Table of contents

Privacy Policy

We appreciate your visit to our website. The following text informs you about which personal data we collect and what happens with the data when you visit our website. Personal data are all data by which you can be personally identified. You will also find information about your rights as a data subject arising from the EU General Data Protection Regulation (EU GDPR).

I. The Responsible Party Regarding the EU General Data Protection Regulation (EU GDPR) Is

Kunstmuseum Stuttgart gGmbH
Represented by the managing director Dr. Ulrike Groos
Kleiner Schlossplatz 13
70173 Stuttgart
info [at] kunstmuseum-stuttgart [dot] de (info[at]kunstmuseum-stuttgart[dot]de )
+49 (0)711 / 216 196 00

II. Data Protection Officer

Columbus Consulting
Dr. Inge Rötlich
Mahdentalstr. 82
71065 Sindelfingen
+49 (0)7031 / 418 090
datenschutz [at] columbus-consulting [dot] eu (datenschutz[at]columbus-consulting[dot]eu )

III. General Information on Data Processing

1. Scope of personal data processing

We process the personal data of our users only to the extent necessary for the provision of a functional website along with our content and services.

2. Encryption

This website uses an SSL encryption to protect the transmission of confidential content, such as requests that you send us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line. When this encryption is activated, the data that you transmit to us cannot be read by a third party.

3. Website provision and creation of log files

Each time you visit our website, our system automatically collects data and information from the calling computer. The following data is collected:

  • User IP address
  • Information about the browser type
  • Information about the browser type version used
  • User operating system
  • User Internet service provider
  • Date and time of the access
  • Website from which the user has reached our site
  • Websites that the system user visits from our website
  • Page views
  • Interactions

This data is stored in our system’s log files. This data is not stored together with other personal user data. The legal basis for this data processing is, on the one hand, our legitimate interest pursuant to Art. 6 para. 1 lit. f EU GDPR in the analysis of our website and its use, and, if applicable, also the legal permission to store data as part of the initiation of a contractual relationship pursuant to Art. 6 lit. b EU GDPR.

The stored date is used for the provision and functionality of the website and the analysis of user behavior.

There is a permanent storage of anonymized IP addresses in log files.

4. Processing of special data in accordance with Art. 9 GDPR

We process data pursuant to Art. 9 para. 2 GDPR if the processing is necessary us or the data subject to exercise the rights and comply with his or her obligations under labor law and social security and social protection law, to the extent permitted by European Union law or Member State law or a collective agreement under Member State law that provides appropriate safeguards for the fundamental rights and interests of the data subject.

No special personal data is processed in connection with this website.

IV. Cookies

Our website uses cookies within the scope of our legitimate interest in providing a technically flawless online offer and its optimization pursuant to Art. 6 para. 1 lit. f EU GDPR, so that our offer can be used better, more effectively, and more safely.

Cookies are small text files that a website stores on your computer. These can be, for instance, so-called session cookies, which are automatically deleted at the end of your visit to our website. There are also cookies that are permanently stored on your computer unless you delete them yourself. This enables us to recognize your browser the next time you visit our website and to make you appropriate offers. In your browser settings you can prevent any cookies from being stored whatsoever or when visiting certain websites. It is possible, however, that not all the functions of our website can be used then.

We use cookies to simplify the use of our website for users. The cookies are thus used to adopt language settings, to store search terms, as well as for the session ID and the cookie content tool. The cookies are also used to manage your settings and recognize cookie support.

We likewise use persistent cookies, that is, cookies that persist even after the browser is closed. Furthermore, we use analysis cookies to analyze users’ surfing behavior. For this purpose, we obtain consent from the user for the processing of personal data used in this context. For the analysis, the entered search terms, the frequency of the page views, and the use of website functions are transmitted.

What are the different types of internet cookies?

The question regarding which cookies we use in particular depends on the services used and is clarified in the following section of the privacy policy. Here we would like to briefly address the different kinds of HTTP cookies.

