State Palaces and Gardens of Baden-Wuerttemberg
Staatliche Schlösser und Gärten Baden-Württemberg

Data privacy notice

The following provides information on what personal data we process, for what purpose, on what basis and for what duration:

Overview / table of contents

Our data privacy notice includes the following information:

Our contact data and general information on data processing by us

Name and contact data of the data controller

The data controller as defined by data protection legislation, with responsibility for the collection and use of personal data, is

Staatliche Schlösser und Gärten
Baden-Württemberg – Headquarters
Schlossraum 22 a
76646 Bruchsal
Germany

Represented by Managing Director Michael Hörrmann and Uwe Weinreuter

+49 (0) 72 51.74 -27 00 (Michael Hörrmann)
+49 (0) 72 51.74 -27 10 (Uwe Weinreuter)
+49 (0) 72 51.74 -27 11
info@ssg.bwl.de
http://www.schloesser-und-gaerten.de

Further information on our organisation is available from our website masthead (Impressum) at http://www.schloesser-und-gaerten.de/en/about-us/masthead/.

Contact data for the data controller’s data protection officer

You can contact our data protection officer as follows:

Mr Martin Filip
Data Protection Officer
Vermögen und Bau Baden-Württemberg
Rotebühlplatz 30
70173 Stuttgart
Germany


datenschutz@vbv.bwl.de

Lawful basis for processing personal data

The following applies to the processing of personal data by us:

  • Insofar as we obtain your consent for processing your personal data, the lawful basis is Article 6 (1) a) EU General Data Protection Regulation (GDPR).
  • Where the processing of personal data is necessary for the performance of a contract with you, the lawful basis is Article 6 (1) b) GDPR. This also applies to processing for the performance of pre-contractual tasks.
  • Where processing personal data is for compliance with a statutory obligation to which we are subject, the lawful basis is Article 6 (1) c) GDPR.
  • If it should be necessary to process your personal data to safeguard your vital interest or those of another natural person, the lawful basis is Article 6(1) d) GDPR.
  • If the processing of personal data is in order to safeguard the legitimate interests of ourselves or a third party, and these are not overridden by your interests, fundamental rights or freedoms, the lawful basis is Article 6 (1) f) GDPR.

Data erasure and storage period

Generally, personal data is erased or blocked by us when the purpose for which they were stored no longer applies. Data can be retained for a longer period in accordance with European Union or national legislation or regulations to which the controller is subject. Data can also be erased or blocked upon expiration of a retention period specified by the above legislation or regulations, unless continued retention of the data is necessary for the conclusion or performance of a contract.

 

This means:
If we process your personal data on the basis of consent to data processing (Article 6 (1) a) General Data Protection Regulation, GDPR), then processing ceases when you withdraw such consent unless there is a further lawful reason for processing the data, which is the case if, at the time consent is withdrawn, we are entitled to process the data in order to perform the contract or if data processing is necessary to safeguard our legitimate interests (see below).

 

If, under exceptional circumstances, we should process personal data on account of our legitimate interests (Article 6 (1) f) GDPR) after having given the matter due consideration, then we store such data until our legitimate interest no longer applies, due consideration leads us to a different conclusion, or you have lodged a valid complaint according to Article 21 GDPR (see the information on your right to object in the box under “Rights of the Data Subject”).

 

Insofar as we are processing data for contract performance we store the data until the contract is fully performed and it is no longer possible to bring claims arising from the contract, i.e., all claims have expired under statute. According to Section 195 German Civil Code (BGB), expiration is generally after three years. However, certain types of claim, such as claims for damages, expire after 30 years (see Section 197 BGB). If we have legitimate reason, in a given case, to assume that this is relevant, we retain personal data for this period of time. The expirations under statute mentioned above commence at the end of the year (i.e. on 31 December) in which the claim arose and the creditor became aware of the circumstances giving rise to the claim and of the identity of the debtor, or should have become aware of them if not acting with gross negligence.

 

We are also subject to statutory data retention obligations for tax and accounting purposes. These include the obligation to retain certain types of data, which can include personal data, as accounting records for a period of six to ten years. These retention periods take precedence over the erasure obligations described above. Retention periods also commence at the end of the respective year, i.e. on 31 December.  

