Our Heritage. Yours To Enjoy

Staatliche Schlösser und Gärten Baden-Württemberg

Data privacy notice

The following provides information on what personal data we process, for what purpose, on what basis and for what duration:

Overview / table of contents

Our data privacy notice includes the following information:

Our contact data and general information on data processing by us

Name and contact data of the data controller

The data controller as defined by data protection legislation, with responsibility for the collection and use of personal data, is

Staatliche Schlösser und Gärten
Baden-Württemberg – Headquarters
Schlossraum 22 a
76646 Bruchsal
Germany

Represented by Managing Director Michael Hörrmann and Uwe Weinreuter

Further information on our organisation is available from our website masthead (Impressum) at http://www.schloesser-und-gaerten.de/en/about-us/masthead/.

Contact data for the data controller’s data protection officer

You can contact our data protection officer as follows:

Mr Martin Filip
Data Protection Officer
Vermögen und Bau Baden-Württemberg
Rotebühlplatz 30
70173 Stuttgart
Germany

Lawful basis for processing personal data

The following applies to the processing of personal data by us:

  • Insofar as we obtain your consent for processing your personal data, the lawful basis is Article 6 (1) a) EU General Data Protection Regulation (GDPR).
  • Where the processing of personal data is necessary for the performance of a contract with you, the lawful basis is Article 6 (1) b) GDPR. This also applies to processing for the performance of pre-contractual tasks.
  • Where processing personal data is for compliance with a statutory obligation to which we are subject, the lawful basis is Article 6 (1) c) GDPR.
  • If it should be necessary to process your personal data to safeguard your vital interest or those of another natural person, the lawful basis is Article 6(1) d) GDPR.
  • If the processing of personal data is in order to safeguard the legitimate interests of ourselves or a third party, and these are not overridden by your interests, fundamental rights or freedoms, the lawful basis is Article 6 (1) f) GDPR.

Data erasure and storage period

Generally, personal data is erased or blocked by us when the purpose for which they were stored no longer applies. Data can be retained for a longer period in accordance with European Union or national legislation or regulations to which the controller is subject. Data can also be erased or blocked upon expiration of a retention period specified by the above legislation or regulations, unless continued retention of the data is necessary for the conclusion or performance of a contract.

This means:
If we process your personal data on the basis of consent to data processing (Article 6 (1) a) General Data Protection Regulation, GDPR), then processing ceases when you withdraw such consent unless there is a further lawful reason for processing the data, which is the case if, at the time consent is withdrawn, we are entitled to process the data in order to perform the contract or if data processing is necessary to safeguard our legitimate interests (see below).

If, under exceptional circumstances, we should process personal data on account of our legitimate interests (Article 6 (1) f) GDPR) after having given the matter due consideration, then we store such data until our legitimate interest no longer applies, due consideration leads us to a different conclusion, or you have lodged a valid complaint according to Article 21 GDPR (see the information on your right to object in the box under “Rights of the Data Subject”).

Insofar as we are processing data for contract performance we store the data until the contract is fully performed and it is no longer possible to bring claims arising from the contract, i.e., all claims have expired under statute. According to Section 195 German Civil Code (BGB), expiration is generally after three years. However, certain types of claim, such as claims for damages, expire after 30 years (see Section 197 BGB). If we have legitimate reason, in a given case, to assume that this is relevant, we retain personal data for this period of time. The expirations under statute mentioned above commence at the end of the year (i.e. on 31 December) in which the claim arose and the creditor became aware of the circumstances giving rise to the claim and of the identity of the debtor, or should have become aware of them if not acting with gross negligence.

We are also subject to statutory data retention obligations for tax and accounting purposes. These include the obligation to retain certain types of data, which can include personal data, as accounting records for a period of six to ten years. These retention periods take precedence over the erasure obligations described above. Retention periods also commence at the end of the respective year, i.e. on 31 December.  