We can distinguish two types of cookies:

Functional Cookies

These cookies collect information about user behavior and whether the user receives any error messages. These cookies are also used to measure the loading time and the behavior of the website in connection with different browsers.

Targeting Cookies

These cookies provide a better user experience. Information such as entered locations, font sizes, or form data are stored.

How can I delete cookies?

You decide how and whether you want to use cookies. Regardless of which service or website the cookies come from, you always have the option to delete, disable, or only partially allow cookies. You can, for instance, block third-party cookies but allow all other cookies. If you want to find out which cookies have been stored in your browser or if you would like to change or delete cookies settings, you can do this in your browser settings:

Chrome: to delete, activate, or manage cookies in Chrome, see: https://support.google.com/accounts/answer/32050?co=GENIE.Platform%3DDesktop&hl=de

Safari: to manage cookies and website data with Safari, see: https://praxistipps.chip.de/safari-cookies-loeschen-so-gehts_35280

Firefox: to delete cookies in order to remove data that websites have stored on your computer, see: https://www.bitdefender.de/consumer/support/answer/12296/

Internet Explorer: to delete and manage cookies, see: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies

Microsoft Edge: to delete and manage cookies, see: https://support.microsoft.com/de-de/help/4027947/microsoft-edge-delete-cookies

If you categorically don’t want to have cookies, you can set your browser so that it always informs you when a cookie is to be set. This way you can decide for each individual cookie whether or not you allow the cookie. The procedure varies depending on the browser. The best way is to search for the instructions in Google with the search term, if for instance using a Chrome browser, “delete cookies in Chrome” or “deactivate cookies in Chrome.”

V. Newsletter

Our site offers an opportunity to subscribe to a free newsletter. The data you enter in the input mask will be transmitted to us. To subscribe to the newsletter, it is only necessary to specify your email address. Any further data is voluntary.

The following data is gathered when you subscribe to the newsletter:

  • Email address
  • First name, last name
  • Street adress, house number
  • ZIP  code/City/Town

Our system also automatically collects the following data:

  • IP address
  • Date and time of registration
  • URL of the login page

As part of the newsletter registration, you will receive a confirmation e-mail containing a link that you must click to complete the registration for our newsletter (double opt-in). the newsletter can be unsubscribed at any time by clicking on the unsubscribe link in each newsletter. The data you provide for the newsletter will be stored by us until you unsubscribe from the newsletter. We do not pass this data on to third parties. After unsubscribing from the newsletter, the data will be deleted. Data that has been stored by us for other purposes (e.g., e-mail address for registration) remains unaffected by this.

When sending the newsletter, user behavior is evaluated.

CleverReach

The website uses CleverReach for sending newsletters. The provider is the CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede. CleverReach is a service by which the newsletter distribution can be organized and analyzed. The data you enter for the purpose of receiving the newsletter (e.g., e-mail address) is stored on CleverReach’s servers in Germany or Ireland.

Our newsletter sent via CleverReach allows us to analyze the behavior of the newsletter recipients. We can, among other things analyze how many recipients have opened the newsletter message and how often which link in the newsletter was clicked. With the aid of so-called conversion tracking, we can also analyze whether a predefined action has taken place after clicking on the link in the newsletter. For further information on the data analysis by CleverReach-Newsletter please visit: https://www.cleverreach.com/de/funktionen/reporting-und-tracking/.

The data processing is based on your consent (Art. 6 para. 1 lit. a EU GDPR). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations already conducted remains unaffected by the revocation.

If you don’t want any analysis by CleverReach, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. Furthermore, you can also unsubscribe directly on our website.

The data you provide for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter, and after you unsubscribe from the newsletter, it will be deleted from our servers as well as CleverReach’s servers. Data stored by us for other purposes (e.g., e-mail addresses for the members’ area) remain unaffected by unsubscribing.