Source of personal data

The personal data processed by us are primarily from the data subject themselves, for instance, where the subject

  • As a user of our website, transfers information such as their IP address via their web browser and their device (such as a PC, smartphone, tablet or notebook) to our web server,
  • As a potential customer, requests information or a proposal for services from us,
  • As a customer, places a booking or order with us, and/or concludes a contract with us,
  • As a press/media representative, requests information material, a press release, a statement or similar,
  • As a supplier, provides goods, services or similar to us in agreement with us.

    Personal data processed by us can only come from third parties in highly exceptional circumstances, for example where a person is acting on behalf of a third party.

    Concrete categories, purposes and lawful basis of personal data processing

    We process the following categories of personal data:

    • Users of our website,
    • Potential customers,
    • Press/media representatives,
    • Customers, and
    • Suppliers

     

    Depending on the category of data, we process personal data for the following purposes on the lawful basis of the sections of the General Data Protection Regulation (GDPR) cited in each case:

     

    User data: Data on users of our website are collected and processed by us without reference to the person. We are unable to identify a specific person by means of these data. The IP address is only processed in anonymised form. Insofar as we in exceptional cases do process personal data, this is performed to safeguard our legitimate interests on the lawful basis of Article 6 (1) f) GDPR. In this context, our legitimate interests are the security and integrity of our website (in particular, without limitation, the identification of faults and errors, and the investigation of unauthorised access), marketing and statistical analysis (to improve our website, and our products and services). After due consideration, we have concluded that data processing is necessary to safeguard our legitimate interests as given above, and these are not overridden by your interests, fundamental rights or freedoms that would require the protection of personal data.

     

    Data of potential customers/representatives of the press/media: Insofar as we process data of potential customers of our products and services, or of press/media representatives, this is only performed where you have entered these data in an entry field or via email and send them to us with the purpose of submitting an inquiry. These data have been provided voluntarily by you. We subsequently process these data exclusively in order to fulfil your inquiry. These voluntarily submitted data are processed by us in order to provide information on our products or services within the scope of pre-contractual tasks in accordance with Article 6 (1) b) GDPR and/or on the basis of consent given by submitting your inquiry/data in accordance with Article 6 (1) a) GDPR.

     

    Customer data: We process customer data with the purpose of contract performance in accordance with Article 6 (1) b) GDPR and/or on the basis of consent given in accordance with Article 6 (1) a) GDPR. This also applies to processing necessary to perform pre-contractual tasks (e.g. within the scope of drafting and negotiating quotations/proposals).

     

    Supplier data/business partner data: We process supplier/business partner data with the purpose of contract performance in accordance with Article 6 (1) b) GDPR and/or on the basis of consent given in accordance with Article 6 (1) a) GDPR. This also applies to processing necessary to perform pre-contractual tasks (e.g. within the scope of drafting and negotiating quotations/proposals).

    Recipients/categories of recipients of personal data

    Your personal data are only made available to third parties where this is necessary for contract performance (e.g. to fulfil an order) or executing a financial transaction (e.g. to complete a payment transaction to purchase goods or services), where there is legitimate interest in transferring/submitting such data and these are not overridden by your interests, fundamental rights or freedoms, or you have duly given your valid consent.

    Recipient categories may include:

    • Service providers (publishers, printers, event organisers and similar)
    • Couriers/freight forwarders, suppliers
    • Payment service providers, banks

    Data processing for newsletter distribution

    It is possible to subscribe to a free newsletter via our website or by submitting a request to us. The data submitted via the entry screen/fields are transferred to us. These data comprise

    • Form of address (Mr/Ms etc.), given name, surname and
    • Email address.

    Moreover, the following data are collected when you register for the newsletter subscription:

    • The user’s IP address and
    • The date and time of registration.


    This serves to prevent a misuse of the service or of the data subject’s email address.

    Registration for the newsletter subscription is by means of a double opt-in process. In other words, once you have initially registered, you receive an email which requests that you confirm your registration. This confirmation is necessary to ensure no one can register using someone else’s email address.

    Within the scope of the registration process, we receive your consent for data processing and draw your attention to this data privacy notice.

