordance with Article 17 Paragraph 1 of the GDPR, we will take all reasonable measures to inform other persons responsible for data processing,

that you have requested the deletion of all links to, or copies or replications of, that personal data.

The right to deletion does not exist if the processing is necessary:

• to exercise the right to freedom of expression and information;
• to fulfill a legal obligation requiring processing under Union or Member State law to which the controller is subject, or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the field of public health in accordance with Article 9 Paragraph 2 Letters h and i and Article 9 Paragraph 3 GDPR;
• for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) GDPR, insofar as the above-mentioned law is likely to make the achievement of the objectives of this processing impossible or seriously impair it, or
• to assert, exercise or defend legal claims.

16.4 Right to restriction of processing (see Art. 18 GDPR)

You can request that we restrict the processing of your personal data under the following conditions:

• if you contest the accuracy of your personal data for a period enabling us to verify the accuracy of your personal data;
• the processing is unlawful and you refuse the deletion of the personal data and instead request the restriction of the use of the personal data;
• we no longer need the personal data for the purposes of processing, but you need it to assert, exercise or defend legal claims, or
• if you have objected to the processing in accordance with Article 21 Para. 1 GDPR and it is not yet clear whether our legitimate reasons outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data - apart from its storage - may only be used with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

If the restriction on processing has been restricted in accordance with the above conditions, you will be informed by us before the restriction is lifted.

16.5 Right to information (see Art. 19 GDPR)

If you have asserted your right to correction, deletion or restriction of data processing against us, we are obliged to inform all recipients of your personal data of the correction, deletion or restriction of data processing. This only applies to the extent that this notification does not prove impossible or would involve disproportionate effort.

You have the right to know which recipients have received your data.

16.6 Right to data portability (see Article 20 GDPR)

You have the right to receive your personal data from us in a common, machine-readable format in order to have it forwarded to another person responsible, if necessary

• the processing is based on consent in accordance with Art. 6 Para. 1 Sentence 1 lit. a) GDPR or Art. 9 Para. 2 lit. a) GDPR or on a contract in accordance with Art. 6 Para. 1 Sentence 1 lit. b) GDPR is based and
• the processing takes place using automated procedures.

When exercising your right to data portability, you have the right to have the personal data transmitted directly from us to another person responsible, to the extent that this is technically feasible.

The right to data portability does not apply to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

16.7 Right to object to processing (see Art. 21 GDPR)

If we base the processing of your personal data on our legitimate interest (according to Art. 6 Para. 1 Sentence 1 Letter f) GDPR), you can object to the processing. The same applies if we base data processing on Art. 6 Paragraph 1 Sentence 1 Letter e) GDPR.

If you exercise such an objection, we will ask you to explain the reasons why we should not process your personal data as we do. In the event of your justified objection, we will examine the situation and will either stop or adjust data processing or show you our compelling legitimate reasons on the basis of which we continue processing.

16.8 Right to complain to the responsible supervisory authority (see Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you are of the opinion that the processing of personal data concerning you is contrary to violates the GDPR.

The supervisory authority to which the complaint was submitted will inform you of the status and results of the complaint, including the possibility of a legal remedy in accordance with Art. 78 GDPR.

17 How you exercise these rights

To exercise these rights, please contact our data protection officer:

Kemal Webersohn from WS Data Protection GmbH

freunde-der-nationalgalerie@ws-datenschutz.de

or by post:

WS Data Protection GmbH
Dircksenstrasse 51
D-10178 Berlin

18 Subject to change

We reserve the right to change this data protection declaration in compliance with the legal provisions.

As of May 2024