For further information, please refer to CleverReach’s privacy policy: https://www.cleverreach.com/de/datenschutz/.

We have a standing order-processing contract with CleverReach.

VI. Registration

We also offer journalists the opportunity to register on our website by providing personal data. The data is entered into an input mask and transmitted to us and stored. The data is not passed on to third parties. The following data is collected as part of our documentation:

  • First Name
  • Last Name
  • E-mail Address

The data collected during registration are stored by us until the user submits a delete request. Legal retention periods remain unaffected. You have the option of submitting a deletion request or a request to change data to customer service by e-mail. The legality of the data processing already conducted remains unaffected by the revocation.

VII. Online-Shop

Payment options in the online store

Payment in our online store is only possible by prepayment.

For this, the following data is collected for processing your order:

  • Last Name
  • First Name
  • Organization
  • Street, House Number
  • Postal Code, City
  • E-mail
  • Telephone Number

VIII. E-mail Contact

If you send us an inquiry by e-mail, your data will only be used for processing your inquiry. This data will not be passed on to a third party. In this case, the user’s personal data transmitted with the e-mail will be stored.

The processing of the data is based on your consent (Art. 6 para. 1 lit. a EU GDPR), which you have granted by sending the e-mail. You can revoke this consent at any time. For this purpose, sending us an informal communication by e-mail is sufficient. The legality of the data processing operations carried out up to the revocation remains unaffected by the revocation.

The data you send us in the e-mail remains stored by us until you ask us to delete it, you revoke your consent to store it, or the purpose for storing the data no longer applies (e.g., after we have completed processing your inquiry). Mandatory legal provisions—particularly the retention periods—remain unaffected.

IX. Analysis Tools and Advertising

This website uses the open-source web analytics service Matomo. The software provider is the company InnoCraft, 7 Waterloo Quay PO625, 6140 Wellington, in New Zealand. Matomo uses so-called “cookies.” These are text files that are stored on your computer and enable an analysis of your use of the website. For this, the information generated by the cookies about the use of this website is stored on our server. The IP address is anonymized before storage. Matomo cookies remain on your terminal device until you delete them.

The storage of cookies takes place on the basis of Art. 6 para. 1 lit. f EU GDPR. The website operator has a legitimate interest in the anonymized analysis of user behavior in order to optimize both its website and its advertising.

The information generated by the cookie about the use of this website will not be passed on to a third party. You can prevent the use of cookies by selecting the appropriate setting in your browser software; please note, however, that if you do this you may not be able to ensure the full functionality of this website.

The storage period of the data is 365 days.

If you do not agree to the storage and use of your data, you can deactivate the storing and use of your data here: https://matomo.org/docs/privacy-how-to/#step-3-include-a-web-analytics-opt-out-feature-on-your-site-using-an-iframe. An opt-out cookie is then stored on your browser, which prevents Matomo from storing usage data. If you delete your cookies, this results in the Matomo opt-out cookie also being deleted. The opt-out must be reactivated when you revisit our website.

X. Social Media

Twitter-Plugin

We use plugins from the service Twitter. The provider is Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. By using Twitter and the “re-tweet” function, the websites you visit will be linked with your Twitter account and disclosed to other users. Data is also transmitted to Twitter in the process. Please note that we do not receive any knowledge about the content of the transmitted data or its use by Twitter. For further information, please consult Twitter’s privacy policy at: https://twitter.com/privacy.

You can change your privacy settings on Twitter in the account settings at https://twitter.com/account/settings.

Instagram-Plugin

We use plugins from the service Instagram. These functions are provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA.

When you are logged into your Instagram account, you can click on the Instagram button to link the content of our pages with your Instagram profile. This allows Instagram to associate the visit to our pages with your user account. Please note that we have no knowledge about the content of the transmitted data or its use by Instagram.

You can find further information on this in Instagram’s privacy policy: https://instagram.com/about/legal/privacy/.

