English Version | Deutsche Version
English Version | Deutsche Version
The data controller as defined in the EU General Data Protection Regulation (hereinafter referred to as “GDPR”), other national data protection legislation of the member states and other data protection rules is:
Am Sandtorpark 14
20457 Hamburg / Deutschland
Tel.: +49 (0)40 325 30833
1) Scope to which personal data is processed
a) Personal data is composed of all data relating to you personally, e.g. your name, address, e-mail address and browsing history.
b) Special categories of personal data as defined in Article 9 of the GDPR include data concerning your racial or ethnic origin, your political opinions, your religious or philosophical beliefs, trade union membership, your health data or data on your sex life or orientation.
c) We process our users’ personal data only to the extent that this is required to provide a fully functioning website and for our content and services. We regularly only collect and process our users’ personal data if we have their consent to do so. This does not apply in cases in which it is not possible to obtain the user’s consent for objective reasons prior to the data being processed and processing of the data is permitted by law.
2) Legal basis for processing personal data
a) Where we request data subjects’ consent to process personal data, we do so on the basis of Article 6 (1) a of the EU General Data Protection Regulation (GDPR).
b) The legal basis for processing personal data which is necessary for the performance of a contract to which the data subject is party is Article 6 (1) b of the GDPR. This also applies to any processing required for the execution of any precontractual activities.
c) If processing is necessary for compliance with a legal obligation to which the data controller is subject, the legal basis for this is Article 6 (1) c of the GDPR.
d) If processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, the legal basis for this is Article 6 (1) d of the GDPR.
e) If processing of personal data is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, the legal basis for this is Article 6 (1) f of the GDPR.
3) Deletion of data and duration of storage
The data subject’s personal data will be deleted or blocked upon the purpose for which it is stored ceasing to apply. Personal data may be stored beyond this period if this is provided for by European or national legislation, in the regulations of the European Union or any other legal stipulations to which the data controller is subject. Data is also blocked or deleted upon the expiry of the archiving period stipulated by any of the statutory provisions referred to above unless continued storage of the data is necessary to enter into or perform a contract.
Whenever you visit our website, our system automatically collects data and information on your computer system.
Specifically, the following data is collected:
The data is also stored in the logfiles created by our system. This does not include the IP address of the user or any other data which can be traced back to the user. This data is not stored together with the user’s other personal data. The legal basis for the temporary storage of the data and the log files is Article 6 (1) f of the GDPR.
It is necessary for the system to temporarily store the IP address to ensure that the content of the website can be transmitted to the user’s device. This requires the user’s IP address to be stored for the duration of the session.
This data is stored in the log files to ensure that the website functions properly. In addition, we use this data to optimize our website and to protect our information technology systems. This data is not evaluated for marketing purposes. These purposes arise from our legitimate interests in processing the data as defined in Article 6 (1) f of the GDPR.
The data is deleted as soon as it is no longer required for the purpose for which it was collected. When the data is collected for the purpose of providing the website, this is the case when the session in question is over.
When the data is stored in log files, this is the case no later than seven days later. The data may be stored beyond this period. In this case, the user’s IP address will be deleted or anonymized to prevent it from being traced back to the visiting client.
The cookies store and transmit the following data:
This website uses only transient cookies, which are deleted automatically when you close your browser. We do not use any cookies on our website permitting an analysis of the user’s browsing history. The legal basis for processing personal data using cookies is Article 6 (1) f of the GDPR.
Our website uses Google Maps. This allows us to display interactive maps directly in our website and to offer you convenient positioning functions. When you visit our website, Google is notified that you have visited the corresponding part of our website. In addition, the data referred to in Section 3 of this privacy statement is transmitted. This is done regardless of whether Google provides a user account via which you are logged in or not. If you are logged onto Google, your data will be directly linked with your account. If you do not want your profile to be linked to your Google account, you must first log out of Google before clicking on the button. Google will store your data as a user profile, which it utilizes for advertising, market research and/or tailored website design. The main purpose of this analysis (which is also performed on users who are not logged on) is to provide customized advertising and to inform other users of social networks of your activities on our website. You have the right to object to the creation of such user profiles. However, this right of objection must be exercised directly against Google.
