State Palaces and Gardens of Baden-Wuerttemberg
Staatliche Schlösser und Gärten Baden-Württemberg

"Monument BW" APPDATA PROTECTION INFORMATION

This app for "Monument BW" (hereinafter referred to as “the app”) is provided by Staatliche Schlösser und Gärten Baden-Württemberg, Schlossraum 22a, 76646 Bruchsal (hereinafter referred to as “we” or “us”) as the controller as defined by the applicable data protection laws.

We process your personal data when you use our app. In this instance, personal data means any information relating to an identified or identifiable natural person. In the following, we want to let you know which personal data we process when you use our app and how we handle this data. Moreover, we want to inform you about the legal basis for the processing of your data if this processing is necessary for the purposes of the legitimate interests pursued by us, as well as regarding our legitimate interests.
   
You can access this privacy policy at any time in the app by tapping the “Data protection” menu item.

A. OUR CONTACT INFORMATION AND GENERAL INFORMATION ON OUR DATA PROCESSING

NAME AND CONTACT INFORMATION FOR THE CONTROLLER

The following entity is responsible for the collection and use of personal information in the sense of the data protection law.

Staatliche Schlösser und Gärten
Baden-Württemberg – Zentrale
Schlossraum 22a
76646 Bruchsal, Germany

represented by CEO Manuel Liehr

Phone +49(0)72 51.74 -27 27
Fax +49(0)72 51.74 -27 11

E-mail info@ssg.bwl.de 
Web: http://www.schloesser-und-gaerten.de 

You can find more information about us on our website at http://www.schloesser-und-gaerten.de/wir-ueber-uns/impressum/.

CONTACT INFORMATION FOR THE CONTROLLER'S DATA SECURITY OFFICER

Official Data Security Officer
Vermögen und Bau Baden-Württemberg
Betriebsleitung
Rotebühlplatz 30
70173 Stuttgart, Germany

 

Phone +49(0)711 / 6673 - 3521
E-mail address datenschutz@vbv.bwl.de

LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

When we process personal data, the following applies in general:

  • When we have obtained your consent for processing operations for the processing of your personal data, Article 6(1)(a) of the EC General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.
  • When the processing of personal data is necessary for the performance of a contract, Article 6(1)(b) of the GDPR serves as the legal basis. This also applies when processing is necessary in order to take the required steps prior to entering into a contract.
  • When the processing of personal data is necessary for compliance with a legal obligation to which we are subject, Article 6(1)(c) of the GDPR serves as the legal basis.
  • When processing of personal data is necessary in order to protect your vital interests or the vital interests of another natural person, Article 6(1)(d) of the GDPR serves as the legal basis.
  • If the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, and these interests are not overridden by your interests or fundamental rights and freedoms which require protection of personal data, then Article 6(1)(f) of the GDPR serves as the legal basis for the processing.

DELETION OF DATA AND STORAGE PERIOD

We will generally delete or block personal data once the purpose of the storage of the data no longer applies. Furthermore, data may also be stored if this storage is permitted by the European or national legislative authorities in EU regulations, laws or other guidelines to which we as controller are subject. Data is also deleted or made unavailable to users once the storage period defined by the specified norms elapses as long as continued storage of the data is not required in order to conclude or perform a contract.
   
Specifically, this means:
When we process personal data on the basis of consent given to the processing of data (Article 6(1)(a) of the EC General Data Protection Regulation or GDPR), processing ends when you withdraw your consent, unless there is another valid legal reason for your data to be processed, which is the case when we are still authorized to process your data for the purpose of performance of a contract at the time when consent is withdrawn, or when data processing is necessary for the purposes of our legitimate interests (see below for further information).

If, in exceptional cases, we process data on the basis of our legitimate interests (Article 6(1)(f) of the GDPR) as part of considerations made prior to the processing, we store this data until these legitimate interests no longer apply, the consideration results in a different conclusion, or you object to the processing pursuant to Article 21 of the GDPR (see also the highlighted text under “Information on special right to object” under C.).

If we process data necessary for the performance of a contract, then we store this data until the contract has been completely fulfilled and settled and none of the claims from the contract can be asserted, meaning when the statute of limitations has elapsed. The general statute of limitations in accordance with Paragraph 195 of the German Civil Code (BGB) is three (3) years. However, certain claims, such as claims for damages, have a statute of limitations of 30 years (see Paragraph 197 of the BGB). If there is legitimate grounds to believe that this may be relevant in specific cases, we will save a data subject’s personal data for this period of time. The statute of limitations specified start at the end of the year (December 31) in which the claim arose and the creditor became aware of the circumstances giving rise to the claim and of the debtor, or must have become aware of them in the absence of gross negligence.

Here, we would like to point out that we are also subject to statutory retention obligations for tax and accounting purposes. In accordance with these obligations, we must store certain data, which could include personal data, as proof for the purposes of our accounting over a period of six (6) to ten (10) years. These retention periods override the obligations to delete data described above. The retention periods also begin at the end of the year in question, meaning on December 31 of that year.