Facebook-Plugins (Like & Share-Button)

We use plugins from the social network Facebook, whose provider is Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA. You can recognize the Facebook plugins by the Facebook logo or the “like button” on our website. For an overview of Facebook plugins, visit: https://developers.facebook.com/docs/plugins/.

When you visit our pages, a direct connection between your browser and the Facebook server is established via the plugin. Facebook thereby receives information that you have visited our webpage with your IP address. If you click Facebook’s “like button” while you are logged into your Facebook account, you can link the content of our pages with your Facebook profile. This way, Facebook can associate the visit to our pages with your user account. Please note that we have no knowledge of the content of the transmitted data or its use by Facebook. Further information is available in Facebook’s privacy policy at: https://de-de.facebook.com/policy.php.

If you don’t want Facebook to be able to associate your visit to our pages with your Facebook user account, please log out of your Facebook user account.

XI. Further Plugins and Tools

YouTube

We use plugins from the Google-operated YouTube webpage of YouTube, LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA.

If your habitual residence is in the European Economic Area or Switzerland, this service is provided to you by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. If your habitual residence is not in the European Economic Area or Switzerland, this service is provided to you by Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

For Google’s privacy policy, please visit http://www.google.de/intl/de/policies/privacy.

When you visit one of our pages equipped with a YouTube plugin, a connection to YouTube’s servers is established. This tells the YouTube server which of our pages you have visited. When you are logged into your YouTube account, you allow YouTube to associate your surfing behavior directly with our personal profile. You can prevent this by logging out of your YouTube account.

YouTube is used in the interest of an appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f EU GDPR.

Google Maps

We use the map service Google Maps via an API.

If you have your habitual residence in the European Economic Area or Switzerland, this service is provided to you by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. If your habitual residence is not in the European Economic Area or Switzerland, this service is provided to you by Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

You can find Google’s privacy policy at http://www.google.de/intl/de/policies/privacy.

To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transmitted to a Google server in the USA and stored there. We have no influence on this data transmission.

Google Maps is used in the interest of an appealing presentation of our online offers and in providing a means to easily find the places indicated by us on the website. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f EU GDPR.

XII. Your Data Protection Rights

If we process your personal data, you are a data subject within the meaning of the EU Data Protection Regulation. You are therefore entitled to the following rights:

Right to information (Art. 15 EU GDPR)

You can request information from us at any time, free of charge, about the personal data we have stored about you. In order to prevent misuse, identification of your person is required.

Right to rectification (correction) (Art. 16 EU GDPR)

You have the right at any time to have your personal data processed by us corrected and/or completed if it is incorrect or incomplete.

Right to erasure—“Right to be forgotten” (Art. 17 EU GDPR)

You have the right to the erasure of your personal data that has been processed by us. This applies in particular when the purpose for processing it has expired, a required consent has been revoked and no other legal basis exists, or our data processing is unlawful. We will delete your personal data immediately within the legal framework.

Right to restriction of processing (Art. 18 EU GDPR)

You can request the restriction of the processing of your data. Where the processing of the personal data concerning you has been restricted, such data may be processed—with the exception of its storage—only with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest or the Union or a Member State. If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller(s) before the restriction is lifted.

Right to notification (Art. 19 EU GDPR)

If you have asserted your right to rectification, erasure, or restriction of processing to the controller(s), the controller is obliged to notify each recipient to whom your personal data has been disclosed of any rectification, erasure, or restriction of process personal data, unless this proves impossible or involves a disproportionate effort. You have the right to be informed about these recipients by the person responsible.

Right to data portability (Art. 20 EU GDPR)

You have the right to receive from us the data we have stored about you in machine-readable format.

Right to object (Art. 21 EU GDPR)

You have the right to object, on grounds relating to your particular situation, at any time, to processing of personal data concerning you that is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on those provisions.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

Where personal data concerning you are processed for direct marketing purposes, you have the right to object, at any time, to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. This also applies to profiling, insofar as it is linked with such direct marketing.