Source of personal data

The personal data processed by us are primarily from the data subject themselves, for instance, where the subject

  • As a user of our website, transfers information such as their IP address via their web browser and their device (such as a PC, smartphone, tablet or notebook) to our web server,
  • As a potential customer, requests information or a proposal for services from us,
  • As a customer, places a booking or order with us, and/or concludes a contract with us,
  • As a press/media representative, requests information material, a press release, a statement or similar,
  • As a supplier, provides goods, services or similar to us in agreement with us.

    Personal data processed by us can only come from third parties in highly exceptional circumstances, for example where a person is acting on behalf of a third party.

    Concrete categories, purposes and lawful basis of personal data processing

    We process the following categories of personal data:

    • Users of our website,
    • Potential customers,
    • Press/media representatives,
    • Customers, and
    • Suppliers

    Depending on the category of data, we process personal data for the following purposes on the lawful basis of the sections of the General Data Protection Regulation (GDPR) cited in each case:

    User data: Data on users of our website are collected and processed by us without reference to the person. We are unable to identify a specific person by means of these data. The IP address is only processed in anonymised form. Insofar as we in exceptional cases do process personal data, this is performed to safeguard our legitimate interests on the lawful basis of Article 6 (1) f) GDPR. In this context, our legitimate interests are the security and integrity of our website (in particular, without limitation, the identification of faults and errors, and the investigation of unauthorised access), marketing and statistical analysis (to improve our website, and our products and services). After due consideration, we have concluded that data processing is necessary to safeguard our legitimate interests as given above, and these are not overridden by your interests, fundamental rights or freedoms that would require the protection of personal data.

    Data of potential customers/representatives of the press/media: Insofar as we process data of potential customers of our products and services, or of press/media representatives, this is only performed where you have entered these data in an entry field or via email and send them to us with the purpose of submitting an inquiry. These data have been provided voluntarily by you. We subsequently process these data exclusively in order to fulfil your inquiry. These voluntarily submitted data are processed by us in order to provide information on our products or services within the scope of pre-contractual tasks in accordance with Article 6 (1) b) GDPR and/or on the basis of consent given by submitting your inquiry/data in accordance with Article 6 (1) a) GDPR.

    Customer data: We process customer data with the purpose of contract performance in accordance with Article 6 (1) b) GDPR and/or on the basis of consent given in accordance with Article 6 (1) a) GDPR. This also applies to processing necessary to perform pre-contractual tasks (e.g. within the scope of drafting and negotiating quotations/proposals).

    Supplier data/business partner data: We process supplier/business partner data with the purpose of contract performance in accordance with Article 6 (1) b) GDPR and/or on the basis of consent given in accordance with Article 6 (1) a) GDPR. This also applies to processing necessary to perform pre-contractual tasks (e.g. within the scope of drafting and negotiating quotations/proposals).

    Recipients/categories of recipients of personal data

    Your personal data are only made available to third parties where this is necessary for contract performance (e.g. to fulfil an order) or executing a financial transaction (e.g. to complete a payment transaction to purchase goods or services), where there is legitimate interest in transferring/submitting such data and these are not overridden by your interests, fundamental rights or freedoms, or you have duly given your valid consent.

    Recipient categories may include:

    • Service providers (publishers, printers, event organisers and similar)
    • Couriers/freight forwarders, suppliers
    • Payment service providers, banks

    Data processing for newsletter distribution

    It is possible to subscribe to a free newsletter via our website or by submitting a request to us. The data submitted via the entry screen/fields are transferred to us. These data comprise

    • Form of address (Mr/Ms etc.), given name, surname and
    • Email address.

    Moreover, the following data are collected when you register for the newsletter subscription:

    • The user’s IP address and
    • The date and time of registration.


    This serves to prevent a misuse of the service or of the data subject’s email address.

    Registration for the newsletter subscription is by means of a double opt-in process. In other words, once you have initially registered, you receive an email which requests that you confirm your registration. This confirmation is necessary to ensure no one can register using someone else’s email address.

    Within the scope of the registration process, we receive your consent for data processing and draw your attention to this data privacy notice.

