Table of contents
1. Purpose of data protection and legal framework
2. Server log data
3. Contact form/Email
4. Job applications
9. Embedded videos and social links, embedded third-party links
10. Recipients of personal data
11. Data processing in third countries
12. Retention policy
13. Your rights
14. Our Data Protection Officer
15. Safety and security
As the Data Controller responsible for www.zkm.de (hereinafter also referred to as the "Website"), we
ZKM | Zentrum für Kunst und Medien Karlsruhe
76135 Karlsruhe, Germany
Tel.: +49 (0) 721/8100-0
Fax: +49 (0) 721/8100-1139
(hereinafter also referred to as "we", "us" or "ZKM")
would like to inform you of relevant aspects of data protection law with respect to the use of the Website.
The processing of your personal data is performed exclusively within the framework of the provisions of the data protection law of the European Union, in particular the EU General Data Protection Regulation ("GDPR"), and also the Data Protection Act of the State of Baden-Württemberg ("LDSG BW") and other statutory provisions on data protection (hereinafter jointly referred to as "Data Protection Laws").
If you would like to read the GDPR for yourself, you can find a copy at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.
The purpose of data protection is to protect personal data. Personal data means all information relating to an identified or identifiable person ("data subject"). Therefore, your personal data includes all data that could be used to identify your person, e.g. your name, address, telephone number, or email address. Personal data also includes information that is of necessity generated by your use of our Website, e.g. the start, end and extent of your use, or your IP address.
Personal data are also collected in such cases where you provide this information to us when setting up member's access ("Login") or for the purposes of conducting a contractual relationship. Furthermore, personal data are collected insofar as you enter such information and content in your member's access and transmit this to us within the context of the member's dialog (profile data).
We only process your data where this is permitted by an applicable legal regulation. The legal basis for processing your data is, among others:
- Consent (Article 6(1)(1), point (a) GDPR): Certain data we use only on the basis of prior, explicit and voluntary consent which you have given us. You have the right to withdraw your consent at any time with effect for the future.
- Performance of a contract or steps necessary prior to entering into a contract (Article 6(1)(1), point (b) GDPR): We require certain data from you, in particular with respect to initiating or conducting a contractual relationship with ZKM.
- Compliance with a legal obligation (Article 6(1)(1), point (c) GDPR): We also process your personal data in order to comply with legal obligations, such as the directives of supervisory authorities or data retention requirements under commercial and tax law.
- Protecting legitimate interests (Article 6(1)(1), point (f) GDPR): ZKM will process certain data to protect its own interests or the interests of third parties. This only applies, however, if your interests are not overriding in the individual case.
Please be aware that this is not a complete or exhaustive list of possible legal bases, rather these are simply examples intended to make the legal framework provided for data protection laws more transparent. For further details regarding the legal framework for each instance where data are processed within the context of using our Website, please see the explanations in the clauses below.
When you visit our Website, the following information concerning your access may be stored:
- IP address of the end device making the request;
- Name of website and file accessed;
- HTTP response code;
- Website from which you are visiting the Website (Referrer URL);
- Date and time of server request;
- Browser type and version;
- Operating system used by the computer making the request;
- Search term used to find the Website, e.g. via Google.
We process these data on the basis of Article 6(1)(1), point (f) GDPR in order to make our Website available, to ensure correct operation of the technology, and for the safety and security of our IT systems. We are thereby pursuing our interest in facilitating the use of our Website and its technological functionalities and permanently maintaining such. These data are processed automatically when our Website is accessed. Otherwise, you will not be able to use our Website. We do not use these data for the purposes of drawing conclusions pertaining to your identity.
Generally, these automatically generated data are erased once they are no longer required for the purpose for which they were collected, except in individual cases where an alternative legal framework applies. In the case of the latter, we erase these data immediately after this alternative legal framework ceases to apply.
We cannot comply with any objections to the collection and storage of your server log data since these data are absolutely necessary in order to ensure the smooth operation of our Website.
On our Website, you have the option of getting in touch with us via a contact form. When you use this contact form, we collect and store the following data:
- First name;
- Email address;
- Your individual message.
If you contact us via email, we also process any data you may have voluntarily given us, such as your name and email address.
