Monuments 3D app HohentwielDATA PROTECTION INFORMATION

The “Monuments 3D” app (hereinafter “app”) is provided by Staatliche Schlösser und Gärten Baden-Württemberg, Schlossraum 22a, 76646 Bruchsal, Germany (hereinafter also “we” or “us”) as the controller as defined by the applicable data protection laws to users (hereinafter also “you”).

 

We process your personal data when you use our app. In this instance, personal data means any information relating to an identified or identifiable natural person. In the following, we want to let you know which personal data we process when you use our app and how we handle this data. Moreover, we want to inform you about the legal basis for the processing of your data if this processing is necessary for the purposes of the legitimate interests pursued by us, as well as regarding our legitimate interests.

You can access this privacy policy at any time in the app by tapping the "Data protection" menu item.

A. OUR CONTACT INFORMATION AND GENERAL INFORMATION ON OUR DATA PROCESSING

NAME AND CONTACT INFORMATION FOR THE CONTROLLER

The following entity is responsible for the collection and use of personal information in the sense of the data protection law.

Staatliche Schlösser und Gärten
Baden-Württemberg – Zentrale
Schlossraum 22a
76646 Bruchsal, Germany

represented by CEO Manuel Liehr

Phone +49(0)72 51.74 -27 27
Fax +49(0)72 51.74 -27 11
E-mail info@ssg.bwl.de 

You can find more information about us on our website at https://www.schloesser-und-gaerten.de/en/about-us/masthead.

CONTACT INFORMATION FOR THE CONTROLLER'S DATA SECURITY OFFICER

Official Data Security Officer
Vermögen und Bau Baden-Württemberg
Betriebsleitung
Rotebühlplatz 30
70173 Stuttgart, Germany

 

Phone +49(0)711 / 6673 - 3521
E-mail address datenschutz@vbv.bwl.de

General information on the legal basis for the processing of personal data

When we process personal data, the following applies in general:

  • When we have obtained your consent for processing operations for the processing of your personal data, Article 6(1)(a) of the EC General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.
  • When the processing of personal data is necessary for the performance of a contract, Article 6(1)(b) of the GDPR serves as the legal basis. This also applies when processing is necessary in order to take the required steps prior to entering into a contract.
  • When the processing of personal data is necessary for compliance with a legal obligation to which we are subject, Article 6(1)(c) of the GDPR serves as the legal basis.
  • When processing of personal data is necessary in order to protect your vital interests or the vital interests of another natural person, Article 6(1)(d) of the GDPR serves as the legal basis.
  • If the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, and these interests are not overridden by your interests or fundamental rights and freedoms which require protection of personal data, then Article 6(1)(f) of the GDPR serves as the legal basis for processing.

General information on the deletion of data and storage period

We will generally delete or block personal data once the purpose of the storage of the data no longer applies. Furthermore, data may also be stored if this storage is permitted by the European or national legislative authorities in EU regulations, laws or other guidelines to which we as controller are subject. Data is also deleted or made unavailable to users once the storage period defined by the specified norms elapses as long as continued storage of the data is not required in order to conclude or perform a contract.

 

Specifically, this means:

When we process personal data on the basis of consent given to the processing of personal data (Article 6(1)(a) of the EC General Data Protection Regulation (GDPR)), processing ends when you withdraw your consent, unless there is another valid legal reason for your data to be processed, which is the case when we are still authorized to process your data for the purpose of performance of a contract at the time when consent is withdrawn, or when data processing is necessary for the purposes of our legitimate interests (see below for further information).

 

If, in exceptional cases, we process data on the basis of our legitimate interests (Article 6(1)(f) of the GDPR) as part of considerations made prior to the processing, we store this data until these legitimate interests no longer apply, the consideration results in a different conclusion, or you object to the processing pursuant to Article 21 of the GDPR (see highlighted text under “Information on special right to object” under C.).