    Your data are not made available to any third party. The only exception is where there is a statutory requirement to do so. The data are only used for distribution of the newsletter.

    Purpose of data processing: The collection and processing the user’s email address serves the purpose of delivering the newsletter. We use the email address for marketing/advertising purposes. The collection of personal data during the registration serves to prevent the misuse of the service or of the data subject’s email address.

    Lawful basis for data processing: The lawful basis for processing data collected during user registration for the newsletter is, where the user has given consent, Article 6 (1 ) a) GDPR.
    The other data collected during user registration are processed on account of our legitimate interests in accordance with Article 6 (1) f) GDPR. Our legitimate interests are in this instance the prevention of a misuse of our services, of our web server or of the email address.

    Storage period: The data are erased as soon as they are no longer required for the purpose for which they were collected. The user’s email address is stored for at least as long as the newsletter subscription is active. We are permitted to store email addresses of users who have unsubscribed for up to three years on account of our legitimate interests before their erasure for the newsletter in order to document that consent was originally given. The processing of these data is confined to the purpose of providing a defence against any claims that might be brought against us. The data subject may submit a request for their data to be erased insofar as they simultaneously confirm that their consent was originally given.
    Other personal data collected during registration is generally erased after seven days.

    Objection and prevention: The user can, at any time, unsubscribe from the newsletter free of charge and by the simple expression of such by suitable means. To this end, a corresponding link is provided in each newsletter. This link also enables the user to withdraw their consent to the storage of personal data collected during registration.

    Scope of personal data processing via our website

    We only collect and use personal data of website users where this necessary to the provisioning of an operational website and for the provisioning of content, products and services. Personal data is generally only collected and used following receipt of the user’s consent. An exception is where it is not possible to gain prior consent due to reasons of fact, and/or where data processing is permitted by law.

    Provisioning of website and generation of log files

    For technical reasons, our system automatically collects certain data and information whenever our website is accessed. This information and data are stored in server log files. The information concerned is as follows:

    • Date and time of access,
    • URL (address) of the referring website,
    • Pages on our website accessed by the user’s system,
    • The user’s screen resolution,
    • File(s) accessed and a report on the success of such access,
    • Volume of transmitted data,
    • The user’s Internet service provider,
    • Browser, browser type and browser version, browser engine and engine version,
    • Operating system, operating system version, operating system type, and
    • The user’s anonymised IP address and the user’s Internet service provider.

    These data are processed separately from other data. These data are not processed together with other personal data of the user. We are not able to identify a specific person by means of these data.

    Purpose of data processing: The system is required to temporarily process data in order to deliver the content of our website to the user’s device. This requires the user’s IP address to be stored for the duration of the session. Storage of data in log files is in order to ensure the correct operation of our website. Moreover, they help us to improve our products and services, and our website, and to safeguard the security of IT systems. These data are not used or analysed for marketing/advertising purposes.

    Lawful basis for data processing: The lawful basis for storing the data and log files is Article 6 (1) f) GDPR. Our legitimate interest in data processing is the purposes given above.

    Storage period: The data are erased as soon as they are no longer required for the purpose for which they were collected. In the case of data collected for the provision of the website this is when the session ends. In the case of data stored in log files this is generally at the latest after seven days. It is possible that data may be stored beyond this period. In this instance, the user’s IP address is erased or anonymised so that it is no longer possible to identify the client device.

    Objection and prevention: The collection of data for the provision of the website and the storage of data in log files is essential to the operation of the website. The user therefore has no right to object. The user can however cease to use the website at any time and therefore prevent the further collection of the data described above.

    Making contact via contact form, email, fax and phone

    Our website includes contact forms that can be used to contact us by electronic means with regard to a variety of areas and topics. If you make use of a contact form, then the data entered into the corresponding fields are transmitted to us and stored.

    These data are:

    • Form of address (Mr/Ms, etc.), given name, surname, email, your inquiry (required fields)
    • Title, street, house number, post code, city (optional fields)

    Upon submitting your message, the following data are also collected:

    • User’s IP address,
    • Date and time of submission.