The data you transmit to us via our contact form are transmitted to us via a secure connection (for details, see Sec. 17). Our outgoing email communication is also encrypted for transmission using the TLS 1.3 standard. Your email communication to us may or may not be encrypted depending on the settings of your email server or provider. Your contact details are collected, processed and used solely for the purposes of receiving and, where applicable, responding to your inquiry. The processing of data transmitted within the context of communication via contact form or email is based on Article 6(1)(1), point (b) GDPR, if such communication pertains to the initiation or conducting of a contractual relationship with you, or alternatively Article 6(1)(1), point (f) GDPR. In the latter case, we have a legitimate interest in processing contact requests sent to us voluntarily.
We erase the data you have provided as soon as they are no longer required for the purpose for which they were collected, subject to compliance with statutory retention obligations that may still apply.
Where your data are processed on the basis of legitimate interests, you can object to the storage of your personal data at any time. In such case, we will no longer process your data unless we can prove that we have an overriding legitimate interest in this processing, or we are otherwise legally required to store your data. In order to exercise your right to object to storage, please contact us in writing via fax or email.
Please be aware, however, that we cannot guarantee complete data security in the event of communication via contact form and, in particular, via email. Therefore, we recommend sending your communication via secure means, such as ordinary mail, particularly with respect to confidential information.
On our website, we provide an overview of our current vacancies at https://zkm.de/en/about-the-zkm/job-offers, and also allow you to search for current vacancies with us. Alternatively, you can apply for an open position via email. You will find the relevant contact email in the job posting.
While your application is entirely voluntary, it must include the following documents in order for it to be taken into consideration in our application process:
- Cover letter;
- References and proof of previous experience.
Incomplete applications will not be considered.
We process the data you send us in connection with your application in order to assess your suitability for the position (or other roles available where applicable) and in order to carry out the application process.
The processing of your personal data in this application process is based on § 15 LDSG BW in conjunction with Article 6(1)(1), point (b) GDPR and is conducted for the purposes of preparing and, where applicable, performing an employment contract. We are permitted to process data after this time insofar as this is necessary in connection with our decision on whether to establish an employment relationship.
Storage of any additional information provided by the applicant voluntarily is based on Article 6(1)(1), point (f) GDPR since we have a legitimate interest in also processing the additional information you have provided voluntarily for the purposes of conducting the application process. You can object to the processing of data you have volunteered at any time with effect for the future, without specifying your reasons. In such case, we will no longer process your data unless we can prove that we have an overriding legitimate interest in this processing, or we are otherwise legally required to store your data.
Should these data be necessary after the conclusion of the application process, such as for the purpose of law enforcement, we may process data on the basis of Article 6(1)(1), point (f) GDPR for the purposes of protecting our legitimate interests. In such case, our legitimate interest consists in the exercise or defense of legal claims. In the event of a rejection, your data will generally be erased six months after we notify you of our decision.
In the event that you are offered a position during the application process, the data from the online application process will be transferred to our employee information system where they will be processed insofar as they are required in order to establish and conduct the employment relationship.
In principle, the only persons within the company who have access to your data are persons who require these data with respect to the standard application process.
In order that you can select, order, pay for and arrange delivery of products in our webshop, we process your data as part of our order processing. We do this for the purpose of rendering contractual services within the context of operating our webshop, for the purpose of order processing, billing and shipping, and for the purpose of providing customer service. The data we process when you place an order via the webshop include, in particular, your master data, contact details, contract information, and billing/payment information.
This processing is based on Article 6(1)(1), point (b) GDPR (order processing) or alternatively, where data are stored for the purposes of complying with statutory retention obligations, Article 6(1)(1), point (c) GDPR. All fields marked as mandatory/required must be filled in so that we can establish and perform the contract. Without these data, we will not be able to perform the contract with you. You may also volunteer additional information which is not necessary for the placing and execution of your order. Storage of this voluntary information is based on Article 6(1)(1), point (f) GDPR since we have a legitimate interest in processing the data you have volunteered. You can object to further processing of data you have volunteered at any time. One way of doing this is to send a message to firstname.lastname@example.org.