 

If we process data necessary for the performance of a contract, then we store this data until the contract has been completely fulfilled and settled and none of the claims from the contract can be asserted, meaning when the statute of limitations has elapsed. The general statute of limitations in accordance with Paragraph 195 of the German Civil Code (BGB) is three (3) years. However, certain claims, such as claims for damages, have a statute of limitations of 30 years (see Paragraph 197 of the BGB). If there is legitimate grounds to believe that this may be relevant in specific cases, we will save a data subject’s personal data for this period of time. The statute of limitations specified start at the end of the year (December 31) in which the claim arose and the creditor became aware of the circumstances giving rise to the claim and of the debtor, or must have become aware of them in the absence of gross negligence.

 

Here, we would like to point out that we are also subject to statutory retention obligations for tax and accounting purposes. In accordance with these obligations, we must store certain data, which could include personal data, as proof for the purposes of our accounting over a period of six (6) to ten (10) years. These retention periods override the obligations to delete data described above. The retention periods also begin at the end of the year in question, meaning on December 31 of that year.

General sources of personal data

The personal data that we process is primarily provided to us by the data subject, for example when this person:

  • as a user of our app, transfers information on their device, such as an IP address or device information, to our web server,
  • requests information from us as an interested party,
  • requests information, press releases, statements, and the like from us as a media representative and/or journalist.

 

Only in extremely rare cases do we receive the personal data that we process from third parties, for example in the event that a person is acting on behalf of a third party.

General categories, purpose and legal basis for the processing of personal data

We process the following categories of personal data:

  • app users,
  • interested parties,
  • media representatives.

 

Depending on the category of data in question, we process personal data for the following purposes and in accordance with the legal basis specified as defined in the EC General Data Protection Regulation (GDPR):

 

User data: We collect and process data from the users of our app in a pseudonymized format. It is not possible for us to connect this data to a specific individual. IP addresses are solely processed in an anonymized format. If, in exceptional cases, personal data is involved in this context, we only process this data for the purposes of our legitimate interests on the basis of Article 6(1)(f) of the GDPR. In this context, our legitimate interests are our interests in the security and integrity of the app and the data on our web server (in particular fault and error detection as well as tracking unauthorized access), as well as marketing interests and interests in statistical data (which allows us to improve the app as well as our services and offers). After careful consideration, we have come to the conclusion that data processing for the purposes of our legitimate interests as specified above is necessary, and that your interests or fundamental rights and freedoms which require protection of personal data do not override these interests.

 

Data of interested parties/media representatives: In the event that we process the data of persons interested in our services or of media representatives, this only occurs when such persons provide us with this data by filling out a form or sending us an e-mail for the purposes of submitting a request or an inquiry. You are not obligated to provide us with this information. We only process this data in order to process your request or inquiry. We process the information that you voluntarily provide us with for the purposes of finding out more information about our services as part of the steps required prior to entering into a contract in accordance with Article 6(1)(b) of the GDPR as well as on the basis of the consent you have given us by providing us with this information in accordance with Article 6(1)(a) of the GDPR.

General information on the recipients or categories of recipients of personal data

Your personal information is only shared with third parties or otherwise transferred if this is required for the functionality of the app or you have provided your consent prior to the transfer.

Scope of the processing of personal data via the app

We collect and use our users’ personal data during their use of our app only to the extent necessary for the use of our app as well as its content and functions. Generally, we only collect and use our users’ personal data with the users’ consent. One exception is in cases when it is not possible to obtain the user’s consent in advance for practical reasons and/or we are permitted to process this data within the scope of the law.

Information collected by the app store (Apple App Store / Google Play Store) during download

When you download the app, certain required information is transferred to the app store you used to download the app (e.g. Google Play or the Apple App Store); in particular, your user name, your e-mail address, the customer ID for your account, the time at which you downloaded the app, your payment information, and individual device IDs may be processed. This data is solely processed by the app store in question and is outside of our control.

 

Information on how the operator of the app store processes such data can be found in the respective app store's privacy policy.

INFORMATION THAT IS AUTOMATICALLY COLLECTED WHEN YOU USE THE APP

When you use the app, we automatically collect certain information that is necessary for use of the app. This data is stored in log files on our server.