Further information on the purpose and extent to which data is collected and processed by the plug-in provider can be found in the respective provider’s privacy statements. They will also provide you with further information on your rights and options available to you for protecting your privacy: http://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the United States and has agreed to accept the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
On our website, you are able to subscribe to our free newsletter, which is published a maximum of once a month to inform you of the current exhibitions and events. When you register for the newsletter, the data that you enter in the form will be transmitted to us.
The data which you must enter to receive the newsletter comprises your name and your e-mail address.
We request your consent to process the data for the purposes of the registration process and refer you to this privacy statement.
No data is transferred to third parties in connection with the processing of data for the dispatch of the newsletters. The data is used solely for dispatching the newsletter.
The legal basis for processing the data after registration by the user to receive the newsletter is Article 6 (1) a of the GDPR provided that the user has granted their consent.
The user’s e-mail address is collected so that the newsletter can be delivered. The user’s name is collected to ensure that the correct salutation is used.
Other personal data is collected during the registration process to prevent unauthorized use of the services or the e-mail address used.
The data is deleted as soon as it is no longer required for the purpose for which it was collected. Accordingly, the user’s e-mail address is only stored for as long as the newsletter subscription is active.
Other personal data collected during the registration process is generally deleted after a period of seven days.
The user may cancel the newsletter subscription at any time. For this purpose, each newsletter includes a dedicated link. Alternatively, the user may cancel their subscription by sending an e-mail message to firstname.lastname@example.org or the contact data stated in the legal notice.
In doing so, the user will also cancel their consent to the storage of their personal data during the registration process.
Some parts of our website contain a contact form which may be used for establishing contact with us electronically. If the user utilizes this possibility, the data entered in the form will be transmitted to us and stored.
This data comprises:
In addition, the following data is stored upon the message being transmitted:
We request your consent to process the data for the purposes of this transmission process and refer you to this privacy statement.
Alternatively, you can contact us by writing to us at the e-mail address stated for this purpose. In this case, the user’s personal data transmitted with the e-mail message will be stored.
No data will be transferred to any third parties in this connection. The data will be used solely for processing the conversation.
The legal basis for processing the data is Article 6 (1) a of the GDPR provided that the user has granted their consent. The legal basis for processing the data which is transmitted in an e-mail message is Article 6 (1) f of the GDPR. If the purpose of the e-mail contact is to enter into a contract, the legal basis for processing the data is additionally also Article 6 (1) b of the GDPR.
The personal data collected from the form is used solely to process the contact with us. If contact is established by e-mail, this also constitutes the necessary legitimate interest in processing the data.
The purpose of the other personal data processed during the transmission process is to prevent any misuse of the contact form and to protect our information technology systems.
The data is deleted as soon as it is no longer required for the purpose for which it has been collected. This is the case with respect to personal data collected from the contact form and sent to us by e-mail when the conversation with the user has been concluded. The conversation is deemed to have been concluded if in the light of the prevailing circumstances the matter in question can be assumed to have been settled conclusively.
Other personal data collected during the transmission process is generally deleted after a period of seven days.
The following list sets out your rights as a data subject under the GDPR. If your personal data is processed, you are deemed to be a data subject as defined in the GDPR, which means that you have the following rights against the data controller:
1) Right to request information under Article 15 of the GDPR
You can ask the data controller for confirmation whether we are processing your personal data. If your personal data is being processed, you can request the following information from the data controller:
a) the purposes for which the personal data is being collected;
b) the categories of personal data that are being processed;
c) the recipients or categories of recipients to whom you have disclosed or will be disclosing the personal data;
d) the planned duration for which your personal data is to be stored or, if this cannot be specifically stated, the criteria applied for determining such duration;
e) the existence of a right to have your personal data rectified or erased, the right to restrict processing of your personal data by the data controller and the right to object to processing of your personal data by the data controller;
f) the existence of the right to submit a complaint with a supervisory authority;
g) all available information on the origin of the data if the personal data is not collected from the data subject;
h) the existence of automated individual decision-making including profiling as defined in Article 22 (1) and (4) of the GDPR and – at least in these cases – meaningful information on the logic involved, the scope and the planned effects of such processing for the data subject.