We will only ever transmit your data to third parties within the context of the order, and in particular for payment processing and shipping, or within the framework of statutory rights and obligations. Data are only ever processed in third countries where this is necessary for performance of the contract (e.g. for shipping orders to destinations outside the EU).
The data you provide in the context of making an order are erased once the relevant statutory warranty and retention obligations and relevant statutes of limitations have expired. Further data, such as your shopping basket or your item viewing history, are erased no later than 24 hours after your last activity in the webshop, unless you have set up a customer account. Data from abandoned, undeliverable or rejected orders are erased at the end of three months, unless the order can be matched to a customer account.
As a customer, you have the option of setting up an online customer account which you can use to view your orders and manage your master data/contact details etc. Our storage of the information we process in this context is based on Article 6(1)(1), point (b) GDPR since it serves the purpose of performing the contract we have concluded with you concerning management of your customer account. This service is free of charge. You can object to processing of data you have volunteered at any time by erasing the relevant data from your customer profile.
Customer accounts are not public and cannot be indexed by search engines. If you, as a customer, have requested that your customer account be deleted, the relevant data will be erased immediately unless they must be kept on the basis of legal obligations or legitimate interests. You can have your customer account deleted at any time, in particular by using the option in your customer account. This will also terminate your contract concerning the provision of the customer account. We also reserve the right to erase any customer account, generally after 3 years of inactivity, subject to an appropriate grace period (generally 14 days) which we will inform you of in advance via email.
With respect to registration, repeat logins, and use of our webshop, we reserve the right to store the IP address and time of access in each case. Storage is based on our legitimate interest in preventing misuse and other unauthorized use of our webshop (Article 6(1)(1), point (f) GDPR). In principle, we only ever forward these data to third parties insofar as this is necessary in order to pursue our claims on the grounds of legitimate interests (Article 6(1)(1), point (f) GDPR), or where we are required to do so by law (Article 6(1)(1), point (c) GDPR).
The "Remember me" function is intended to make your visit to our webshop as enjoyable as possible. This function allows you to use our webshop without having to log back in again every time. For security reasons, however, you will be requested to enter your password any time you change your personal data, for example, or if you wish to abandon an order. We recommend not using this function if multiple people use your device. Please note that the "Remember me" function will not be available if you have configured your browser to automatically delete stored cookies after each session, or if you do not consent to the use of comfort cookies.
In our webshop, you can choose to pay by credit card, direct debit, or PayPal.
In order to process payments using these payment options, we have partnered with the following payment services provider:
- PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg
Your payment details (name of your bank, IBAN, BIC) will be transferred to the payment services provider in this context for the purpose of processing payment. We do not store your payment information ourselves.
- PayPal (Europe) S.à r.l. et Cie, S.C.A., https://www.paypal.com/en/webapps/mpp/ua/privacy-full
The legal basis for this data processing is Article 6(1)(1), point (b) GDPR since processing your payment is necessary for performance of our contract with you.
Where we pass on your data to our logistics partner, the legal basis is generally Article 6(1)(1), point (b) GDPR since your data need to be transmitted to our logistics partner for the purposes of processing and shipping your order.
If you have explicitly consented, during the order process, to the forwarding of your email address, we may transmit this information to our logistics partner for the purposes of delivery notifications or arranging a delivery slot. The legal basis for this is consequently your consent, Article 6(1)(1), point (a) GDPR. If you do not consent to the forwarding of your email address, we will not transmit this information. It will consequently not be possible for you to receive delivery notifications or arrange a delivery slot.
Our newsletter contains information on the ZKM program and special events. You can subscribe on our Website, via email, or by filling out a flyer at the ZKM info desk.
If you subscribe to our newsletter via our Website at https://zkm.de/en/newsletter/subscribe, you must first enter your email address and first and last names and then confirm that you wish to receive the newsletter by checking the check box. You will then receive an email to the email address you have provided containing a confirmation link. This will lead you to a "Confirmation Site" where you can configure and save your personal interests (from events to arts education to publications), areas of interest (from visual arts to music, and from natural sciences to literature) and your preferred language (German or English). You can also confirm your subscription to the newsletter (Double Opt-In).
