We take the protection and security of your personal data seriously and would like you to feel secure when visiting our website and using our internet services. It is therefore important to us that you know what personal data is processed when you use our internet services.
Purposes for which your personal data are processed and legal bases for their processing
“Personal data” refers to any information relating to an identified or identifiable natural person. In the following cases, we process personal data from you relating to your use of our website for the purposes stated below and based on the legal basis mentioned:
- Processing of personal data for contacting you:
When you use our contact forms, we process your personal data to process your request. These are your salutation, title, surname, first name, e-mail address and phone number as well as your specific request. Legal basis for processing your personal data: Consent in accordance with point (a), Art. 6(1) EU GDPR.
- Processing of personal data for marketing or advertising purposes:
To receive our newsletter (promotional information e-mail), you must subscribe to it, for which we process your personal data. These data are your salutation, surname, first name and e-mail address. Legal basis for processing your personal data: Consent in accordance with point (a), Art. 6(1) EU GDPR. (See also below: E-mail distribution via rapidmail)
- Processing of personal data for the purposes of your application:
For submitting an unsolicited or targeted application for one of our vacancies, we provide an E-mail address on our website to which we ask you to send your application documents. For the purposes of receiving and processing your application, we process your personal data depending on the extent of the personal data that you submit. Please also note our Information sheet for applicants. Legal basis for processing your personal data: Decision or establishment of an employment relationship in accordance with Para. 26 of the German Federal Data Protection Act (Bundesdatenschutzgesetz). You are welcome to send us your application documents in an access-protected file. In that case, please contact us and provide us with the password(s) required to open your application documents.
- Processing of personal data for the purpose of investigating and prosecuting violations or misuse of our online offers:
We identify and track breaches or misuse of our online offers or telecommunications services and facilities, for which we process your personal usage data. These are the IP address of the requesting computer, date and time of access, name and URL of the file accessed and the website from which access is made (referrer URL). Legal basis for processing your personal data: Legitimate interest of the controller in accordance with point (f), Art. 6(1) EU GDPR.
- Processing of personal data through cookies:
- Processing of pseudonymised usage data for the continuous improvement of our website (Matomo website analysis service):
We will process pseudonymised usage data via Matomo only if you have given us your consent to process pseudonymised usage data for the ongoing improvement of our website when you called up the website (for the use of an opt-in/opt-out cookie is required). Legal basis of processing of your data: Consent according to Para 15(3) Telemedia Act, point(a) Art. 6(1) EU GDPR or Para. 25(1) TTDSG.
If you gave us your consent to process pseudonymised usage data to tailor our website to your needs when you called up the website, you can
revoke this consent.
- Processing of personal data through embedded videos:
Videos stored on YouTube are embedded on our website. The controller and provider of the YouTube service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (https://www.youtube.com/t/impressum). If you use our 2-click solution to allow its usage by clicking on the “Accept and view YouTube video” link, YouTube/Google may process personal data such as your IP address and other data, including for the purpose of creating usage profiles. (Legal basis point (a) Para. 6(1)EU GDPR or Para. 25(1) TTDSG)
Furthermore, videos stored on Vimeo are embedded on our website. The controller and provider of the Vimeo service is Vimeo.com, Inc., 555 West 18th Street New York, New York 10011, USA (https://vimeo.com/leo/guidelines/impressum). If you use our 2-click solution to allow its usage by clicking on the “Accept and view YouTube video” link, Vimeo may process personal data such as your IP address and other data, including for the purpose of creating usage profiles. (Legal basis point (a) Para. 6(1) EU GDPR or Para. 25(1) TTDSG)
You are not obliged by law to provide us with your personal data when using our website. It is only necessary for concluding a contract if this has been stated above for the respective purposes of processing your personal data. We do not use your personal data that is processed through our website for automated decision making, including profiling.