    Your data are not made available to any third party. The only exception is where there is a statutory requirement to do so. The data are only used for distribution of the newsletter.

     

    Purpose of data processing: The collection and processing the user’s email address serves the purpose of delivering the newsletter. We use the email address for marketing/advertising purposes. The collection of personal data during the registration serves to prevent the misuse of the service or of the data subject’s email address.

     

    Lawful basis for data processing: The lawful basis for processing data collected during user registration for the newsletter is, where the user has given consent, Article 6 (1 ) a) GDPR.
    The other data collected during user registration are processed on account of our legitimate interests in accordance with Article 6 (1) f) GDPR. Our legitimate interests are in this instance the prevention of a misuse of our services, of our web server or of the email address.

     

    Storage period: The data are erased as soon as they are no longer required for the purpose for which they were collected. The user’s email address is stored for at least as long as the newsletter subscription is active. We are permitted to store email addresses of users who have unsubscribed for up to three years on account of our legitimate interests before their erasure for the newsletter in order to document that consent was originally given. The processing of these data is confined to the purpose of providing a defence against any claims that might be brought against us. The data subject may submit a request for their data to be erased insofar as they simultaneously confirm that their consent was originally given.
    Other personal data collected during registration is generally erased after seven days.

     

    Objection and prevention: The user can, at any time, unsubscribe from the newsletter free of charge and by the simple expression of such by suitable means. To this end, a corresponding link is provided in each newsletter. This link also enables the user to withdraw their consent to the storage of personal data collected during registration.

    Scope of personal data processing via our website

    We only collect and use personal data of website users where this necessary to the provisioning of an operational website and for the provisioning of content, products and services. Personal data is generally only collected and used following receipt of the user’s consent. An exception is where it is not possible to gain prior consent due to reasons of fact, and/or where data processing is permitted by law.

    Provisioning of website and generation of log files

    For technical reasons, our system automatically collects certain data and information whenever our website is accessed. This information and data are stored in server log files. The information concerned is as follows:

    • Date and time of access,
    • URL (address) of the referring website,
    • Pages on our website accessed by the user’s system,
    • The user’s screen resolution,
    • File(s) accessed and a report on the success of such access,
    • Volume of transmitted data,
    • The user’s Internet service provider,
    • Browser, browser type and browser version, browser engine and engine version,
    • Operating system, operating system version, operating system type, and
    • The user’s anonymised IP address and the user’s Internet service provider.

     

    These data are processed separately from other data. These data are not processed together with other personal data of the user. We are not able to identify a specific person by means of these data.

     

    Purpose of data processing: The system is required to temporarily process data in order to deliver the content of our website to the user’s device. This requires the user’s IP address to be stored for the duration of the session. Storage of data in log files is in order to ensure the correct operation of our website. Moreover, they help us to improve our products and services, and our website, and to safeguard the security of IT systems. These data are not used or analysed for marketing/advertising purposes.

     

    Lawful basis for data processing: The lawful basis for storing the data and log files is Article 6 (1) f) GDPR. Our legitimate interest in data processing is the purposes given above.

     

    Storage period: The data are erased as soon as they are no longer required for the purpose for which they were collected. In the case of data collected for the provision of the website this is when the session ends. In the case of data stored in log files this is generally at the latest after seven days. It is possible that data may be stored beyond this period. In this instance, the user’s IP address is erased or anonymised so that it is no longer possible to identify the client device.

     

    Objection and prevention: The collection of data for the provision of the website and the storage of data in log files is essential to the operation of the website. The user therefore has no right to object. The user can however cease to use the website at any time and therefore prevent the further collection of the data described above.

    Making contact via contact form, email, fax and phone

    Our website includes contact forms that can be used to contact us by electronic means with regard to a variety of areas and topics. If you make use of a contact form, then the data entered into the corresponding fields are transmitted to us and stored.

    These data are:

    • Form of address (Mr/Ms, etc.), given name, surname, email, your inquiry (required fields)
    • Title, street, house number, post code, city (optional fields)

    Upon submitting your message, the following data are also collected:

    • User’s IP address,
    • Date and time of submission.