We only send the newsletter to persons who have completed the subscription process, i.e. with your consent on the basis of Article 6(1), point (a) GDPR. You will begin receiving our newsletter, with content filtered according to your interests, when the next issue comes out.
We also log and store the IP address you used and the time when you subscribed and confirmed your subscription. The purpose of this process is to verify your subscription and, where necessary, to clarify any potential misuse of your personal data. Recording your subscription and confirmation of your subscription and the processing of data required to do this are based on our legitimate interest pursuant to Article 6(1), point (f) GDPR. Our legitimate interest arises from the purposes indicated above.
If you subscribe to our newsletter via email or using one of the flyers available at our center, you provide us with your email address, first and last names, personal interests, areas of interest (see above) and preferred language (German or English) either by filling in the flyer or via email. If using the flyer, we kindly ask you to also provide your signature as confirmation. In the event that individual details are missing, such as your preferred language, we will ask you to provide this information via email. The data you provide will be entered into a database manually and you will begin receiving our newsletter, with content filtered according to your interests, when the next issue comes out. You are not required to provide additional confirmation.
Once you have confirmed your subscription, we will store the data you have provided for the purpose of sending you your personalized newsletter. The legal basis for this is your consent pursuant to Article 6(1)(1), point (a) GDPR.
We store your sign-up flyer and emails until you unsubscribe from our newsletter in order to verify your subscription and, where necessary, to clarify any potential misuse of your personal data. The legal basis is Article 6(1), point (f) GDPR. Our legitimate interest arises from the purposes indicated above.
You can withdraw your consent to receiving the newsletter and unsubscribe at any time. The easiest way to unsubscribe is to click on the link provided in each newsletter email.
We use a service provided by Rapidmail GmbH, Wentzingerstraße 21, 79106 Freiburg im Breisgau ("Rapidmail") to deliver our newsletter. In this regard, data are processed on our behalf on the basis of a data processing contract which we have concluded with Rapidmail. In this contract, Rapidmail undertakes to keep the data of our users safe, to only process them under our instructions, and in particular not to forward these data to third parties.
Rapidmail processes the email addresses of our newsletter subscribers and other subscriber data as described in this clause, and uses this information to send out the newsletter on our behalf. Rapidmail does not use the data of our newsletter subscribers to write to subscribers themselves or to pass on such information to third parties.
Information on privacy at Rapidmail can be found here: https://www.rapidmail.de/datenschutz.
Cookies are, generally speaking, small identifiers which our web server sends to your browser and which are stored on your computer, provided you have configured standard settings. These cookies can be used to determine whether your end device has already communicated with us. They thus serve the purpose of making the Website easier to use and streamlining our presence by allowing us to analyze the use of our Website. Cookies may be used by us or by third-party providers, such as our analytics, marketing and social media partners. Data processing is based on Article 6(1)(1), point (f) GDPR, or alternatively Article 6(1)(1), point (a) GDPR if you have explicitly consented to the use and storage of cookies. Personal data can then be stored in cookies where the technology requires this or you have given your consent. Recourse to other legal frameworks is explicitly reserved.
If you consent to the use and storage of non-essential cookies (see Sec. 7, points (b), (c), and (d)), you can withdraw this consent at any time with effect for the future via the cookie settings on our Website.
You can also block the storage of necessary cookies at any time by selecting "Block all cookies" in your browser settings. For details of how to manage and delete cookies via your browser settings, please refer to the Help function of your browser.
However, blocking the storage of all cookies may restrict the functionality of our Website.
a) Necessary cookies
We use necessary cookies to help our Website function. We have a legitimate interest in storing these cookies since otherwise we would not be able to offer certain basic Website functionalities (e.g. you would have to reconfigure Website settings every time you switch a page). You will find an overview of the necessary cookies we use in this table:
Saves whether or not cookies were accepted
Saves cookie category settings
Specifies the version of cookies that were accepted
Remembers the deactivation of the audio layer on the start page
The storage and use of necessary cookies is based on Article 6(1)(1), point (f) GDPR. You can only deactivate necessary cookies via your browser settings or browser add-ons. Please see the previous section for further details. This may restrict the functionality of our Website.
b) Functional cookies & External video cookies
We have embedded the YouTube and Vimeo platforms into our online presence. These videos are stored on https://youtube.com/ and https://vimeo.com/ and can be played directly from our Website. However, we have embedded our videos in "privacy-enhanced mode", i.e. data concerning you as a user is not transmitted to YouTube/Google unless you play one of the videos. Cookies are only used and user data transmitted once you click play on a video and accept "External video sources" in the cookie banner (see Sec. 11).
