We take the protection of your privacy when using our website very seriously. Compliance with legal regulations regarding data protection is a matter of course to us. We only process personal data in accordance with legal provisions and hereby inform you in the following data protection statement.
I. Controller and data protection officer
The controller as defined by the GDPR and other national data protection regulations of the member states as well as other data protection provisions is:
Zentrum für Mittelalterausstellungen e.V.
39104 Magdeburg, Germany
Telephone: +49 391 540 35 80
Fax: + 49 391 540 35 10
II. Visiting our website
We restrict the processing of personal data during visits to our website to a minimum from the outset. We neither use tools to analyse user behaviour nor did we integrate any social media plugins.
1. Log files
Every access to and recall of a file from our website will cause the browser of your end device to automatically transfer information to the server of our website where it will be temporary stored in a log file until it is automatically deleted. Specifically, this information includes the following details:
- Date and time of page request
- Website from which the page was accessed (referrer URL)
- IP address of the requesting end device
- Client software of the requesting computer, generally meaning type and version of the browser used, desired access method/function, type and version of the operating system of your end device
- Name of your access provider
- Access status of the server (such as file transferred, file not found, command not executed), name and URL of the requested file
- Volume of transmitted data
- Possibly transmitted input value (such as search terms you entered)
These data are not combined with data known to us from other sources and are not used to draw conclusions about your person.
Instead, the data are only stored to guarantee seamless connection and provide data security (for example to detect and track spam, viruses or any other attacks of our servers and to analyse system security and stability).
These purposes represent our legitimate interest in data processing for which Art. 6 Para. 1 lit. f GDPR serves as legal basis.
The data are deleted after they are no longer required for the aforementioned purposes, at the latest automatically after 3 days.
A cookie is a small text file automatically created by your browser and stored on your end device. It contains a character sequence which enables a clear identification of your browser when accessing our website and/or the third-party offer again. However, neither we nor the third-party provider receive immediate details regarding your identity.
3. Google Maps
We have integrated Google Maps to our website via an API. That way, we can present you with interactive maps and make additional functions available to you, such as creating directions. The use of Google Maps is based on Art. 6 Para. 1 Clause 1 lit. f GDPR.
You first must manually activate Google Maps before using our website to protect your privacy. Until you do so, no user data will be transmitted. Your voluntary activation is saved in a cookie for a period of one year, so that you will not have consent every time you visit our website. You may decide on this yourself any time as described in Section II. 2.
After activating and when using Google Maps on our website, Google will receive the information that you have accessed the corresponding subpage on our website. In addition, the data specified in Section II. 1. of this declaration are transmitted. Such data are transferred regardless of whether you are logged into a Google account or not. If you are indeed logged into your Google account, such data will be directly matched to your account. If you object to such a reference to your profile with Google, please log out of Google Maps through Google before activating the corresponding button. Google stores your data in the form of profiles, using them for the purposes of marketing, market research and/or customized website design. Such an analysis is especially made (also for users who are not logged in) to present customized advertisements and inform other Google users of your activities on our website. You have the right to object against the creation of such user profiles. To do so, you will have to contact Google directly.
Google processes your personal data in the United States as well and has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
4. Individual communication
You can contact us using the e-mail addresses provided on our website. When you do so, we will save the data you share with us (your e-mail address, possibly your name, other contact as well as any additional information you provided voluntarily) in order to be able to process your request. You can also use our contact data for scientific expert communication.
Data processing for the purposes of contacting us as well for scientific expert communication is defined by Art. 6 Para. 1 Clause 1 lit. a GDPR based on your consent provided voluntarily by sending an e-mail. The same applies for any queries, information and contributions communicated in this manner which are part of scientific expert communication.
We save personal data collected in the context of a general request as long as they are required to process the request. In case of request or a contribution in the context of scientific expert communication, data will be stored until your consent has been withdrawn or you object to such data storage.
III. Data transfers to third parties
We only transfer your personal data to third parties if you have provided an explicit declaration of consent as per Art. 6 Para. 1 Clause 1 lit. a GDPR or if you have intimated that you agree with the data transfer (for example through your request for transfer), if such a data transfer is required for fulfilling the agreement concluded with your or for the implementation of pre-contractual measures as a response to your request as per Art. 6 Para. 1 Clause 1 lit. b GDPR, if there is a legal obligation of transferring such data as per Art. 6 Para. 1 Clause 1 lit. c GDRP and if the transfer is required for the assertion, exercise or defence against legal claims as per Art. 6 Para. 1 Clause 1 lit. f GDPR and there is no reason to assume that you have an overriding protective interest in not transferring such data to third parties.
Your data are not transferred to third parties for any other purposes.
IV. Data security
Insofar as we process personal data, such data are subject to strict regulations of data security. We guarantee this through the implementation of technical and organisational measures. For example, we use SSL encryption on our website.