    Data are transmitted in encrypted form by means of SSL.

    Upon submitting your message, we obtain your consent for data processing and we also draw attention to our legitimate interest in data processing. You are also again informed of the nature of such data processing and we make reference to this data privacy notice.

    Alternatively, you can contact us by means of the email address, fax number or telephone number provided. In this instance, we collect and store the personal data provided to us by such email, fax or phone.

     

    No data are provided to third parties. The data are used exclusively for the purposes of the communication/conversation initiated in this way.

     

    Purpose of data processing: The processing of personal data from entry fields/screens, and provided via email, fax or phone, is for the purpose of processing your initial contact and processing your inquiry/request, where provided via registration for an event for the purpose of managing registrations and organising this event. We require your email address, fax number or phone number or postal address in order to be able to answer. This is therefore our legitimate interest for processing the data. Other personal data processed upon submission are employed to prevent misuse of our contact form and to safeguard the security of our IT systems.

     

    Lawful basis for data processing: The lawful basis for data processing is consent in accordance with Article 6 (1) a) GDPR and our legitimate interest in data processing in accordance with Article 6 (1) f) GDPR. If the goal of the contact or inquiry is to conclude a contract then the lawful basis for data processing is Article 6 (1) b) GDPR (performance of pre-contractual tasks).

     

    Storage period: The data are erased as soon as they are no longer required for the purpose for which they were collected. For personal data entered via the fields of a contact form and the data submitted to us via email, this is when the conversation is concluded. The conversation is deemed to have been concluded where it can be inferred from the circumstances that the issue in question has been fully resolved. Other personal data collected upon submission process are erased after seven days at the latest.

     

    Fax data are stored separately from print data in the memory of the fax device. Once the fax has been printed, the space used within the device’s memory is made available to allow receipt and storage of any subsequent fax. Parts of the printed fax may continue to reside temporarily in the fax device’s memory until they are overwritten by a subsequent fax. Typically, this means automatic erasure of data within one to two weeks.
    When we receive or make a phone call, your telephone number and/or the name/company name stored by your telephone service provider and the date and time of the call are stored within our telephone system in a circular buffer, until the oldest data are overwritten by the most recent. Typically, this means that data in the telephone system are automatically erased at the latest after three months.

     

    Objection and prevention: You may at any time withdraw your consent to the processing of your personal data or object to continued data processing on account of your legitimate interest (see the information on your right to object in the box under "Rights of the Data Subject). In this instance, the conversation cannot be continued.

    Use of cookies

    Our website uses cookies. Cookies are small text files that are stored on your device. A cookie may be stored by your browser when you access one of our websites. This cookie contains a string of characters that enables us to clearly identify your browser whenever you return to our website.

     

    On principle, we only use cookies that are technically necessary and thus essential for the use of our website. These cookies, and any possible associated processing of personal data (e.g., your IP address), are contained exclusively on our own web servers.

     

    Only in exceptional cases may cookies be used by third-party providers. Our data privacy statement shall address each potential case separately in the sections relating to the respective third-party tools.

     

    Purpose of data processing: Technically necessary cookies are used to simplify the use of websites for their users. Some functions of our internet site cannot be provided without the use of cookies. This functionality requires that the user's browser be recognized after navigating to a new page. The user data collected by technically necessary cookies is not used to create user profiles.

     

    Legal basis for data processing: The legal basis for the processing of personal data via technically necessary cookies is Article 6(1)(f) of the GDPR (General Data Protection Regulation), i.e., legitimate interests. Our legitimate interest is based on the fact that, without the use of such cookies, providing our internet services would be impossible, or at least not possible in their current form. Our assessment has revealed that our legitimate interests are, at the very least, not outweighed by your interests (or basic rights or fundamental freedoms) demanding the protection of personal data.

     

    Duration of storage: Some of the cookies we use are deleted at the end of the browser session, i.e., after you close your browser (session cookies). Other cookies remain on your end device and enable us to recognize your browser during subsequent visits (persistent cookies).

     

    Otherwise, we store data collected on the basis of our legitimate interests until those legitimate interests no longer exist, the assessment of legitimate interest yields different results, or you have submitted a valid objection as per Article 21 of the GDPR (cf. highlighted notice of your “right to object to processing based on legitimate interests,” under item c).