    Data are transmitted in encrypted form by means of SSL.

    Upon submitting your message, we obtain your consent for data processing and we also draw attention to our legitimate interest in data processing. You are also again informed of the nature of such data processing and we make reference to this data privacy notice.

    Alternatively, you can contact us by means of the email address, fax number or telephone number provided. In this instance, we collect and store the personal data provided to us by such email, fax or phone.

    No data are provided to third parties. The data are used exclusively for the purposes of the communication/conversation initiated in this way.

    Purpose of data processing: The processing of personal data from entry fields/screens, and provided via email, fax or phone, is for the purpose of processing your initial contact and processing your inquiry/request, where provided via registration for an event for the purpose of managing registrations and organising this event. We require your email address, fax number or phone number or postal address in order to be able to answer. This is therefore our legitimate interest for processing the data. Other personal data processed upon submission are employed to prevent misuse of our contact form and to safeguard the security of our IT systems.

    Lawful basis for data processing: The lawful basis for data processing is consent in accordance with Article 6 (1) a) GDPR and our legitimate interest in data processing in accordance with Article 6 (1) f) GDPR. If the goal of the contact or inquiry is to conclude a contract then the lawful basis for data processing is Article 6 (1) b) GDPR (performance of pre-contractual tasks).

    Storage period: The data are erased as soon as they are no longer required for the purpose for which they were collected. For personal data entered via the fields of a contact form and the data submitted to us via email, this is when the conversation is concluded. The conversation is deemed to have been concluded where it can be inferred from the circumstances that the issue in question has been fully resolved. Other personal data collected upon submission process are erased after seven days at the latest.

    Fax data are stored separately from print data in the memory of the fax device. Once the fax has been printed, the space used within the device’s memory is made available to allow receipt and storage of any subsequent fax. Parts of the printed fax may continue to reside temporarily in the fax device’s memory until they are overwritten by a subsequent fax. Typically, this means automatic erasure of data within one to two weeks.
    When we receive or make a phone call, your telephone number and/or the name/company name stored by your telephone service provider and the date and time of the call are stored within our telephone system in a circular buffer, until the oldest data are overwritten by the most recent. Typically, this means that data in the telephone system are automatically erased at the latest after three months.

    Objection and prevention: You may at any time withdraw your consent to the processing of your personal data or object to continued data processing on account of your legitimate interest (see the information on your right to object in the box under "Rights of the Data Subject). In this instance, the conversation cannot be continued.

    Use of cookies

    Cookies are generated when a user accesses a website. Cookies are small text files that are saved to your device (PC, smartphone, tablet, etc.). If you access a website a cookie may be stored by your browser. A cookie contains a string of characters that allow the browser to be identified when it is used to access the website again.

    It is also possible that third parties may use cookies. If this is the case, we inform you of this fact in this data privacy notice in the section(s) on the corresponding third-party tools (such as analytics tools, plugins, etc.).

    When a user accesses our website, they are informed of the use of cookies for analytics purposes and their consent is sought for the processing of personal data in this context. We also refer the user to this data privacy notice.

    Purpose of data processing: The purpose of technically necessary cookies is to simplify use of the website. Some of the functions of our website would not be possible without cookies. These functions require the browser to be recognised when the users move from one page to another.
    The data collected by means of technically necessary cookies are not employed to create user profiles.
    Analytics cookies are employed for the purpose of improving website quality and content. Analytics cookies allow us to discover how the website is used, allowing is to improve our content and offering.

    Lawful basis for data processing: The lawful basis for personal data processing within the scope of cookie use is Article 6 (1) f) GDPR, i.e. our legitimate interest. Our legitimate interest is the purposes given above. The lawful basis for processing personal data via cookies for the purposes of analytics is, where the user has given their consent, Article 6 (1) a) GDPR.