V. Your rights
As the data subject, you have the following rights according to the GDPR:
1. Right of access
You may request confirmation whether we process your personal data. If the data are indeed being processed, you may request the following information:
(1) purposes for which the personal data are being processed;
(2) categories of personal data being processed;
(3) recipients or categories of recipients to whom the relevant personal data was disclosed or is to be disclosed;
(4) planned duration of storage of the personal data or, if it is not possible to provide specific information, criteria for determining the storage duration;
(5) existence of the right to rectification or deletion of your personal data, the right to restrict processing of the data by the controller or the right to object against such processing;
(6) existence of the right to lodge a complaint with a supervisory authority;
(7) all available information about the origin of the data if the personal data were not collected from the data subject directly;
(8) automated decision-finding including profiling as per Art. 22 Para. 1 and 4 GDPR and – in most cases – significant information about the logic involved as well as the importance and the anticipated consequences of such processing for the data subject.
You have the right to request information about the fact whether your personal data are being transferred to a third country or to an international organization. You may request to be informed about appropriate safeguards as per Art. 46 GDPR.
2. Right to rectification
You have a right to rectification and/or completion if the personal data we process are incomplete or incorrect. We will implement such rectifications immediately.
3. Right to restriction of processing
You may request a restriction of processing of your personal data under the following conditions:
(1) if you contest the accuracy of the personal data for a period enabling us to verify the accuracy of the personal data;
(2) if the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) if we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims, or
(4) if you have objected to processing pursuant to Article 21 Para. 1 GDPR pending the verification whether our legitimate grounds override your grounds.
Where processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If the processing has been restricted as specified by the above requirements, you shall be informed by us before the restriction of processing is lifted.
4. Right to erasure
a) Erasure obligations
You have the right to demand from us the erasure of your personal data without undue delay and we shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(1) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(2) You withdraw consent on which the processing is based according to Art. 6 Para. 1 lit. a or Art. 9 Para. 2 lit. a GDPR, and where there is no other legal ground for the processing.
(3) You object to the processing pursuant to Art. 21 Para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 Para. 2 GDPR.
(4) The personal data have been unlawfully processed.
(5) The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(6) The personal data have been collected in relation to the offer of information society services referred to in Art. 8 Para. 1 GDPR.
b) Information to third parties
Where we have made the personal data public and are obliged pursuant to Art. 17 Para. 1 GDPR to erase the personal data, we, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that you as the data subject have requested the erasure by us of any links to, or copy or replication of, the personal data.
The right to erasure shall not apply to the extent that processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 Para. 2 lit. h and Art. 9 Para. 3 GDPR
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art, 89 Para. GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
(5) for the establishment, exercise or defence of legal claims.
5. Right to information
If you have asserted the right to rectification, erasure or restriction of the processing towards us, we shall be obligated to inform all recipients to whom the personal data was provided of this correction or erasure of the data or the restriction of processing, unless it is impossible or associated with unreasonable efforts. You have the right towards us to be informed about such recipients.
6. Right to data portability
You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit these data to another controller without hindrance from us where:
(1) the processing is based on consent pursuant to Art. 6 Para. 1 lit. a (a) GDPR or Art. 9 Para. 2 lit. a GDPR or on a contract pursuant to Art. 6 Para. 1 lit. b GDPR, and
(2) the processing is carried out by automated means.
In exercising this right to data portability, you shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others. The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on Art. 6 Para. 1 lit. e or f GDPR, including profiling based on those provisions.
We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of your personal data for such marketing purposes, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to withdraw the data protection consent declaration
You have the right to withdraw your data protection consent declaration at any time. Withdrawal of the consent shall not affect the processing carried out until the withdrawal of the consent.
If you would like to assert your right to withdrawal or objection as per Section 7, an e-mail to firstname.lastname@example.org will be sufficient. Naturally, you can also submit your declaration through other means (for example by telephone or in writing).
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects for you or similarly significantly affects you. This shall not apply if the decision
(1) is necessary for entering into, or performance of, a contract between yourself and the controller
(2) is authorized by Union or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
(3) is based on your explicit consent.
Decisions referred to in Art. 9 Para. 2 lit. a or g GDPR shall not be based on special categories of personal data referred to in Art. 9 Para. 2 lit. a unless Art. 9 Para. 2 lit. a or g GDPR apply and suitable measures to safeguard your rights and freedoms and legitimate interests are in place. In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority if you are of the opinion that the processing your personal data violates the GDPR. The supervisory authority with which the complaint has been lodged shall inform you on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
The supervisory authority for Saxony-Anhalt is:
State Representative for Data Protection Saxony-Anhalt, Leiterstrasse 9, 39104 Magdeburg, Germany, PO Box 1947, 39009 Magdeburg, Germany.
Version: 13 December 2018