     

    Options for objection and removal: Cookies are stored on your computer and are shared with our site by your computer. This means that you have complete control over the use of cookies. By changing your internet browser settings, you can deactivate or limit the transfer of cookies. Previously stored cookies can be deleted at any time. This process can also be automated. If you set your browser to such a “do-not-track” setting, we will interpret this as an objection to the further collection and use of your personal data. Note: Deactivating cookies for our website may limit website functionality.

    Use of Like buttons on Facebook

    Our website contains Like buttons and/or Share buttons that link to the Facebook social network. This network is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, or in Europe by their subsidiary Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (hereinafter jointly referred to as: Facebook). The button can be identified by the Facebook logo (“f”) and/or the word “Like” and/or “Share.”

     

    When visiting one of our internet sites containing such a button, your browser only connects to Facebook's servers (which may be located not only within the EU, but also in the USA) if you first approve the transfer of data by actively clicking on the button. This means that there is no data transfer to Facebook through the Facebook buttons used on our website simply by accessing our site. This kind of data transfer only occurs after you take a corresponding deliberate action (= clicking the button). Only through your first click on the button is the information that you have visited our site transferred to Facebook.

     

    If you are logged into your personal Facebook account when you visit our website and click on the button, Facebook can link the website visit to your account. Whenever the Facebook button is used, the corresponding interaction is transferred to Facebook and stored there. If you would like to prevent this kind of connection to your Facebook account, you must log out of your Facebook account before you visit our website. However, certain data, such as your IP address, the time of the click, the browser in use, etc., will still be transferred to Facebook in that case. By logging out, you only prevent the direct linking of the data to your specific Facebook account.



    Shared responsibility with Facebook: Concerning the collection of personal data through the use of the button and the subsequent transfer of data to Facebook, we share responsibility with Facebook in the context of data protection (Article 26 GDPR). Therefore, within the scope of our data protection obligations, we are hereby informing you of the processing of data which takes place within the sphere of our knowledge and influence. We do not transfer any personal data in connection with the button other than to Facebook itself.


    However, we have no influence over, or knowledge of, how the data is further processed by Facebook after data transfer has occurred. Facebook is therefore solely responsible for all subsequent data processing after data transfer (cf. Judgment of the ECJ from 07/29/2019 – C-40/17).
    For information about the purpose and scope of further data collection by Facebook, as well as your rights and options for protecting your privacy with regards to such collection within your Facebook account, can be found in Facebook's data privacy statement (http://de-de.facebook.com/privacy/explanation.php). Facebook Inc. is certified under the EU-U.S. Privacy Shield and is thus obligated to comply with European data protection guidelines.

     

    Concerning your questions and your rights as a user: If you contact us, we will answer your inquiry ourselves to the extent that we are able to do so based on our own data processing and will otherwise forward your inquiry directly to Facebook with a request for full information, since we have no insight into data processing by Facebook.

     

    Purpose of data processing: Use of the Facebook button serves the purpose of providing our website's users with a direct feedback option (Like) and/or the option of sharing our content and information (Share), thus serving our advertising and marketing interests, as the further dissemination of our content and websites expands the reach of our services.

     

    Legal basis for data processing: The legal basis for the processing of personal data when using this button is your consent as per Article 6(1)(a) of the GDPR, which is given by clicking on the button.

     

    Duration of storage: We do not store any personal information related to the use of the Facebook button. Our interests in providing this button and the related Like and Share functions lie solely in increasing our reach. We have no knowledge of how long Facebook will make use of the data resulting from the click of the button — in particular how long Facebook stores and processes this data. Additional information about how Facebook handles personal data is available in their privacy policy.

     

    Options for objection and removal: If you would like to avoid the processing of data associated with the use of the button, you can prevent such use by simply choosing not to click the button.
    If you would like your visit to our website not to be assigned to your Facebook account by Facebook, please log out of your Facebook account and block the use of Facebook scripts in your browser, e.g., by using a script blocker like www.noscript.net or www.ghostery.com, before you click on the Facebook button.