Additional cookies that are not absolutely required to use our Website still have important functions. They make browsing our Website more convenient. These comfort cookies allow a website to do things such as remember information, which can have an impact on how the website behaves or looks, e.g. prepopulated forms or the region where you are. You will find an overview of the functional cookies used on our Website in this table:
Offers advertising or advertising-related services such as data collection, behavior analysis or retargeting. Required to play YouTube videos on the website.
Saves whether a user has seen the dialog pop-up on the landing page.
Where you have given us your consent to do so, the storage and use of external video cookies is based on Article 6(1)(1), point (a) GDPR. Please see the previous sections for further details. You can withdraw this consent at any time with effect for the future via the cookie banner on our Website.
Where you have given us your consent to do so, the storage and use of comfort cookies is based on Article 6(1)(1), point (a) GDPR. Please see the previous sections and Sec. 8 below for further details. You can withdraw this consent at any time with effect for the future via the cookie banner on our Website.
c) Statistics cookies
Contains a randomly generated User ID. Using this ID, Google Analytics can recognize returning users of the Website and collate data from previous visits.
Contains a randomly generated User ID. Using this ID, Google Analytics can recognize returning users of the Website and collate data from previous visits.
Certain data are sent to Google Analytics at a maximum rate of once per minute only. The cookie has a lifetime of one minute. Certain transmissions of data are prohibited while this cookie is active.
Where you have given us your consent to do so, the storage and use of statistics cookies is based on Article 6(1)(1), point (a) GDPR. Please see the previous sections for further details. You can withdraw this consent at any time with effect for the future via the cookie banner on our Website.
We use the open source software Matomo to evaluate users' browsing behavior on our website. Matomo is operated by us and is therefore also subject to our sole control; the data collected is therefore not passed on to third parties.
We have configured Matomo with regard to data protection and, for example, only record IP addresses in anonymized form. We also only store user IDs or order numbers in anonymized form. In addition, we have enforced tracking without cookies in Matomo. This means that cookies are neither stored on end devices by our Matomo installation nor evaluated if they are already present on the end device. As a result, different visits to the website, even via the same end device, can usually no longer be assigned to each other.
During your visit to our website, we process the following data:
- Name of the retrieved website and file;
- The internet page from which you visit the website (referrer URL);
- Date and time of the server request;
- Browser type and version;
- Operating system used by the requesting end device.
We process these data on the basis of Article 6(1)(1), point (f) GDPR, in pursuit of our legitimate interest in analyzing visits to our website and measuring reach.
The data is deleted as soon as it is no longer required for our recording purposes. In our case, this is usually the case after 24 months.
Insofar as your data is processed on the basis of legitimate interests, you can object to the storage of your personal data at any time. In this case, we will no longer process your data unless we can prove an overriding legitimate interest in this or are otherwise legally obliged to store it. To exercise your right of objection regarding storage, please contact us in writing, by fax or by e-mail.
There are YouTube videos embedded on our website. This service is provided by the following companies (hereinafter also "third-party providers"). Data processing is based on your consent, insofar as you have given us such, and also on our legitimate interest. Our legitimate interest consists in the commercial operation of our Website and optimization of our entire online presence. Recourse to other legal frameworks is explicitly reserved.
- YouTube is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google" or "YouTube").
The YouTube videos embedded on our website, which are stored on http://www.youtube.com and can be played directly from our Website, are embedded in "privacy-enhanced mode". According to YouTube, this means that YouTube will not receive any data concerning you as a user unless you play these videos. If you activate an embedded video, a connection is established to the servers of the provider, YouTube, and certain information (e.g. your IP address) is sent to the provider, even if you are not registered with this provider. In principle, we do not receive any information on the type and scope of data collected by YouTube and do not have any control over how such data are used. Where you have consented to such, the YouTube services may also be used for the purposes of retargeting/remarketing (see Sec. 9 for details).