SOURCE OF PERSONAL DATA

The personal data that we process is primarily provided to us by the data subject, for example when this person:
 

  • as a user of our app, transfers information on the end device such as an IP address or device information, to our web server.

Only in extremely rare cases do we receive the personal data that we process from third parties, for example in the event that a person is acting on behalf of a third party.

GENERAL CATEGORIES, PURPOSE AND LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

We process the following categories of personal data:
 

  • app user.

Depending on the category of data in question, we process personal data for the following purposes and in accordance with the legal basis specified as defined in the EC General Data Protection Regulation (GDPR):

User data:
We collect and process data from the users of our app in a pseudonymized format. It is not possible for us to connect this information to a specific individual. IP addresses are solely processed in an anonymized format. If, in exceptional cases, personal data is involved in this context, we only process this data for the purposes of our legitimate interests on the basis of Article 6(1)(f) of the GDPR. In this context, our legitimate interests are our interests in the security and integrity of the app and the data on our web server (in particular fault and error detection as well as tracking unauthorized access), as well as marketing interests and interests in statistical data (which allows us to improve the app as well as our services and offers). After careful consideration, we have come to the conclusion that data processing for the purposes of our legitimate interests as specified above is necessary, and that your interests or fundamental rights and freedoms which require protection of personal data do not override these interests.

B. SCOPE OF THE PROCESSNIG OF PERSONAL DATA

We only collect and use our users’ personal data when they use our app to the extent necessary for the use of our app as well as the provision of our content and services. In general, we only collect and use our users’ personal data with the users’ consent. One exception is in cases when it is not possible to obtain the user’s consent in advance for practical reasons and/or we are permitted to process this data within the scope of the law.

INFORMATION COLLECTED WHEN THE APP IS DOWNLOADED (APPLE APP STORE / GOOGLE PLAY STORE)

When you download the app, certain required information is transferred to the app store you used to download the app (e.g. Google Play or the Apple App Store); in particular, your user name, e-mail address, the customer ID for your account, the time at which you downloaded the app, your payment information, and individual device IDs may be processed. This data is solely processed by the app store in question and is outside of our control.

INFORMATION THAT IS AUTOMATICALLY COLLECTED WHEN YOU USE THE APP

When you use the app, we automatically collect certain information that is necessary for use of the app. This data is stored in log files on our server. This includes:
 

  • date and time at which the app was accessed,
  • date and time at which the app content was downloaded (for statistical purposes),
  • file(s) accessed,
  • quantities of data accessed/sent,
  • operating system used, version of the operating system used, and
  • user's anonymized IP address (while data is being transmitted / only saved for the duration of the session / deleted after a maximum of 24 hours).

This data is processed separately from other data. This data is not processed together with the user’s other personal data. It is not possible for us to connect this information to a specific person.
 

Purpose of data processing:
It is necessary for the system to temporarily process your data in order to provide you with this service and the corresponding functions, to improve the functions and characteristics of the app, and to prevent and/or remedy misuse and malfunctions. In order to do this, the user’s IP address must be stored during the entire session.
The data is stored in log files in order to ensure the functionality of the app. Furthermore, we use this information to optimize the services we offer and our app and to ensure that our information technology systems are secure. The data saved for these reasons is not used or evaluated for marketing purposes.

Legal basis for data processing:
This data processing is justified by the fact that (1) the processing is necessary for the performance of a contract between you as the data subject and us in accordance with Article 6(1)(b) of the GDPR in order for you to be able to use the app or (2) we have a legitimate interest in maintaining the functionality of the app and ensuring that it can be operated without errors or malfunctions, as well as in our ability to offer service in line with the market and in accordance with the wishes and needs of interested parties, and that this legitimate interest overrides your interest in the protection of your personal data in accordance with Article 6(1)(f) of the GDPR.

Duration of storage:
Data is deleted as soon as it is no longer required for the purpose for which it was obtained. In terms of the data collected for the provision of the app, this is the case as soon as the session in question ends. Data saved in the log files is deleted after 24 hours at the latest. It is possible that data could be stored for longer than 24 hours. In this case, the IP address of the user is deleted or anonymized so that it is no longer possible to associate it with the end device that accessed the website.

Options for objection and removal:
The collection of data required for the provision of the app and the storage of data in log files is essential in order to use the app. For this reason, the user cannot opt out.

MAP FUNCTIONS IN THE APP

The app includes a function that shows where the user is currently located on a map. This function is carried out purely locally on your mobile end device and only once you have given your consent. We do not process any location data or other personal data in connection with this function.

CREATION/COLLECTION OF YOUR PERSONAL NOTES

All personal files created by you are only stored on your mobile end device. There is no transmission to our servers and nothing is synchronized. This applies to the following content created within the app: notes, audio files, photos and videos taken using the app-internal camera function, as well as photos and videos uploaded to the app from your personal files. When you delete the app from your mobile end device, this data is also permanently deleted.