    Use of Twitter's Tweet button

    Our website uses the Tweet button for the Twitter social network, which is operated by Twitter Inc., 750 Folsom Street, Suite 600, San Francisco, CA 94107, United States (“Twitter”). The Tweet button can be identified by its bird symbol.

     

    When visiting one of our internet sites containing such a button, your browser only connects to Twitter's servers (which may be located not only within the EU, but also in the USA) if you first approve the transfer of data by actively clicking on the button. This means that there is no data transfer to Twitter through the Twitter buttons used on our website simply by accessing our site. Such data transfer only occurs after you take a corresponding deliberate action (= clicking the button). Only through your first click is the information that you have visited our site transferred to Twitter.

     

    If you are logged into your Twitter account when you visit our website and click on the button, Twitter can link the website visit to your account. Whenever the Tweet button is used, the website visit and the corresponding interaction is transferred to Twitter and stored there. If you would like to prevent this kind of connection to your Twitter account, you must log out of your Twitter account before you visit our website. However, certain data, such as your IP address, the time of the click, the browser in use, etc., are still transferred to Twitter in that case. By logging out, you only prevent the direct assignment of the data to your specific Twitter account.

     

    Shared responsibility with Twitter: Concerning the collection of personal data through the use of the button and the subsequent transfer of the data to Twitter, we share responsibility with Twitter in the context of data protection (Article 26 GDPR). Therefore, within the scope of our data protection obligations, we are hereby informing you of the processing of data which takes place within the sphere of our knowledge and influence. We do not transfer any personal data in connection with the button, other than to Twitter itself.

     

    However, we have no influence over, or knowledge of, how the data is further processed by Twitter after data transfer has occurred. To the best of our knowledge, only your IP address and the respective website's URL are transferred. Interactions, especially the clicking of a Re-Tweet button, are also shared with Twitter. Twitter is therefore solely responsible for all subsequent data processing after data transfer (cf. Judgment of the ECJ from 07/29/2019 – C-40/17).

     

    For information regarding the purpose and scope of data collection and the further processing and use of the data by Twitter, as well as your rights and options to protect your privacy with regards to such collection, can be found in Twitter's data privacy statement at http://twitter.com/privacy. Twitter Inc. is certified under the EU-U.S. Privacy Shield and is thus obligated to comply with European data protection guidelines.

     

    Concerning your questions and your rights as a user: If you contact us, we will answer your inquiry ourselves to the extent that we are able to do so based on our own data processing and will otherwise forward your inquiry directly to Twitter with a request for full information, since we have no insight into Twitter's data processing.

     

    Purpose of data processing: Use of the Twitter plug-in serves the purpose of a direct feedback option and/or serves to enable direct sharing of our content and information (Tweet), thus expanding and positively impacting our reach and thereby our advertising and marketing interests.
     

    Legal basis for data processing: The legal basis for the processing of personal data when using this button is your consent as per Article 6(1)(a) of the GDPR, which is given by clicking on the button.

     

    Duration of storage: We do not store any personal information related to the use of the Twitter button. Our interests in providing this button and the related Like and Share functions lie solely in increasing our reach. We have no knowledge of how long Twitter will make use of the data resulting from the click of the button, in particular how long Twitter stores and processes this data. Additional information on how Twitter handles personal data is available in Twitter's privacy policy at http://twitter.com/privacy.

     

    Options for objection and removal: If you would like to avoid the processing of data associated with the use of the button, you can prevent such use by simply choosing not to click the button.
    If you would like your visit to our website not be assigned to your Twitter account by Twitter, please log out of your Twitter account and block the use of Twitter scripts in your browser, e.g., by using a script blocker like www.noscript.net or www.ghostery.com, before clicking on the Twitter button.



    You also have the option of changing your data privacy settings in Twitter by accessing your Twitter account settings at http://twitter.com/account/settings.

    Use of Matomo (formerly PIWIK) analytics tool

    Our website employs Matomo (Piwik), an Open-Source Web analytics tool from InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand (https://matomo.org), to collect and store data for marketing and optimisation purposes. These data can be processed to create pseudonymised usage profiles. To this end, cookies may be deployed. Cookies are small text files that are stored in the local cache of the user’s browser. These cookies allow the browser to be recognised. Except where the express consent of the data subject has been given, these data collected by means of Matomo (Piwik) are not used to personally identify the user of our website and are also not combined with personal data on the person (orthonym) behind the pseudonym.