    Storage period: Some of the cookies used by us are erased at the conclusion of the browser session, i.e. once you have shut down your browser (session cookies). Other cookies remain on your device and enable us or our service providers (third parties) to recognise your browser upon your next visit (persistent cookies).
    Data collected on account of our legitimate interest are only stored until our legitimate interest no longer exists, due consideration leads to a different conclusion, or you lodge a valid objection in accordance with Article 21 GDPR (see the information on your right to object in the box under "Rights of the Data Subject). We regularly, and at least once annually, review whether our legitimate interest still exists. Our interest no longer exists, in particular, when the data are of an age that renders them insufficiently relevant to us with regard to website use analytics or statistics, which is assumed to be case at the latest after three years.  

    Objection and prevention: Cookies are saved to your device and from there they are transferred to our website. You therefore have complete control over the use of these cookies. By changing your browser settings, you can disable or restrict the transfer of cookies. Cookies already saved on your device can be erased at any time. This can also be performed automatically. A do-not-track setting of this kind is regarded by us as an objection to the continued collection and use of your personal data. However, if cookies for our website are disabled, it may not be possible to use all functions of our website.

    Use of Facebook plugins

    Our website also uses Facebook social plugins. These are small software programs from the Facebook social network. These are operated exclusively by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (hereinafter referred to as Facebook). On our website, these plugins are recognisable by the use of the Facebook logo or the term “Share”.

    If you visit a page of our website that features a plugin of this kind then your browser will establish a direct connection with Facebook’s servers in the USA, resulting in the content of the plugin being transmitted to your browser, which then incorporates it into the website.

    The plugin informs Facebook that you have visited our website. If you are logged onto your personal Facebook account while visiting our website, then Facebook can link your website visit to your account. If you interact with plugins, e.g. by clicking on a “Share” button or posting a comment, this information is directly transmitted to and saved by Facebook.

    If you wish to prevent this information being linked to your Facebook account, you must first log out of Facebook before visiting our website. Nevertheless, certain data will still be transmitted to Facebook, such as your IP address, the time you clicked on the button, your browser, etc. Logging out only prevents data being linked to a specific Facebook account.

    Purpose of data processing: We use Facebook plugins to enable direct feedback (“Like”) or the direct sharing of selected elements of our website content (“Share”), and to pursue our advertising and marketing interests. For information on the purpose and scope of data collection on the part of Facebook, further processing and use of your data by Facebook, and your corresponding rights and privacy settings within your Facebook account, please refer to Facebook’s own privacy notice:
    https://www.facebook.com/privacy/explanation 

    Lawful basis for data processing: The lawful basis for personal data processing within the scope of cookie use is Article 6 (1) f) GDPR, i.e. our legitimate interest. Our legitimate interest is the purposes given above.

    Storage period: As a user, you can yourself manage the execution of the corresponding JavaScript code required by this tool via your browser settings. By changing your browser settings, you can disable or restrict the execution of JavaScript, and therefore prevent data from being collected and stored. However, if JavaScript is disabled, it may not be possible to use all functions of our website.

    Objection and prevention: If you do not wish Facebook to link your visit to our website with your Facebook account, please log out of your personal Facebook account and prevent the execution of script from Facebook within your browser, e.g. by means of script blockers from www.noscript.net or www.ghostery.com.

    Use of the Tweet button from Twitter

    Our website uses the Tweet button from the Twitter social network, which is operated by Twitter Inc., 750 Folsom Street, Suite 600, San Francisco, CA 94107, United States (“Twitter”). The Tweet button is recognisable by the dark-blue bird symbol.

    If you visit a page of our website that features one of these buttons, your browser establishes a direct connection with Twitter’s servers. The content of the “Tweet″ button is transferred directly by Twitter to your browser, and then incorporated directly by your browser into your Twitter message. We have no influence over the scope of data that Twitter collects by means of the button. To the best of our knowledge, only the user’s IP address and the URL of the corresponding page of the website is transferred when the button is downloaded, but solely for the purposes of displaying the button. Interactions, in particular clicking a “re-tweet” button, are also transferred to Twitter.