ENCRYPTION OF DATA TRANSMISSION

The app and all data transmitted via the app are encrypted in accordance with the SSL standard (HTTPS protocol).

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

Whilst it is not our intention, we cannot entirely exclude the possibility that personal data may be processed outside the EEA (European Economic area). Countries outside the EEA are also designated as third countries.

When you download our app from the provider of the respective app store of your choice (the Apple App Store or Google Play Store), your personal data (at least your IP address) may, where appropriate, be transmitted to the United States (US).  The data is not transmitted by our app and not on our behalf, but rather due to the fact that the providers exclusively operate the online distribution platforms on which apps can be downloaded.

These providers are the following companies: 

  • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA (“Google”) as provider of the Play Store for Android devices.
  • Apple Inc. One Apple Park Way, Cupertino, California, USA, 95014 as provider of the App Store for Apple and iOS devices.

Both providers refer to the standard data protection clauses of the European Commission (Article 46(2)(c) of the GDPR).

In addition, Google LLC is also certified by the EU-U.S. Data Privacy Framework (DPF), so that the transfer of data there is also permitted under the European Commission’s adequacy decision for the US.

C. RIGHTS OF THE DATA SUBJECT

When your personal data is processed, then you are the “data subject” and you have the following rights vis-à-vis us as the controller:

RIGHT TO REQUEST ACCESS

You have the right to obtain free confirmation from us as to whether we are processing your personal data. If this is the case, you have the right to request access to this personal data and also have the right to obtain further information as specified in Article 15 of the GDPR. You can contact us regarding this matter by mail or by e-mail.

RIGHT TO RECTIFICATION

You have the right to request that we immediately rectify your personal data in the event that this data is incorrect. You also have the right—taking into account the purposes of processing specified above—to request the completion of incomplete personal data—also by means of a supplemental statement. You can contact us regarding this matter by mail or by e-mail.

RIGHT TO ERASURE

You have the right to request the immediate deletion of your personal data if one of the conditions specified in Article 17 of the GDPR applies. You can contact us regarding this matter by mail or by e-mail.

RIGHT TO RESTRICTION OF PROCESSING

You have the right to request the restriction of processing of your personal data if one of the conditions specified in Article 18 of the GDPR applies. You can contact us regarding this matter by mail or by e-mail.

RIGHT TO INFORMATION

If you exercise your right of rectification, to erasure or to restriction of processing vis-à-vis the controller, the controller is obligated to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
You also have the right to be informed about those recipients by the controller upon request.

RIGHT TO DATA PORTABILITY

You have the right to receive the personal data that you have provided us with in a structured, commonly used and machine-readable format, and you have the right to transmit this data to another controller without hindrance by us if the conditions specified in Article 20 of the GDPR apply. You can contact us regarding this matter by mail or by e-mail.

RIGHT TO OBJECT TO PROCESSING DUE TO LEGITIMATE INTERESTS

If, in exceptional cases, we process personal data on the basis of Article 6(1)(f) of the GDPR (meaning for the purposes of legitimate interests), you have the right to object to the processing of your personal data by us at any time for reasons relating to your unique situation. If we cannot demonstrate any compelling legitimate grounds for the further processing of your data which overrides your interests, rights, and freedoms, or if we are processing the data in question concerning you for the purposes of direct marketing, we will no longer process your personal data (refer to Article 21 of the GDPR). You can contact us regarding this matter by mail or by e-mail.

If personal data are processed for the purposes of direct marketing, you have the right to object to the processing of the respective personal data for the purposes of such marketing; this also applies to profiling insofar as it is related to such direct marketing.

RIGHT TO WITHDRAW CONSENT

You have the right to withdraw your consent to the collection and use of your personal data with effect for the future at any time. You can contact us regarding this matter by mail or by e-mail. This does not alter the legality of the processing carried out on the basis of the consent until revocation.

AUTOMATED INDIVIDUAL DECISION-MAKING INCLUDING PROFILING

You have the right not to be subject to a decision based solely on automated processing—including profiling—which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision is necessary for entering into, or performance of, a contract between us and you; is authorized by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or is based on your explicit consent.
We do not make these kinds of automated decisions.

VOLUNTARY PROVISION OF PERSONAL DATA

As a rule, if the provision of personal data is a statutory or contractual requirement, we will inform you of such at the time when we obtain the personal data. Some of the data that we obtain is necessary for entering into a contract; specifically in the event that we are otherwise unable to meet or to sufficiently meet our contractual obligations to you. You are not obligated to provide us with your personal data. However, failure to provide data may result in us being unable to provide you with or offer you a desired service, action, measure, or the like, or make it impossible for us to enter into a contract with you. 

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

Without prejudice to any other rights, you have the right to lodge a complaint with a supervisory authority for data protection at any time, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you violates the GDPR.

The supervisory authority responsible for us is: Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Königstrasse 10a, 70173, Stuttgart, Germany, website: www.baden-wuerttemberg.datenschutz.de .


Our data protection information was last updated on: 10/05/2023