This includes:

  • date and time at which the app was accessed,
  • date and time at which the app content was downloaded (for statistical purposes),
  • downloaded files (content),
  • quantities of data accessed/sent,
  • operating system and version,
  • app version,
  • the user's anonymized IP address.

 

This data is processed separately from other data. This data is not processed together with the user’s other personal data. It is not possible for us to connect this information to a specific person.

 

Purpose of data processing: It is necessary for the system to temporarily process your data in order to provide you with this service and the corresponding functions, to improve the functions and characteristics of the app, and to prevent and/or remedy misuse and malfunctions. In order to do this, the user’s IP address must be stored for the entire session.

The data is stored in log files in order to ensure the functionality of the app. Furthermore, we use this information to optimize the services we offer and our app and to ensure that our information technology systems are secure. The data saved for these reasons is not evaluated.

 

Legal basis for data processing: This data processing is justified by the fact that (1) the processing is necessary for the performance of a contract between you as the data subject and us in accordance with Article 6(1)(b) of the GDPR in order for you to be able to use the app and (2) we have a legitimate interest in maintaining the functionality of the app and ensuring that it can be operated without errors or malfunctions, as well as in our ability to offer service in line with the market and in accordance with the wishes and needs of interested parties, and that this legitimate interest overrides your interest in the protection of your personal data in accordance with Article 6(1)(f) of the GDPR.

 

Duration of storage: Data is deleted as soon as it is no longer required for the purpose for which it was obtained. In terms of the data collected for the provision of the app, this is the case as soon as the session in question ends. Data saved in the log files is deleted after 24 hours at the latest. It is possible that data could be stored beyond this window. In this case, the IP address of the user is deleted or anonymized so that it is no longer possible to associate it with the end device that accessed the website.

 

Options for objection and removal: The collection of data required for the provision of the app and the storage of data in log files is essential in order to use the app. For this reason, the user cannot opt out.

Geolocation / location tracking of the app as a central function

The app uses a geolocation to determine your position in order to perform functions central to the app, such as the 3D ego-mode during in-person visits. In this mode, the app needs to know exactly where your device is located and in which direction it is facing. To do so, the user device sensors are used in addition to the location. However, this information remains entirely on your device. No data is store by us or a third party.

 

Purpose of data processing: The temporary processing of locational data is necessary for providing the user with the basic functionality of the app. It is the primary function of the app to use location tracking so that you can experience an altered environment, showing the monument across various eras.

 

Legal basis for data processing: The temporary processing of your locational data is based on your consent according to Article 6(1)(a) of the GDPR, which you gave when you approved access requests to your device (access to camera, location). Such access granted to the app can also be revoked by you at anytime on your device.

 

Duration of storage: The locational data are only used while the app is being used in a corresponding mode and exclusively stored on your device. The data is not stored by us or a third party.

 

Options for objection and removal: The processing of locational data for the purpose of providing the 3D ego-mode and other similar services within the app and the temporary processing of tracking data are absolutely necessary for the use of the app in such a mode. You can prevent this type of data processing by not using such a 3D mode. You can also refuse to approve access to your device, or revoke previously approved access on your device, at any time.

Encryption of data transmission

The app and the data transmitted via the app are encrypted in accordance with the HTTPS, TLS 1.2 HTTPS protocol.

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES (NON-EU)

Whilst it is not our intention, we cannot entirely exclude the possibility that personal data may be processed outside the EEA (European Economic area). Countries outside the EEA are also designated as third countries.

When you download our app from the provider of the respective app store of your choice (the Apple App Store or Google Play Store), your personal data (at least your IP address) may, where appropriate, be transmitted to the United States (US). The data is not transmitted by our app and not on our behalf, but rather due to the fact that the providers exclusively operate the online distribution platforms on which apps can be downloaded.

 

These providers are the following companies:

 

  • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA (“Google”) as provider of the Play Store for Android devices.
  • Apple Inc. One Apple Park Way, Cupertino, California, USA, 95014 as provider of the App Store for Apple and iOS devices.