Categories of recipients of personal data
Your personal data that is processed through our website will be transmitted or made accessible to other recipients only if this is necessary for the purpose of processing your personal data or if we have entrusted other recipients with the fulfilment of individual tasks or services and access to these personal data is thereby necessary or cannot be excluded. The categories of recipients of personal data processed through our website are:
- Internal departments involved in completing the respective business processes (e.g. Purchasing, Accounts, IT)
- Service providers for hosting, maintenance and administration of our applications or databases; this is currently 4th motion GmbH, Schleißheimer Straße 74, 80797 Munich, Germany
- External service providers for direct independent support of the respective business processes (e.g. courier or delivery service providers, tax consultants, auditors)
The transmission of your personal data processed through our website to the above recipients takes place with your consent in accordance with point (b) Art. 6(1) EU GDPR, provided this is necessary for the fulfilment of a contract or the implementation of pre-contractual measures with you in accordance with point (a) Art. 6(1) EU GDPR, due to the legitimate interests of the controller in accordance with point (f) Art. 6(1) EU GDPR, for order processing in accordance with Art. 28(1) EU GDPR or, if necessary, for the decision or establishment of an employment relationship in accordance with Para. 26 of the German Federal Data Protection Act.
In addition, your personal data that are processed through our website are transmitted to state institutions or authorities if we are obliged to provide information by law or as a result of a court order. Furthermore, your personal data that are processed through our website are transmitted to government institutions or authorities if this is necessary to prosecute criminal offences against us as the injured party and to prosecute disruptions or misuse of our online offers or telecommunications services and systems or to assert, exercise or defend civil law claims (legal basis for processing your personal data: legitimate interest of the controller in accordance with point (f) Art. 6(1) EU GDPR, processing for other purposes by non-public bodies in accordance with Para. 24(1) of the German Federal Data Protection Act).
Transfer of data to recipients in a third country or to an international organisation
We do not transfer your personal data processed via our website to recipients in a third country or to international organisations.
Duration of storage of pseudonymised usage data
Your personal data processed through our website will only be stored for as long as is necessary to fulfil the purposes for which they were processed. In addition, your personal data processed through our website will be stored if required by law, the articles of association or contractual retention periods. For example, personal data relevant to tax law are usually stored for a period of 10 years; other personal data are usually stored for a period of 6 years in accordance with commercial law regulations.
Information on your rights as a data subject
In general, and with respect to your personal data processed through our website, you may exercise the rights set out below:
- Right of access in accordance with Art. 15 EU GDPR:
You have the right to request information from the controller about the personal data stored about you and other information relating to this personal data.
- Right to rectification in accordance with Art. 16 EU GDPR:
You have the right to obtain from the controller rectification of inaccurate personal data concerning you.
- Right to erasure in accordance with Art. 17 EU GDPR:
You have the right to obtain from the controller the erasure of personal data concerning you.
- Right to restrict processing in accordance with Art. 18 EU GDPR:
You have the right to request the controller to restrict the processing of personal data concerning you.
- Right to data portability in accordance with Art. 20 EU GDPR:
You have the right to receive your personal data from the controller in a structured, commonly used and machine-readable format.
- Right of revocation in accordance with Art. 7(3) EU GDPR:
You have the right to withdraw your consent given in accordance with point (a) Art. 6(1) to the processing of your personal data at any time. Your withdrawal of consent does not affect the lawfulness of processing based on your consent before its withdrawal.
- Right to object in accordance with Art. 21(1) EU GDPR:
You have the right to object at any time to the processing of your personal data in accordance with Art. 6(1) point (e) or (f) EU GDPR.
- Right to lodge a complaint with a supervisory authority in accordance with Art. 77 EU GDPR:
If, as data subject, you consider that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. Competent supervisory authority: Bavarian Data Protection Authority, Promenade 27 (Schloss), 91522 Ansbach, Germany; Phone: +49 981 531300, Fax: +49 981 53981300, E-mail: email@example.com.
The exercise of your rights to cancellation, restriction of processing, revocation or objection may mean that you can use our website or other services that we provide only to a limited extent.
E-mail distribution via rapidmail
We regularly send out Gasteig-related mailings per e-mail, for which we use the services of the Freiburg-based company rapidmail on the basis of a processing agreement pursuant to Art. 28 GDPR. Service provider: rapidmail GmbH, Wentzingerstraße, 21, 79106 Freiburg, Germany. By subscribing to our information e-mails, you agree to receive those e-mails from us and to the procedures given below. The legal basis for data processing after signing up is your consent in accordance with point (a) Art. 6(1) GDPR.
The legal basis for sending the newsletter as a result of the sale of goods or services (in the case of existing customers) is point (f) Art. 6(1) GDPR in conjunction with Para. 7(3) UWG.