     

    Purpose of data processing: Analytics cookies and tools are employed for the purpose of improving website quality and content. Analytics cookies allow us to discover how the website is used, allowing us to improve our content and offering.

     

    Lawful basis for data processing: The lawful basis for personal data processing within the scope of cookie use is Article 6 (1) f) GDPR, i.e. our legitimate interest. Our legitimate interest is the purposes given above.

     

    Storage period: Cookies are saved to your device and from there they are transferred to our website. The IP address is anonymised immediately after processing and before storage. You therefore have complete control over the use of these cookies. By changing your browser settings, you can disable or restrict the transfer of cookies. Cookies already saved on your device can be erased at any time. This can also be performed automatically. A do-not-track setting of this kind is regarded by us as an objection to the continued collection and use of your personal data. However, if cookies for our website are disabled, it may not be possible to use all functions of our website. We store data collected on account of our legitimate interest until our legitimate interest no longer exists, due consideration leads to a different conclusion, or you lodge a valid objection in accordance with Article 21 GDPR (see the information on your right to object in the box under “Rights of the Data Subject). We regularly, and at least once annually, review whether our legitimate interest still exists. Our interest no longer exists, in particular, when the data are of an age that renders them insufficiently relevant to us with regard to website use analytics or statistics, which is assumed to be case at the latest after three years.

     

    Objection and prevention: You can prevent the storage of cookies by your browser settings; however, in this case, you may not be able to use all functions of our website. Moreover, you can prevent the collection of data on your website use (including your IP address) by means of the cookie, and the processing of these data by us, by employing the opt-out option provided at the end of this data privacy notice:

    Use of fonts from fonts.net

    Our website uses/downloads JavaScript code from Monotype GmbH, Werner-Reimers-Strasse 2-4, 61352 Bad Homburg, Germany (Fonts.net).

     

    Purpose of data processing: The fonts are employed to improve our website for the user and make it distinctive in look-and-feel, and they therefore serve our marketing and advertising interests. For information on the purpose and scope of data collection on the part of Monotype, further processing and use of your data by Monotype, and your corresponding rights and privacy settings, please refer to Monotype’s own privacy notice: https://www.monotype.com/legal/privacy-policy

     

    Lawful basis for data processing: The lawful basis for personal data processing within the scope of font use is Article 6 (1) f) GDPR, i.e. our legitimate interest. Our legitimate interest is the purposes given above.
     

    Storage period: As a user, you can yourself manage the execution of the corresponding JavaScript code required by this tool via your browser settings. By changing you browser settings, you can disable or restrict the execution of JavaScript, and therefore prevent data from being collected and stored. However, if JavaScript is disabled, it may not be possible to use all functions of our website.

     

    Objection and prevention: If you do not want your data to be processed, you can change your browser settings to disable the execution of JavaScript code.
    If you have activated JavaScript in your browser and have not installed a JavaScript blocker, your browser may under certain circumstances transmit personal data to Fonts.net. We do not know to what data Fonts.net links the data it receives, and to what purpose it uses these data. Further information can be found in the data privacy notice published by Fonts.net: http://www.monotype.com/legal/privacy-policy. To entirely prevent the execution of JavaScript code by Fonts.net, you can install a JavaScript blocker (e.g. www.noscript.net or www.ghostery.com).

    Website encryption

    The website and data transmission via the website is encrypted in accordance with the SSL standard (HTTPS protocol).

    Transfer of personal data to a third country (non-EU country)

    It is intended to transfer personal data to the United States of America (USA). An adequacy decision has been adopted by the EU Commission to the effect that personal data may be transferred to the USA if the recipient has joined the EU-U.S. Privacy Shield framework. Personal data are therefore only transferred to recipients in the USA who have demonstrated their membership of the EU-U.S. Privacy Shield framework.