 

Both providers refer to the standard data protection clauses of the European Commission (Article 46(2)(c) of the GDPR).

In addition, Google LLC is also certified by the EU-U.S. Data Privacy Framework (DPF), so that the transfer of data there is also permitted under the European Commission’s adequacy decision for the US.

C. RIGHTS OF THE DATA SUBJECT

When your personal data is processed, then you are the “data subject” and you have the following rights vis-à-vis us as the controller:

RIGHT TO REQUEST ACCESS

You have the right to obtain free confirmation from us as to whether we are processing your personal data. If this is the case, you have the right to request access to this personal data and also have the right to obtain further information as specified in Article 15 of the GDPR. You can contact us regarding this matter by mail or by e-mail.

RIGHT TO RECTIFICATION

You have the right to request that we immediately rectify your personal data in the event that this data is incorrect. You also have the right—taking into account the purposes of processing specified above—to request the completion of incomplete personal data—also by means of a supplemental statement. You can contact us regarding this matter by mail or by e-mail.

RIGHT TO ERASURE

You have the right to request the immediate deletion of your personal data if one of the conditions specified in Article 17 of the GDPR applies. You can contact us regarding this matter by mail or by e-mail.

RIGHT TO RESTRICTION OF PROCESSING

You have the right to request the restriction of processing of your personal data if one of the conditions specified in Article 18 of the GDPR applies. You can contact us regarding this matter by mail or by e-mail.

RIGHT TO INFORMATION

If you exercise your right of rectification, to erasure or to restriction of processing vis-à-vis the controller, the controller is obligated to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.

You also have the right to be informed about those recipients by the controller upon request.

RIGHT TO DATA PORTABILITY

You have the right to receive the personal data that you have provided us with in a structured, commonly used and machine-readable format, and you have the right to transmit this data to another controller without hindrance by us if the conditions specified in Article 20 of the GDPR apply. You can contact us regarding this matter by mail or by e-mail.

Right to object to processing for legitimate interests

Insofar as we process personal information on the basis of Article 6(1)(f) of the GDPR (i.e. for legitimate interests), you have the right to object to the processing of your personal data by us at any time for reasons relating to your unique situation. If we cannot demonstrate any compelling legitimate grounds for the further processing of your data which overrides your interests, rights, and freedoms, or if we are processing the data in question concerning you for the purposes of direct marketing, we will no longer process your personal data (refer to Article 21 of the GDPR). You can contact us regarding this matter by mail or by e-mail.
 

If personal data are processed for the purposes of direct marketing, you have the right to object to the processing of the respective personal data for the purposes of such marketing; this also applies to profiling insofar as it is related to such direct marketing.

RIGHT TO WITHDRAW CONSENT

You have the right to withdraw your consent to the collection and use of your personal data with effect for the future at any time. You can contact us regarding this matter by mail or by e-mail. This does not alter the legality of the processing carried out on the basis of the consent until revocation.

 

AUTOMATED INDIVIDUAL DECISION-MAKING INCLUDING PROFILING

You have the right not to be subject to a decision based solely on automated processing—including profiling—which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision is necessary for entering into, or performance of, a contract between us and you; is authorized by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or is based on your explicit consent.
We do not make these kinds of automated decisions.

VOLUNTARY PROVISION OF PERSONAL DATA

As a rule, if the provision of personal data is a statutory or contractual requirement, we will inform you of such at the time when we obtain the personal data. Some of the data that we obtain is necessary for entering into a contract; specifically in the event that we are otherwise unable to meet or to sufficiently meet our contractual obligations to you. You are not obligated to provide us with your personal data. However, failure to provide data may result in us being unable to provide you with or offer you a desired service, action, measure, or the like, or make it impossible for us to enter into a contract with you.

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

Without prejudice to any other rights, you have the right to lodge a complaint with a supervisory authority for data protection at any time, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you violates the GDPR.

 

The supervisory authority responsible for us is: Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Königstrasse 10a, 70173, Stuttgart, Germany, website: www.baden-wuerttemberg.datenschutz.de

 

Our data protection information was last updated on: 10/05/2023