Your data will be used exclusively for sending Gasteig mailings by e-mail and will not be passed on to third parties except for rapidmail for the purpose of order processing. An exception exists if there is a legal obligation to disclose the data. The data you enter will be stored on the servers of rapidmail in Germany; the data will not be transmitted to third countries. Further data protection information at https://www.rapidmail.de/datensicherheit
“Double opt-in” procedure: To verify that a sign-up for Gasteig e-mails is made by the actual owner of an e-mail address, we use a “double opt-in” procedure. When you sign up, you will receive a confirmation e-mail to the e-mail address you have registered with. Your subscription only becomes active once you click the link in this confirmation e-mail. The IP address of the calling computer and the date and the time of activation are recorded. This serves to prevent misuse of the services or the e-mail address of the data subject. The legal basis for this is point (f), Art. 6(1) GDPR.
Relevant content: With our mailings, we want to provide you as much as possible with information that is interesting for you. That is why you can select personal interests when you sign up. Clicking on these filters is optional; the only mandatory information when you sign up is your e-mail address.
Evaluation: Usage data is analysed for all Gasteig mailings. The recipient’s IP address, the time, whether the e-mail has been opened and the clicks are recorded. This information helps us improve our mailings for you by including relevant content and ensuring flawless rendering. The legal basis for this analysis is your consent to this newsletter analysis in accordance with point (a) Art. 6(1) GDPR. The links in the e-mails are tracking links that can be used to count clicks. This is done using a so-called tracking pixel, which connects to rapidmail’s servers when the e-mail is opened.
Unsubscribe/revoke consent: You can unsubscribe from Gasteig mailings and revoke your consent to the storage of personal data at any time. At the end of each e-mail you will find an Unsubscribe link, on which you can click to cancel your subscription. You can also write an e-mail with your request to unsubscribe to the contact given. After unsubscribing and revoking of your consent, your data will also be deleted from the servers of rapidmail.
Gasteig Magazine subscription and delivery
On this website, you can subscribe to our free Gasteig Magazine. The printed magazine is sent out monthly by post. It contains information about the month’s programme as well as articles all around the Gasteig’s programme and activities.
When you request the Gasteig Magazine, the subscription order form transmits the following personal data to us: your name, address, e-mail address and telephone number (if specified). Your name and address are required to be able to deliver the magazine. The remaining contact details are used to contact you in the event of delivery problems. To send the Gasteig Magazine, it is necessary for us to pass on your address to companies that we use to deliver the programme booklets. Processing of the data entered in the subscription order form is based exclusively on your consent (point (a), Art. 6(1) GDPR).
You can revoke this consent or cancel your subscription to the Gasteig Magazine at any time: either with an informal e-mail to firstname.lastname@example.org or by post to Gasteig München GmbH, Abteilung Kommunikation, Rosenheimer Straße 5, 81667 München. Your withdrawal of consent does not affect the lawfulness of processing based on your consent before its withdrawal.
When you submit the form, the following data is also collected: date and time of registration. This is necessary to record your consent. The legal basis for data processing is point (f) Art. 6(1) GDPR.
Your data will be deleted when no longer required for the purpose for which it was collected (e.g. when you cancel your subscription) or until you request us to delete it or revoke your consent to its storage, unless we are required by law (e.g. statutory retention periods) to keep it.
Video observation and video surveillance
You can find information on video observation and video surveillance in accordance with Article 13 of the European General Data Protection Regulation on a separate page.
You can find information obligations regarding the processing of personal data of suppliers to Gasteig München GmbH in accordance with Article 13 of the European General Data Protection Regulation (EU GDPR) on a separate page.
Secure transmission of personal data through SSL encryption
Personal information that you submit via our website and the internet is encrypted using the Secure Socket Layer (SSL) encryption technology. SSL technology encrypts and protects your personal data when it is transmitted via our website and the Internet. Our website may contain links to other websites. If you use such links, you will automatically be taken to another website for whose privacy policies we assume no responsibility. For your own safety, you should carefully read the privacy policies of the websites concerned.
Contact details of the Data Protection Officer
Data Protection Officer of Gasteig München GmbH
TÜV SÜD Sec-IT GmbH
As at: Octobre 2023