     

    The intent is to transfer data to the following organisations:

    • Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, as the provider of the Facebook social network.
    • Twitter Inc., 750 Folsom Street, Suite 600, San Francisco, CA 94107, USA, as the provider of the Twitter messaging service.

     

    The organisations named above have joined the EU-U.S. Privacy Shield framework, and have submitted to data protection rules equivalent to those in the EU. The transfer of data to these organisations is therefore permissible. Where these organisations process data on our behalf, we have concluded corresponding data processing contracts with them to safeguard the data and our rights to issue instructions in their regard.

    Rights of the data subject

    If your personal data are processed, then you are a data subject and you have the following rights with regard to us as the data controller:

    Right of access

    You have the right to receive, free of charge, information from us as to whether we process your personal data. If this is the case, you have the right to access these personal data and to further information as defined in Article 15 GDPR. To exercise this right, you can contact us via conventional mail or email.

    Right to rectification

    You have the right to demand the rectification of incorrect personal data without delay. You also have the right – taking into account the above-mentioned purposes of processing – to demand the addition of missing information to incomplete personal data, for example by means of a supplementary statement. To exercise this right, you can contact us via conventional mail or email.

    Right to erasure

    You have the right to demand the erasure without delay of your personal data if one of the conditions specified in Article 17 GDPR applies. To exercise this right, you can contact us via conventional mail or email.

    Right to restriction of processing

    You have the right to demand restriction of processing if one of the conditions specified by Article 18 GDPR applies. To exercise this right, you can contact us via conventional mail or email.

    Right to notification

    If you have exercised your right to rectification or erasure of data or to restriction of processing, the data controller is obliged to notify all recipients of your personal data of the corresponding rectification or erasure of data or restriction of processing, unless notification proves to be impossible or would entail unreasonable effort or expense. You have the right to be informed of these recipients by the data controller.

    Right to portability

    You have the right to receive personal data which you have provided to us in a structured, commonly used and machine-readable format and you have the right to transfer these data to another controller without hindrance from us where the conditions specified by Article 20 GDPR apply. To exercise these rights, you can contact us via conventional mail or email.


    Right to object to processing on the basis of legitimate interest

    Insofar as we, i.e. under exceptional circumstances, process your personal data on the basis of Article 6 (1) f) GDPR (on account of legitimate interest), you have the right at any time for grounds relating to your particular situation to object to the processing of your personal data. If we cannot demonstrate the existence of valid and compelling grounds for continued processing that would override your interests, rights or freedoms, or if we process the corresponding data in the pursuit of direct advertising/marketing, we shall no longer process your data (see Art. 21 GDPR). To exercise these rights, you can contact us via conventional mail or email.
     

    An objection in this context shall also be any technical method employed by you, e.g. a clearly expressed technical message transmitted to us by your browser (do-not track message).


    Right to withdraw consent

    You have the right at any time to withdraw consent to the future collection and use of personal data. To exercise this right, you can contact us via conventional mail or email. This does not affect the lawfulness of the processing carried out with your consent prior to your withdrawal.

    Automated individual decision-making, including profiling

    You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. However, this does not apply if the decision is necessary for entering into, or performance of, a contract between you and us; the decision is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or the decision is based on your explicit consent.
    We do not make use of automated decision-making.

    Data provided voluntarily

    If the provision of personal data is a statutory or contractual requirement, we draw attention hereto when collecting such data. In some instances, the collection of data is necessary to conclude a contract, i.e. if we would not otherwise be able to fulfil or adequately fulfil our contractual obligations to you. There is no obligation on your part to provide personal data. However, the non-provision can lead to us being unable to provide or offer a product, service, action, measure, or similar, or us being unable to conclude a contract with you.

    Right to complain to a supervisory authority

    If you believe that your personal data are being processed in breach of the GDPR, you have the right at any time, without prejudice to other rights, to lodge a complaint with a data protection supervisory authority, in particular, in the member state in which you live or work or in which the suspected breach of the GDPR is taking place.

     

    The authority responsible for us is: The Baden-Württemberg State Data Protection Officer (Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg), Königstrasse 10A, 70173 Stuttgart, Germany; website: www.baden-wuerttemberg.datenschutz.de.

     

     

    Data privacy notice last updated: 25 May 2018