If you object the processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.

Right to lodge a complaint with a supervisory authority (Art. 77 EU GDPR)

Irrespective of any other administrative or legal redress, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data concerning you infringes on the EU GDPR. You can assert this right to a supervisory authority in the Member State of your residence, workplace, or the location of the alleged infringement. In Baden-Württemberg, the responsible supervisory authority is the Baden-Württemberg State Commissioner for Data Protection and Freedom of Information:

Der Landesbeauftragte für den Datenschutz
und die Informationsfreiheit Baden-Württemberg
Königstrasse 10a
70173 Stuttgart
+49 (0)711 / 615 5 41 0
poststelle [at] lfdi [dot] bwl [dot] de (poststelle[at]lfdi[dot]bwl[dot]de)

The supervisory authority with which the complaint has been lodged shall inform the complainant(s) of the status and outcome of the complaint, including the possibility of a legal redress under Art. 78 EU GDPR.

XIII. Changes to the privacy policy

If a change to the privacy policy becomes necessary for legal or factual reasons, we will update this page accordingly. In doing so, no changes will be made to the consents given by the user.

XIV. Application procedure

The protection of personal data is an important concern for us. The handling of your data provided to us in accordance with the legal regulations, in particular those of the EU Data Protection Regulation and the German Federal Data Protection Act (BDSG).

1. Application information

We collect different types of information. These include in particular your personal data with contact information as well as a description of your education, professional experience, and skills. Moreover, you have the option of providing us with electronically stored documents, such as references or cover letters.

With your application you assure that the information you provide is true. Please note that any false statement or deliberate omission may constitute grounds for rejection or subsequent termination.

We do not require any information from you that is not usable under the General Equal Treatment Act (regarding race, ethnic origin, gender, religion or belief, disability, age, or sexual identity). We also do not ask you to provide information about illnesses, pregnancy, ethnic origin, political views, philosophical or religious beliefs, trade union membership, physical or mental health, or sex life. The same applies to content that is likely to infringe upon the rights of third parties (e.g., copyrights, press law, or general rights of third parties).

2. Collection, processing, use, and disclosure of your data

Personal data is only collected, stored, processed, and used for purposes related to your interest in current or future employment with us and the processing of your application. Data will not be passed on to third parties. In order to use the online application process, data such as name, address, telephone number, e-mail address, etc. is collected. This data is basically used to contact you regarding your application.

If your application is successful, the data provided may be used for administrative purposes related to employment.

Your online application will only be processed and noted by the relevant contact persons at our institution. All employees entrusted with data processing are obliged to maintain the confidentiality of your data.

3. Retention

If we are unable to offer you employment, we will retain the data you submit for up to six months for the purpose of answering questions related to your application and rejection. If the application is withdrawn by you, the deletion will take place immediately.

If, however, your application documents are fundamentally of interest and suitable employment is simply currently unavailable, we will ask for your consent to retain and store your data accordingly. This will enable us to contact you in the event of future job openings.

4. Data security

We attach great importance to the greatest security of our system and use modern data storage and security techniques to optimally protect your data. This includes measures such as anti-virus software or a firewall. Our security measures are of course continually improved in line with technological developments. Your data is transmitted in encrypted form and then stored in a database. All systems in which your personal data is stored are protected against access and are only accessible to a specific group of persons responsible for personnel.

5. Changes to the privacy policy

If we change the content of this privacy policy, we will announce these changes on our website.

6. Deletion of data, revocation of consent

You have the right at any time to request more detailed information about the data stored about you, to inspect this data, and to request that inaccurate data about you be corrected or that the stored data be deleted in part or in full.

You can revote your consent at any time with effect for the future. The relevant data will then be deleted immediately. In such a case, please send your revocation to datenschutz [at] columbus-consulting [dot] eu (datenschutz[at]columbus-consulting[dot]eu), stating your full name and e-mail address. The deletion may be replaced by a blocking of the data in the cases provided for by law.