    Purpose of data processing: We use Twitter plugins to enable direct feedback or the direct sharing of selected elements of our website content (“Tweet”), and to pursue our advertising and marketing interests. For information on the purpose and scope of data collection on the part of Twitter, further processing and use of your data by Twitter, and your corresponding rights and privacy settings, please refer to Twitter’s own privacy notice http://twitter.com/privacy

    Lawful basis for data processing: The lawful basis for personal data processing within the scope of cookie use is Article 6 (1) f) GDPR, i.e. our legitimate interest. Our legitimate interest is the purposes given above.

    Storage period: As a user, you can yourself manage the execution of the corresponding JavaScript code required by this tool via your browser settings. By changing you browser settings, you can disable or restrict the execution of JavaScript, and therefore prevent data being collected and stored. However, if JavaScript is disabled, it may not be possible to use all functions of our website.

    Objection and prevention: If you are a member of Twitter and do not wish for Twitter to collect data on your visit to our website, and to link those data with your Twitter membership data, you need to log out of Twitter before you visit our website. You can prevent the execution of the corresponding JavaScript code required by this tool via your browser settings. To entirely prevent the execution of JavaScript code, you can install a JavaScript blocker, such as the browser plugin NoScript (e.g. www.noscript.net or www.ghostery.com).

    You can also change your data privacy settings for your Twitter account at http://twitter.com/account/settings.

    Use of the Google+ +1 button

    Our website uses the +1 button from the Google Plus social network, operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (“Google”). The button is recognisable by the +1 symbol on a white or coloured background.

    If you access a page of our website that has this button, your browser establishes a direct connection with Google’s servers. The content of the +1 button is transmitted directly by Google to your browser, and then incorporated directly by your browser into the website. We have no influence over the scope of data that Google collects by means of the button. According to Google, no personal data is collected unless the button is clicked. Such data, including the IP address, are only collected and processed in the case of logged-in members.

    Purpose of data processing: We use the plugins to enable direct feedback or the direct sharing of selected elements of our website content with the Google+ social network, and therefore to pursue our advertising and marketing interests. For information on the purpose and scope of data collection on the part of Google+, further processing and use of your data by Google+, and your corresponding rights and privacy settings, please refer to Google+’s own privacy notice regarding the +1 button: http://www.google.com/intl/de/+/policy/+1button.html.

    Lawful basis for data processing: The lawful basis for personal data processing within the scope of cookie use is Article 6 (1) f) GDPR, i.e. our legitimate interest. Our legitimate interest is the purposes given above.

    Storage period: As a user, you can yourself manage the execution of the corresponding JavaScript code required by this tool via your browser settings. By changing your browser settings, you can disable or restrict the execution of JavaScript, and therefore prevent data being collected and stored. However, if JavaScript is disabled, it may not be possible to use all functions of our website.

    Objection and prevention: If you are a member of Google+ and do not wish for Google+ to collect data on your visit to our Website, and to link those data with your Google+ membership data, you need to log out of Google+ before you visit our website. You can prevent the execution of the corresponding JavaScript code required by this tool via your browser settings. To entirely prevent the execution of JavaScript code, you can install a JavaScript blocker, such as the browser plugin NoScript (e.g. www.noscript.net or www.ghostery.com).

    Use of Matomo (formerly PIWIK) analytics tool

    Our website employs Matomo (Piwik), an Open-Source Web analytics tool from InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand (https://matomo.org), to collect and store data for marketing and optimisation purposes. These data can be processed to create pseudonymised usage profiles. To this end, cookies may be deployed. Cookies are small text files that are stored in the local cache of the user’s browser. These cookies allow the browser to be recognised. Except where the express consent of the data subject has been given, these data collected by means of Matomo (Piwik) are not used to personally identify the user of our website and are also not combined with personal data on the person (orthonym) behind the pseudonym.

