Privacy Policy



I. Responsibility, data protection official and scope of this information

Responsible for the personal data collected from users when visiting our website is the

ZKM | Center for Art and Media Karlsruhe
Foundation under public law

Lorenzstraße 19
76135 Karlsruhe

Tel: +49 (0) 721/8100-0
Fax: +49 (0) 721/8100-1139

Users (hereinafter also referred to as »you«) may also contact our Data Protection Officer with any questions regarding data protection at the ZKM (hereinafter also referred to as »we«). You can contact us by e-mail at or via:

Datenschutzbeauftragte/r des ZKM
c/o V-Formation GmbH
Stephanienstr. 18
76133 Karlsruhe
Telefon: +49 (0) 721/17029034

Subject of data protection are personal data. This is all information relating to an identified or identifiable natural person (the so-called data subject) who is the user of our website or the recipient of our newsletter. Such information is, for example, details such as name or e-mail address that the user can provide when registering for our newsletter. However, we also treat information that arises during a normal visit to our website (e.g. pages called up) as personal as long as it can be assigned to the user's Internet address (IP address) or in any other way to a natural person.

All personal data is processed by the ZKM in accordance with the relevant legal provisions, in particular the General Data Protection Regulation of the EU (also called GDPR for short) and the Baden-Württemberg Data Protection Act (LDSG).

This data protection notice applies only to the websites under the domain and to other ZKM websites that refer to this notice. In particular, the references do not refer to external websites of other providers to which links are provided on the ZKM website.

This privacy policy also does not apply to ZKM profiles on third party platforms such as social networks (e.g. Facebook, Twitter, Google+ or Instagram). For the profiles on these platforms, the data protection information of the respective platform operator as well as any special data protection information provided by the ZKM apply there.

If users who are not subject to or supervised by the ZKM post personal data on our website via third parties (e.g. mentioning names in blog articles), the users themselves are also responsible for this content in terms of data protection law. However, at the request of the person concerned, we will immediately delete inadmissible content from our website.

The ZKM's privacy policy is subject to regular changes, due, among other things, to the possible changing use of web technologies such as social media plug-ins. The data protection information available, when you visit the website, is authoritative in each case.

The content of any consent already given remains unaffected by any changes to the data protection information. In this case, amended data protection notices merely inform you about changed technical, organizational or legal framework conditions (such as, for example, about security measures adapted to the state of the art, new contact information or the rights of affected persons, some of which have been extended by the GDPR).


II. Data collected automatically when visiting the website

When you visit our website, the following information is usually automatically transferred from your browser to our server:

  • internet address (IP address) of the requesting computer at the time of the request
  • date and time of request
  • accessed web pages or files
  • transferred data volume
  • notification as to whether the request was successful or why it may have failed (error code)
  • operating system and browser software of the accessing computer, each including version
  • screen resolution and color depth of the accessing computer
  • browser settings like the set language
  • browser plugins (JavaScript, Flash Player, Java, Silverlight, Adobe Acrobat Reader etc.)
  • the previously visited website (referrer URL)
  • keyword with which the website was found, for example via Google.

We process these data on the basis of our legitimate interests within the meaning of Article 6 paragraph 1 sentence 1 letter f GDPR, namely

  • to provide our website,
  • to maintain the technical stability and security of our website, including the detection and resolution of malfunctions (e.g. by blocking a denial of service attack originating from a particular IP address),
  • for statistical evaluation of the use of the website with the aim of its demand-oriented design and improvement, and
  • to check for concrete indications of illegal use (e.g. suspicion of slander in the context of a blog provided or fraud in the context of the online shop).

When you visit our website, this data is collected automatically. Without this survey, our website cannot be used. We do not use this data for the purpose of drawing conclusions about the identity of the user, unless there are concrete indications of illegal use.

Generally, the collected data will be deleted after 7 days or made completely anonymous by deleting at least parts of the IP address, unless we exceptionally need it longer for the above-mentioned purposes. In such a case, we will delete or make the data completely anonymous immediately after it has been used.


III. Cookies

Cookies are used on the website to assign an identification code to your computer. Cookies are small text files (with the identification code) that are stored on the user's computer when a website is accessed. As plain text files, cookies cannot contain viruses or other malware.