XV. Communication via video conference systems

Privacy notice for online meetings, conference calls, and webinars via Jitsi Meet

We would like to inform you below about the processing of personal data in connection with the use of Jitsi Meet (hereinafter: Jitsi).

1. Purpose of processing

We use the tool Jisi to conduct telephone conferences, online meetings, video conferences and/or webinars (hereinafter: “online meetings”). Jitsi is an open-source software for online meetings that we use via a service provider by way of so-called order processing.

2. Responsible party

The responsible party for data processing directly related to the conduct of online meetings is the Stiftung Kunstmuseum Stuttgart gGmbH.

3. Which data is processed?

When you use Jitsi, several types of data are processed. When you participate in a Jitsi meeting, you will be asked for your name at the beginning of the meeting. This name is processed for the duration of your participation in the respective online meeting and then deleted.

Any audio, video, or chat content is also only processed during the respective online meeting.

The following personal data is subject to processing:

  • IP address: to conduct an online meeting, it is mandatory to process the IP address used by your end device. The logging of the IP address is deactivated on our Jitsi server.
  • Name of the meeting and password if necessary: When setting up an online meeting, the organizer selects a name for the meeting. In addition, a password can be provided for participation in the online meeting. This data is only processed until the end of the respective online meeting and then deleted. Please note, however, that the name of online meetings as well as the date, time, and duration of the online meeting may be restored locally in your browser. If you do not want to continue to see the data, you should clear your browser cache.
  • E-mail address: you can optionally specify an e-mail address. This e-mail address is then used to retrieve and display a profile photo from the Gravatar service. Gravatar profile photos are displayed only if a public gravatar image can be retrieved for the specified e-mail address.

4. Scope of processing

We use Jitsi to conduct online meetings. If we want to record online meetings, we will transparently communicate this to you in advance and—if necessary—ask for consent.

5. Legal bases for data processing

Insofar as employees’ personal data is processed, § 26 GDPR is the legal basis for data processing. If, in connection with the use of Jitsi, personal data is not required for the establishment, implementation, or termination of the employment relationship, but is nevertheless an elementary component in the use of Jitsi, the legal basis for data processing is Art. 6 para. 1 lit. f) GDPR. In such cases, our interest is in the effective implementation of online meetings.

For the rest, the legal basis for data processing when conducting online meetings is Art. 6 para. 1 lit. b) GDPR, insofar as the meetings are conducted in the context of contractual relationships.

If no contractual relationship exists, the legal basis is Art. 6 para. 1 lit. f) GDPR. Here, too, our interest is in the effective implementation of online meetings.

6. Recipient / Data sharing

Personal data processed in connection with participation in online meetings is generally not disclosed to third parties unless it is intended for disclosure. Please note that content from online meetings, as well as from face-to-face meetings, is often used to communicate information with third parties and is therefore intended for disclosure.

The technical service provider we use to operate Jitsi is also a recipient of data. We have entered into an order processing agreement with the service provider that complies with the requirements of Art. 28 GDPR. In particular, the service provider ensures that all necessary technical and organizational data security measures are complied with in accordance with Art. 32 GDPR.

If you have entered an e-mail address in the online meeting, then the service Gravatar of Automattic Inc. (USA) is called up. The use of Gravatar does not constitute any commissioned processing for us. The provider itself determines the purpose and means of data processing. If you have created an account with Gravatar, these terms and conditions apply.

7. Data processing outside the European Union

Data processing outside the European Union (EU) does not take place as a matter of principle. However, we cannot rule out the possibility that data is routed via Internet servers that are located outside the EU. This may be the case in particular if participants in an online meeting are located in a third country.

The data is, however, encrypted during transport over the Internet and this protected against unauthorized access by third parties.