Further information on the purposes and scope of data collection and further processing and use of data by these third-party providers, and on your rights in this regard and how to configure your settings to protect your privacy can be found in the third-party providers' own privacy policies:
b) Social Links
On our Website, you will also find hyperlinks to our presences on the social networks and platforms Facebook, Twitter, Instagram, YouTube, Vimeo and LinkedIn. These services are provided by the following companies (hereinafter also "third-party providers"):
- Facebook and Instagram are operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
- Twitter is operated by Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland
- YouTube is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
- Vimeo is operated by Vimeo, Inc., 555 West 18th Street, New York, New York 10011, USA
- LinkedIn is operated by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland ("LinkedIn")
Information on the purpose and scope of data collection and further processing and use of data by these third-party providers, and on your rights in this regard and how to configure your settings to protect your privacy can be found in the third-party providers' own privacy policies:
If you do not want a third-party provider to be able to associate your clicks on a hyperlink leading to their presence with the user account you have with this provider, you must log out of the relevant service before clicking on such a hyperlink. Even if you are not registered with the third-party provider, there may be cookies that are used to send data to the third-party provider after their hyperlink is clicked on.
c) Links to third-party offerings
Where we link to websites and services ("offerings") of third parties, clicking on the hyperlink will redirect you to the offering of the respective third party.
We only ever forward your personal data to external recipients where this is necessary in order to handle or process your inquiry, or we have your consent to do so, or we have other permission to do so under law.
External recipients may include, in particular:
- Data processors: These are service providers who we engage to render services relating to our technical infrastructure or maintenance of our Website, for example. We carefully select and regularly review these data processors in order to ensure that your privacy is guaranteed. These service providers may only ever use the data they receive for the purposes we have specified and according to our instructions. We are authorized to make use of such data processors subject to our compliance with the legal requirements of Article 28 GDPR.
- Public agencies: These are public authorities, state institutions, and other public bodies, e.g. supervisory authorities, courts, public prosecutors, or financial authorities. Personal data are only ever transmitted to such public agencies where there exist legally compelling grounds to do so. The legal basis for such a transmission of data is Article 6(1)(1), point (c) GDPR.
- Non-public bodies: These are service providers and agents, to whom data are transmitted on the basis of a legal obligation or in order to protect legitimate interests, e.g. tax advisors or financial auditors. Such a transmission of data is thus based on Article 6(1)(1), point (c) and/or point (f) GDPR.
Insofar as we transmit your data to third countries outside of the EU or EEA according to the explanations above, we ensure prior to this transmission that, notwithstanding the exceptions permitted by law, the recipient has an appropriate level of data protection or you consent to this transmission of data. An appropriate level of data protection can be guaranteed by conclusion of EU standard contractual clauses, for example, or the existence of so-called Binding Corporate Rules (BCR). Please get in touch with us via one of the communication channels indicated under Sec. 15 if you would like a copy of the concrete guarantees we have in place for forwarding your data to third countries.
We only store your personal data for as long as this is necessary in order to fulfill the relevant purposes or – if you give your consent – until such time as you withdraw your consent. If you do withdraw your consent, we will stop processing your personal data unless we are permitted or required to continue processing according to the relevant statutory provisions (e.g. within the context of retention obligations under commercial and tax law). We will also erase your personal data where we are required to do so for legal reasons.
For further details of how long we store your personal data for, please see the relevant explanations in the sections above.
As a data subject, you have a number of rights. These rights are:
- Right of access (Article 15 GDPR): You have the right to receive information on the personal data we are storing concerning you.
- Right to rectification and erasure (Article 16 and Article 17 GDPR): You can request that we rectify incorrect data and – provided the legal requirements are satisfied – that we erase your data.
- Right to restriction of processing (Article 18 GDPR): You can request that we restrict our processing of your data, provided the legal requirements are satisfied.
- Right to data portability (Article 20 GDPR): If you have provided us with data on the basis of a contract or consent, then you can request to receive the data you have provided in a structured and commonly used format or alternatively that we transmit these data to another controller, provided the legal requirements are satisfied.