Cookies serve to make websites more comfortable, efficient and secure. We use both transient and persistent cookies:

  • Transient cookies are automatically deleted when you close your browser. This includes in particular the session cookies. These store a so-called session ID, with which different requests of your browser can be assigned to the common session. This will allow your computer to be recognized when you return to our website. Session cookies are deleted when you log out or close your browser. A session cookie can be used, for example, to manage your shopping cart in our online shop.
  • Persistent cookies are stored after a browser session, but automatically deleted after a specified period, which may vary depending on the cookie. You can also delete cookies at any time in the security settings of your browser.

We generally do not use cookies to draw conclusions about the identity of the user, but only to identify his computer for the purposes described above. Exceptionally, the user can also be identified if he has entered his contact data during his visit to our website during which our cookie was set (e.g. in the online shop or during the press download).

We process the data in connection with cookies on the basis of our legitimate interests within the meaning of Article 6 paragraph 1 sentence 1 letter f GDPR, namely

  • to provide certain functionalities of our website and
  • for the statistical evaluation of the use of the website with the aim of its demand-oriented design and improvement.

Most browsers offer the possibility to display a warning before storing a cookie, to completely refuse the acceptance of cookies and/or to delete existing cookies again. However, the usability of the website may be restricted by such settings.

If you wish to refuse the processing of your data in connection with cookies, please refuse the acceptance of cookies via your browser or proceed with Google Analytics as described in the following section.

In particular, cookies are used at the following places on

  • Forms: If you use one of our forms (registration for a workshop; group booking request for guided tours and workshops; request for an event at ZKM; registration for the ZKM press distribution list), a cookie is automatically set. The form may then inform you that you have already submitted a form.
  • Press Download: There is an additional form for press representatives to download press material. If you wish, you can optionally set a cookie there, which remembers your contact data for a next download, so that you do not have to enter this data repeatedly.
  • Google Analytics: The use of cookies for Google Analytics is described in the next section.

If you confirm the active cookie hint with »Ok, understood« when accessing our website, which is displayed to you independently of this data protection hint, we can also set a cookie, which means that this hint will no longer be displayed to you for a period of one year.


 IV. Use of Google Analytics

This website uses Google Analytics, a web analysis service of Google Inc. (»Google«). Google Analytics also uses cookies, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of this website is usually transferred to a Google server in the United States and stored there. However, due to the activation of IP anonymization on this website, Google will reduce your IP address within the Member States of the European Union or in other states party to the Agreement on the European Economic Area so that it can no longer be assigned to a connection or user. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

This website also uses Google Analytics for a device-independent analysis of visitor flows, which is carried out via a user ID.

Google will use the collected information on behalf of ZKM to evaluate your use of the website, to compile reports on website activities and to provide ZKM with further services related to website and Internet use. Google may also transfer this information to third parties if this is required by law or if third parties process this data on behalf of Google. Google will not associate your IP address with any other data held by Google.

You may refuse the use of cookies by selecting the appropriate settings on your browser. You can also object to the collection of data by Google Analytics by installing a deactivation add-on ( for your browser.

We use Google Analytics to analyze and regularly improve the use of our website. We can improve our offer and make it more interesting for you as a user. For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield, The legal basis for the use of Google Analytics is our legitimate interest in the aforementioned analysis pursuant to Article 6 paragraph 1 sentence 1 letter f GDPR.

For more information about Google Analytics and how we process the information we collect about you, please see the following documents from Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001:

Terms and conditions of use:

Overview of data protection:

Data protection declaration:


V. Google Maps

On our website, we may use Google Maps to display locations and to create directions. This is a service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter only called »Google«.

If you use the Google Maps component of our website, Google stores a cookie on your device via your Internet browser. In order to display the locations and create route descriptions, the automatically generated usage data (see Section II above) as well as any additional information you may have voluntarily entered, in particular regarding your location, will be transmitted to Google and processed there. The connection to Google established in this way enables Google to determine in particular from which (namely our) website your enquiry has been sent and to which (namely your) IP address the route description is to be transmitted. We cannot exclude that Google uses servers in the USA.

The legal basis for this data processing is our legitimate interest in accordance with Article 6 paragraph 1 sentence 1 letter f GDPR. The legitimate interest lies in the optimization of the functionality of our Internet presence. Through certification according to the EU-US Privacy Shield, Google also ensures that data processing in the USA also complies with an appropriate level of data protection in accordance with the EU Commission.

If you do not agree to this processing, you have the option of preventing the installation of cookies by making the appropriate settings in your Internet browser. You will find details on this in the section »Cookies«.