    Purpose of data processing: Analytics cookies and tools are employed for the purpose of improving website quality and content. Analytics cookies allow us to discover how the website is used, allowing us to improve our content and offering.

    Lawful basis for data processing: The lawful basis for personal data processing within the scope of cookie use is Article 6 (1) f) GDPR, i.e. our legitimate interest. Our legitimate interest is the purposes given above.

    Storage period: Cookies are saved to your device and from there they are transferred to our website. The IP address is anonymised immediately after processing and before storage. You therefore have complete control over the use of these cookies. By changing your browser settings, you can disable or restrict the transfer of cookies. Cookies already saved on your device can be erased at any time. This can also be performed automatically. A do-not-track setting of this kind is regarded by us as an objection to the continued collection and use of your personal data. However, if cookies for our website are disabled, it may not be possible to use all functions of our website. We store data collected on account of our legitimate interest until our legitimate interest no longer exists, due consideration leads to a different conclusion, or you lodge a valid objection in accordance with Article 21 GDPR (see the information on your right to object in the box under “Rights of the Data Subject). We regularly, and at least once annually, review whether our legitimate interest still exists. Our interest no longer exists, in particular, when the data are of an age that renders them insufficiently relevant to us with regard to website use analytics or statistics, which is assumed to be case at the latest after three years.

    Objection and prevention: You can prevent the storage of cookies by your browser settings; however, in this case, you may not be able to use all functions of our website. Moreover, you can prevent the collection of data on your website use (including your IP address) by means of the cookie, and the processing of these data by us, by employing the opt-out option provided at the end of this data privacy notice:

    Use of fonts from fonts.net

    Our website uses/downloads JavaScript code from Monotype GmbH, Werner-Reimers-Strasse 2-4, 61352 Bad Homburg, Germany (Fonts.net).

    Purpose of data processing: The fonts are employed to improve our website for the user and make it distinctive in look-and-feel, and they therefore serve our marketing and advertising interests. For information on the purpose and scope of data collection on the part of Monotype, further processing and use of your data by Monotype, and your corresponding rights and privacy settings, please refer to Monotype’s own privacy notice: https://www.monotype.com/legal/privacy-policy

    Lawful basis for data processing: The lawful basis for personal data processing within the scope of font use is Article 6 (1) f) GDPR, i.e. our legitimate interest. Our legitimate interest is the purposes given above.

    Storage period: As a user, you can yourself manage the execution of the corresponding JavaScript code required by this tool via your browser settings. By changing you browser settings, you can disable or restrict the execution of JavaScript, and therefore prevent data from being collected and stored. However, if JavaScript is disabled, it may not be possible to use all functions of our website.

    Objection and prevention: If you do not want your data to be processed, you can change your browser settings to disable the execution of JavaScript code.
    If you have activated JavaScript in your browser and have not installed a JavaScript blocker, your browser may under certain circumstances transmit personal data to Fonts.net. We do not know to what data Fonts.net links the data it receives, and to what purpose it uses these data. Further information can be found in the data privacy notice published by Fonts.net: http://www.monotype.com/legal/privacy-policy. To entirely prevent the execution of JavaScript code by Fonts.net, you can install a JavaScript blocker (e.g. www.noscript.net or www.ghostery.com).

    Website encryption

    The website and data transmission via the website is encrypted in accordance with the SSL standard (HTTPS protocol).

    Transfer of personal data to a third country (non-EU country)

    It is intended to transfer personal data to the United States of America (USA). An adequacy decision has been adopted by the EU Commission to the effect that personal data may be transferred to the USA if the recipient has joined the EU-U.S. Privacy Shield framework. Personal data are therefore only transferred to recipients in the USA who have demonstrated their membership of the EU-U.S. Privacy Shield framework.

    The intent is to transfer data to the following organisations:

    • Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google“), as the provider of the Google+ social network.
    • Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, as the provider of the Facebook social network.
    • Twitter Inc., 750 Folsom Street, Suite 600, San Francisco, CA 94107, USA, as the provider of the Twitter messaging service.