You have the right to request information on whether your personal data is transmitted to a third country or an individual organization. In this connection, you may be asked to be informed of the appropriate guarantees as defined in Article 46 of the GDPR in connection with the transmission of personal data.
2) Right to rectification in accordance with Article 16 of the GDPR
You have the right to ask the data controller to rectify and/or complete the personal data which it processes if it is incorrect or incomplete. The data controller must make such rectification immediately.
3) Right to restriction of processing in accordance with Article 18 of the GDPR
You may ask the data controller to restrict the processing of your personal data in the following circumstances:
a) if you contest the accuracy of the personal data for a period enabling the data controller to verify the accuracy of the personal data;
b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
c) the data controller no longer needs the personal data for the purposes of the processing but you require the personal data for the establishment, exercise or defense of legal claims, or
d) you have objected to the processing in accordance with Article 21 (1) of the GDPR pending verification whether the controller’s legitimate grounds override your own.
If the processing of your personal data has been restricted, the personal data may – with the exception of storage – only be processed with your consent or in order to establish, exercise or defend legal claims or to protect the rights of another natural or legal persons or for reasons of important public interest of the Union or of a member state.
If the processing of your personal data has been restricted in any of the above circumstances, the data controller will notify you before the restriction of processing is lifted.
4) Right to erasure in accordance with Article 17 of the GDPR
a) Duty of erasuret
You can ask the data controller to erase your personal data without undue delay, upon which the data controller will be under a duty to erase the personal data without undue delay where one of the following grounds apply:
b) Notification of third parties
If the data controller has disclosed your personal data publicly and is under a duty in accordance with Article 17 (1) of the GDPR to erase this data, the data controller, taking account of the available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform data controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, that personal data.
The right of erasure does not apply to the extent that processing is necessary
5) Right of notification in accordance with Article 19 of the GDPR
If you have asserted a right against the data controller to have your personal data rectified or erased or to restrict the processing of your personal data, it must notify all recipients to whom the personal data has been disclosed of such rectification, erasure or restriction unless this proves impossible or involves disproportionate effort.
The data controller must inform you of these recipients if you request this.
6) Right to data portability in accordance with Article 20 of the GDPR
You have the right to receive the personal data which you have provided to a controller, in a structured, commonly used and machine-readable format. In addition, you have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided where
In exercising this right, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This right may not adversely affect the rights and freedoms of others. The right to data portability does not apply to the processing of personal data that is required for the performance of a task in the public interest or in the exercise of official authority vested in the data controller.
7) Right to object in accordance with Article 21 of the GDPR
You may cancel at any time consent that you have previously given to the processing of your data. The cancellation of consent will not prejudice the lawfulness of the processing up until the data of such cancellation.
If we process your personal data on the basis of a our overriding legitimate interests as defined in Article 6 (1) f of the GDPR, you may object to the processing. This is the case if, in particular, processing is not required to perform a contract with you, something which will be disclosed to you in the description of the specific function. When you exercise this right of objection, please inform us of the reasons why you do not want us to process your personal data. In the event of a justified objection, we will cease to process your personal data unless we can prove that we have a legitimate interest in processing the data that overrides your interests, rights and freedom or it is necessary for us to process the data in order to establish, exercise or defend legal claims.
Needless to say, you may object at any time to the processing of your personal data for advertising or data analytics purposes. In this case, we will refrain from processing your personal data for such purposes.
You can send your objection to email@example.com or the contact data disclosed in our legal notice.
8) Right to lodge a complaint with a supervisory authority in accordance with Article 77 of the GDPR
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement if you think that the processing of your personal data breaches the GDPR. The supervisory authority with which the complaint has been lodged will inform the complainant of the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.
This privacy statement was last amended in May 2018.
However, it may be necessary to amend it to reflect the further development of our website or changes to statutory or regulatory requirements. The current version of our privacy statement may be inspected and printed out at our website on http://www.glassart.de/contact/privacy-en/ at any time.