In addition, Google Maps and the information obtained via Google Maps are used in accordance with the Goolge Terms of Use and the Terms and Conditions for Google Maps

Furthermore, Google offers at
for further information.


VI. Voluntary declaration of personal data

If you voluntarily provide personal data when visiting our website, for example in the context of an online form or when ordering our newsletter, the ZKM may process this data to respond to the enquiry or to send the newsletter. The legal basis for these purposes is the (pre-)contractual relationship upon your request (Article 6 paragraph 1 sentence 1 letter b GDPR) or your consent to the dispatch of the newsletter (Article 6 paragraph 1 sentence 1 letter a GDPR).

In addition, your form entries, in particular booking requests for guided tours or workshops, can also be used in at least pseudonymized form to improve and design our offer to meet your needs (e.g. by increasing the offer for services frequently requested in a certain period of time). The legal basis for these purposes is the legitimate interests of the CCNM (Article 6(1), first sentence, point (f GDPR).

You may revoke your consent to the processing of personal data, in particular your e-mail address for sending the newsletter, at any time by simple notification (by e-mail, fax or letter), or cancel the newsletter at any time by activating a link in each newsletter sent. In this case, your personal data will be deleted immediately by the ZKM. Further information on the newsletter can be found in the following section VI.

Personal data will not be passed on by us to third parties, unless you have given us your express prior consent or there is a legal permission to pass on data. If you have given your consent to the disclosure of your data, you can revoke this at any time by simple notification (by e-mail, fax or letter).


VII. Newsletter

With your consent you can subscribe to our newsletter, with which we inform you about the program currently offered by or in the ZKM.

After entering your e-mail address and first and last name, you will receive a confirmation link by e-mail. This leads you to a »Confirmation Site«, where you can select your individual interests (from exhibitions to art education to publications) as well as topics of interest to you (from fine arts to music to natural sciences and literature). You can change these settings yourself at any time.

In addition, we store your IP addresses and the time of registration and confirmation. The purpose of the procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data.

After your confirmation, we will save the data you provide for the purpose of sending you the corresponding newsletter. The legal basis is your consent in accordance with Article 6 paragraph 1 sentence 1 letter a GDPR.

You can revoke your consent to receive the newsletter at any time and unsubscribe from the newsletter. The easiest way to cancel your subscription is to click on the link provided in each newsletter e-mail.


VIII. Online store

a) Order processing

In order to enable the selection, ordering, payment, and delivery of products in our online store, we process your data as part of the ordering process. This processing is carried out for the purpose of providing contractual services in the context of the operation of our online store, for order processing, billing, delivery and for the provision of customer services. When placing an order via the online store, your master data, contact information, contract information, and invoice/payment information in particular will be processed.

The processing is based on Art. 6 (1) sentence 1 letter b of GDPR (execution of order transactions) or, insofar as the storage serves the fulfillment of legal storage obligations, Art. 6 (1) sentence 1 letter c GDPR. The information marked as mandatory fields in each case is required for the establishment and fulfillment of the contract. Without this data, we will be unable to execute the contract with you. You can additionally provide voluntary information that is not required for performance and execution of the order. The storage of the voluntary information is based on Art. 6 (1) sentence 1 letter f GDPR, as we have a legitimate interest in processing data voluntarily provided by you. You can object to the further processing of voluntarily provided data at any time, for example by sending a message to

We transmit your data to third parties only in the context of the order, in particular in payment processing and delivery, or in the context of legal rights and obligations. The data is only processed in third countries if this is necessary for the fulfillment of the contract (for example, delivery to a location outside the EU).

The deletion of the data you provided in the context of an order will take place after the expiry of relevant statutory warranty, statute of limitation, and retention obligations. Other information, such as your shopping cart or your merchandise display history, will be deleted no later than 24 hours after your last activity in the online store unless you have created a customer account. Data from canceled, non-deliverable, or rejected orders will be deleted after three months if the order is not assigned to a customer account.

b) Customer account

As a customer, you can optionally create an online customer account where you can, among other things, view your orders, set your default payment method, and manage your master data/contact information. The storage of the processed data is based on Art. 6 (1) sentence 1 letter b GDPR, as it serves the fulfillment of the contract concluded with you on the management of the customer account. This service is free of charge. You can object to the processing of voluntarily provided data at any time by deleting the respective data from your customer profile.