    The organisations named above have joined the EU-U.S. Privacy Shield framework, and have submitted to data protection rules equivalent to those in the EU. The transfer of data to these organisations is therefore permissible. Where these organisations process data on our behalf, we have concluded corresponding data processing contracts with them to safeguard the data and our rights to issue instructions in their regard.

    Rights of the data subject

    If your personal data are processed, then you are a data subject and you have the following rights with regard to us as the data controller:

    Right of access

    You have the right to receive, free of charge, information from us as to whether we process your personal data. If this is the case, you have the right to access these personal data and to further information as defined in Article 15 GDPR. To exercise this right, you can contact us via conventional mail or email.

    Right to rectification

    You have the right to demand the rectification of incorrect personal data without delay. You also have the right – taking into account the above-mentioned purposes of processing – to demand the addition of missing information to incomplete personal data, for example by means of a supplementary statement. To exercise this right, you can contact us via conventional mail or email.

    Right to erasure

    You have the right to demand the erasure without delay of your personal data if one of the conditions specified in Article 17 GDPR applies. To exercise this right, you can contact us via conventional mail or email.

    Right to restriction of processing

    You have the right to demand restriction of processing if one of the conditions specified by Article 18 GDPR applies. To exercise this right, you can contact us via conventional mail or email.

    Right to notification

    If you have exercised your right to rectification or erasure of data or to restriction of processing, the data controller is obliged to notify all recipients of your personal data of the corresponding rectification or erasure of data or restriction of processing, unless notification proves to be impossible or would entail unreasonable effort or expense. You have the right to be informed of these recipients by the data controller.

    Right to portability

    You have the right to receive personal data which you have provided to us in a structured, commonly used and machine-readable format and you have the right to transfer these data to another controller without hindrance from us where the conditions specified by Article 20 GDPR apply. To exercise these rights, you can contact us via conventional mail or email.


    Right to object to processing on the basis of legitimate interest

    Insofar as we, i.e. under exceptional circumstances, process your personal data on the basis of Article 6 (1) f) GDPR (on account of legitimate interest), you have the right at any time for grounds relating to your particular situation to object to the processing of your personal data. If we cannot demonstrate the existence of valid and compelling grounds for continued processing that would override your interests, rights or freedoms, or if we process the corresponding data in the pursuit of direct advertising/marketing, we shall no longer process your data (see Art. 21 GDPR). To exercise these rights, you can contact us via conventional mail or email.

    An objection in this context shall also be any technical method employed by you, e.g. a clearly expressed technical message transmitted to us by your browser (do-not track message).


    Right to withdraw consent

    You have the right at any time to withdraw consent to the future collection and use of personal data. To exercise this right, you can contact us via conventional mail or email. This does not affect the lawfulness of the processing carried out with your consent prior to your withdrawal.

    Automated individual decision-making, including profiling

    You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. However, this does not apply if the decision is necessary for entering into, or performance of, a contract between you and us; the decision is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or the decision is based on your explicit consent.
    We do not make use of automated decision-making.

    Data provided voluntarily

    If the provision of personal data is a statutory or contractual requirement, we draw attention hereto when collecting such data. In some instances, the collection of data is necessary to conclude a contract, i.e. if we would not otherwise be able to fulfil or adequately fulfil our contractual obligations to you. There is no obligation on your part to provide personal data. However, the non-provision can lead to us being unable to provide or offer a product, service, action, measure, or similar, or us being unable to conclude a contract with you.

    Right to complain to a supervisory authority

    If you believe that your personal data are being processed in breach of the GDPR, you have the right at any time, without prejudice to other rights, to lodge a complaint with a data protection supervisory authority, in particular, in the member state in which you live or work or in which the suspected breach of the GDPR is taking place.

    The authority responsible for us is: The Baden-Württemberg State Data Protection Officer (Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg), Königstrasse 10A, 70173 Stuttgart, Germany; website: www.baden-wuerttemberg.datenschutz.de.

    Data privacy notice last updated: 25 May 2018