If you have entered an e-mail address in the online meeting, then the service Gravatar of Automattic Inc. (USA) is called up. The servers of Automattic Inc. may also be located outside Europe.

Privacy policy for online meetings, telephone conferences, and webinars via Zoom

We would like to inform you below about the processing of personal data in connection with the use of Zoom.

1. Purpose of processing

We use the tool Zoom to host online events that you can register for. Zoom is a service provided by Zoom Video Communications, Inc., which is based in the USA.

2. Responsible party

The Stiftung Kunstmuseum Stuttgart gGmbH is responsible for data processing directly related to the implementation of the event.

Insofar as you call up the Zoom website, the provider of Zoom is responsible for data processing. However, calling up the Internet page is only necessary for the use of Zoom in order to download the software for the use of Zoom.

You can also use Zoom by entering the respective meeting ID and, if necessary, other access data for the meeting directly in the Zoom app.

If you do not want to or cannot use the Zoom app, then the basic functions can also be used via a browser version, which you can also find on Zoom’s website.

3. What data is processed?

When using Zoom, various types of data are processed. The scope of the data also depends on the data you provide before or during participation in an online event.

The following personal data are subject to processing:

  • First Name
  • Last Name
  • E-mail Address
  • Password (if single sign-in is not used)
  • Profile Picture (optional)

Meeting meta data:

  • Theme
  • Description (optional)
  • Participant IP address
  • Device/hardware information

For recordings (optional):

  • MP4 file of all video, audio, and presentation recordings
  • M4A file of all audio recordings
  • Online meeting chat text file

Text, audio, and video data: you may have the option of using the chat, question, or survey functions in an online event. In this respect, the text entries you make are processed in order to display them in the online event and, if necessary, to log them. To enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device will be processed accordingly for the duration of the online event. You can turn off or mute the camera and/or microphone yourself at any time via the Zoom applications.

To join an online meeting or enter the meeting room, you must at least provide information about your name.

4. Scope of processing

We use Zoom to conduct online events. If we want to record online events. We will transparently tell you in advance and ask for consent where necessary. The fact of recording will also be displayed to you in the Zoom app.

If it is necessary for the purposes of logging the results of an online event, we will log the chat content. This, however, will usually not be the case.

In the case of webinars, we may also process questions asked by webinar participants for the purposes of recording and following up webinars.

If you are registered with Zoom as a user, then online event reports (meeting metadata, phone dial-in data, webinar Q&A, webinar polling function) can be stored with Zoom for up to one month.

Automated decision-making pursuant to Art. 22 GDPR is not used.

5. Legal bases of data processing

The legal basis for data process when conducting an online event is Art. 6 para. 1 lit. b) GDPR, insofar as the event is conducted within the framework of contractual relationships.

If there is no contractual relationship, the legal basis is Art. 6 para. 1 lit. f) GDPR. There is our legitimate interest in the effective implementation of online events.

If the event is recorded, the legal basis is you r consent pursuant to Art. 6 para. 1 p. 1 a) GDPR.

6. Recipient / Data sharing

Personal data processed in connection with participation in online events will not be disclosed to third parties as a matter of principle, unless they are specifically intended to be disclosed.

Personal data processed in connection with participation in online events will not be disclosed to third parties as a matter of principle, unless they are specifically intended to be disclosed.

Your name and e-mail address are transmitted to Zoom in the course of registration. Metadata is also processed by Zoom.

7. Data processed outside the European Union

Zoom is a service offered by a provider from the USA. A processing of personal data therefore also takes place in a third country. We have entered into an order-processing agreement with the Zoom provider that complies with the requirements of Art. 28 GDPR.

An appropriate level of data protection is guaranteed on the one hand by the conclusion of the so-called EU standard contractual clauses. As additional protective measures, we have also configured our Zoom so that only data centers in the EU, the European Economic Area (EEA), or secure third countries such as Canada or Japan are used to conduct online meetings.

Zurück nach oben