Customer accounts are not public and cannot be indexed by search engines. If you as a customer have requested the deletion of your customer account, data relating to this account will be deleted immediately unless its retention is required due to legal obligations or legitimate interests. You can prompt the deletion of your customer account at any time, in particular from your customer account. This will also end the contract for the provision of the customer account. We otherwise reserve the right to delete the customer account, usually after 3 years of inactivity, but only after a reasonable period of typically at least 14 days has elapsed. We will have informed you of this in advance by email.

As part of registration and renewed logins, as well as use of our online store, we reserve the right to store IP address and the time of the respective access. Storage is based on our legitimate interests in protecting against misuse and other unauthorized use of our online store (Art. 6 (1) sentence 1 letter f GDPR). In principle, this data will only be passed on to third parties if necessary to pursue our claims based on legitimate interests (Art. 6 (1) sentence 1 letter f GDPR) or if there is a legal obligation to do so (Art. 6 (1) sentence 1 letter c GDPR).

The “Stay logged in” function is intended to make your visit to our online store as pleasant as possible. This function allows you to use our online store without having to log in again each time. For security reasons, however, you will be asked to enter your password again if, for example, you want to change your personal information or place an order. We do not recommend that you use this function if your terminal device is used by multiple people. We would like to point out that the “Stay logged in” function is not available if your browser is set to automatically delete stored cookies after each session or if you do not give your consent to the use of comfort cookies.

c) Payment processing

In our online store, you can choose to pay by credit card, debit card, or PayPal.

To process these payment options, we cooperate with the following payment service provider:

  • PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg

Your payment data (name of your credit institution, IBAN, BIC) will be transferred to the payment service provider for the purpose of payment processing. We do not store your payment data ourselves.

For this reason, please observe the payment service provider’s data protection and security statements:

The legal basis for this data processing is Art. 6 (1) sentence 1 letter b GDPR, as payment processing is necessary for the fulfillment of our contract with you.

d) Shipping service provider

If we pass on your data to our shipping service provider, the legal basis for this is regularly Art. 6 (1) sentence 1 letter b GDPR, as a transfer of your data to shipping service providers is necessary for the execution and delivery of your order.

If you have expressly consented to the disclosure of your email address during the ordering process, we may transmit it to the shipping service provider for the purpose of delivery notification or coordinating the delivery date. The legal basis for this is your consent, Art. 6 (1) sentence 1 letter a GDPR. If you do not consent to the transfer of your email address, your email address will not be transmitted. Delivery notification and coordination of the delivery date will not be possible as a result.

We mainly use DHL Paket GmbH, Strässchensweg 10, 53113 Bonn, Germany as a shipping service provider. You should take note of its data privacy statements (the “Products and services” section in particular):

We also ship with Deutsche Post AG, Charles-de-Gaulle-Strasse 20, 53113 Bonn, Germany. You can access its privacy policy at the following link:


IX. Data protection for applications

Thank you for your interest in the ZKM I Center for Art and Media, and for your application. By sending us your application documents, you are providing us with personal data. We take the protection of your personal data very seriously, and have therefore taken measures to ensure that the regulations on data protection are observed.

a) What personal data is collected and where does it come from?

  • Your master data (e.g. first name, last name, titles, suffixes, gender, date of birth, salary bracket or pay group, if applicable)
  • Contact information (e.g. private address, (cell) phone number, e-mail address)
  • Qualification data (e.g. educational history, professional activities, evaluations, certificates, further education and training)
  • Special knowledge and skills, as relevant for the advertised position
  • Severely disabled status, if applicable
  • Work permit / residence permit, if applicable

You provide us with your personal data from the application documents as well as the interview.

b) For what purposes and on what legal basis is data processed?

We process your personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and the State Data Protection Act (LDSG). Your personal data will be processed exclusively for filling the specific position for which you have applied. The basis for this is Art. 6 (1) lit. b GDPR in conjunction with Art. 88 (1) GDPR in conjunction with Section 15 (1) LDSG. Processing is necessary in particular to ensure your fundamental right to equal access to a public office based on suitability, qualification, and professional performance (Article 33 (2) of the German Basic Law).

c) How long will your data be stored?

If you are hired, we will transfer your application documents to your personnel file. After termination of the employment relationship, we will continue store the personal data that we are legally obligated to retain. This regularly results from the legal obligations to produce proof and to preserve records. Then the storage periods are up to ten years. In the event of a rejection, your application documents will be deleted or destroyed no later than six months after completion of the application process.

d) Who receives your data?

Within the ZKM, your personal data will only be disclosed to those involved in the decision on your employment (responsible personnel managers, department representatives, staff council representatives). Your personal data will not be passed on to external third parties.

e) Are you required to provide your data?

We require your personal data to the extent that it is necessary for the hiring decision. The absence of relevant personal data in the application documents may mean that we will be unable to consider you in the hiring process.

f) Are automated individual case decisions or measures used?

We do not use purely automated processing to make a decision for or against your application.

g) What rights can you assert as a data subject?

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right of erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)

h) Right of revocation

If we process your data on the basis of a declaration of consent, you have the right to revoke this at any time effective for the future. The lawfulness of the processing carried out on the basis of your consent until revocation shall remain unaffected by the revocation.

i) Right to lodge a complaint

Baden-Württemberg State Commissioner for Data Protection and Freedom of Information
Königstrasse 10a
70173 Stuttgart, Germany

Phone: +49 (0) 711 615 541 0
Fax: +49 (0) 711 615 541 15



X. Recipients of personal data

We will only pass on your personal data to external third parties if this is necessary for the processing or handling of your request, if we have another legal permission or if we have your consent to do so. External recipients may in particular be service providers that we use for the provision of services, for example in the areas of technical infrastructure and maintenance of our website. Such contractors are carefully selected and regularly checked by us. You may only use the data for the purposes specified by us and in accordance with our instructions.

If data is transferred to entities whose registered office or place of data processing is not located in a member state of the European Union or in another state party to the Agreement on the European Economic Area, we will ensure that the recipient either has an adequate level of data protection or your consent to the transfer of data prior to the transfer, except in exceptional cases permitted by law.


XI. Storing time

We store your personal data only as long as this is necessary for the fulfillment of the purposes or – in the case of a consent – as long as you do not revoke the consent. In the event of an objection, we will delete your personal data unless further processing is permitted by the relevant statutory provisions or is even mandatory (e.g. within the framework of commercial and tax storage obligations). We delete your personal data even if we are obliged to do so for legal reasons.


XII. Rights as data subject

As a person affected by the data processing, you have numerous rights at your disposal. In particular, these are:

  • Right of information (Article 15 GDPR): You have the right to obtain information about your personal data stored by us.
  • Right of rectification (Article 16 GDPR): You can ask us to rectify incorrect data.
  • Right of deletion (Article 17 GDPR): You may request us to delete data that has been processed illegally in particular.
  • Restriction of processing (Article 18 GDPR): You may require us to restrict the processing of your data, in particular to »block« data whose processing is controversial.
  • Data transferability (Article 20 GDPR): If you have provided us with data on the basis of a contract or consent, you may request that you receive the data you have provided in a structured, current and machine-readable format or that we transmit it to another person responsible.
  • Objection to data processing on the legal basis of »legitimate interest« (Article 21 GDPR): You have the right to refuse data processing by us at any time for reasons arising from your particular situation, insofar as this is based on the legal basis of »legitimate interest«. If you exercise your right of objection, we will stop processing your data unless we can prove compelling reasons worthy of protection for further processing, which outweigh your rights. In the case of direct advertising or the use of cookies due to justified interests, we will generally observe your objection and stop the corresponding processing of your data. If you object to cookies, please note that you must take certain precautions in your browser as described above.
  • Revocation of consent (Article 7(3) GDPR): If you have given us consent to the processing of your data, you can revoke this at any time with effect for the future. The legality of the processing of your data until revocation remains unaffected by this.
  • Right of appeal to the supervisory authority (Article 77 GDPR): You may also lodge a complaint with the competent supervisory authority if you believe that the processing of your data violates applicable law. You can contact the data protection authority responsible for your place of residence or country or the data protection authority responsible for us.

You are only entitled to the rights described above on condition that the legal requirements applicable in this respect are fulfilled, even if this is not expressly mentioned in the above description.

If you have any questions regarding the processing of your personal data, your rights as a person concerned or any consent you may contact us free of charge. To exercise all your aforementioned rights, please contact or write to the address indicated in Section I above. Please ensure that we can uniquely identify you. You can also contact our data protection officer, also under the contact details mentioned in Section I.


Last updated: 10.05.2021