- Right to object to data processing on the grounds of legitimate interests (Article 21 GDPR): You have the right to object, on grounds relating to your particular situation, to our processing of personal data, provided this is based on legitimate interests within the meaning of Article 6(1)(1), point (f) GDPR. If you make use of your right to object, we will stop processing your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests.
- Withdrawing consent (Article 7 GDPR): If you have consented to our processing of your data, you can withdraw this consent at any time with effect for the future. This shall not affect the lawfulness of processing based on consent before its withdrawal. If you would like to withdraw your consent to the use of specific cookies, please refer to the explanations under Sec. 7.
- Right to lodge a complaint with a supervisory authority (Article 77 GDPR): You can also lodge a complaint with the relevant supervisory authority if you are of the opinion that the processing of your data infringes on the applicable law. To do this, you can contact either the data protection authority with jurisdiction over your place of residence, workplace or place of the purported violation, or the data protection authority with jurisdiction over us. The supervisory authority for data protection with jurisdiction over us is the State Data Protection Officer for Baden-Württemberg (www.baden-wuerttemberg.datenschutz.de).
In case of questions concerning the processing of your data, your rights as a data subject, and any consent you may have given, you can contact our Data Protection Officer via the communication channels listed under Sec. 15. Please also contact our Data Protection Officer directly in order to exercise your rights as a data subject. You can of course also contact the controllers indicated above in this respect.
We have appointed a company Data Protection Officer. You can reach them using the following information:
ZKM Data Protection Officer
c/o V-Formation GmbH
Tel.: +49 (0) 721/17029034
15. Safety and security
We implement technical and organizational security measures in order to protect your personal data against intentional or unintentional manipulation, loss, destruction, or access by unauthorized persons. These measures are always adjusted according to the current state of the art.
Personal data concerning you that are transmitted in the context of your use of our Website are transmitted to us securely using encryption. We do this using the Transport Layer Security (TLS) encryption protocol, largely known by its former name Secure Sockets Layer (SSL).
Our employees are obliged to observe data secrecy.
Last updated: September 2023
Data protection information for online tours, events and workshops via "Zoom" of the ZKM | Karlsruhe
We would like to inform you below about the processing of personal data in connection with using "Zoom".
a) Purpose of processing
We use the tool "Zoom" to hold online guided tours, events, and workshops (hereinafter: "online meetings"). "Zoom" is a service provided by Zoom Video Communications, Inc., which is based in the USA.
The ZKM | Karlsruhe assumes responsibility for data processing directly related to the conducting of online meetings.
Note: If you call up the "Zoom" website, the provider of "Zoom" is responsible for data processing. However, it is not necessary to call up the website to use "Zoom", only in order to download the software for using "Zoom".
You can also use "Zoom" by entering the respective meeting ID and, if applicable, further access data for the meeting, directly in the "Zoom" app.
If you do not want to or cannot use the "Zoom" app, the basic functions can also be used via a browser version, which you can also find on the "Zoom" website.
c) What data is processed?
When using Zoom, various types of data are processed. The amount of the data also depends on how much data you provide before or during participation in an online meeting. The following personal data are processed:
- User details: First name, last name, telephone (optional), e-mail address, password (if "single sign-on" is not used), profile picture (optional).
- Meeting metadata: Topic, description (optional), participant IP addresses, device/hardware information.
- For recordings (optional): MP4 file of all video, audio, and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.
- For dial-in with the telephone: Information on the incoming and outgoing call numbers, country name, start and end time. If appropriate, further connection data such as the IP address of the device may be stored.
Text, audio and video data: You possibly have the opportunity to use the chat, question, and survey functions at an online meeting. In this case, the text entries you make are processed in order to display them in the online meeting and, if necessary, to log them. To enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of your terminal device will be processed during the meeting. You can switch off or mute the camera or microphone yourself at any time via the “Zoom” applications.
In order to participate in an online meeting or to enter the meeting room, you must at least provide your name.
d) Scope of processing
We use “Zoom” to conduct online meetings. If we wish to record "online meetings", we will inform you in advance and – if required – ask for your consent. The fact that recording is taking place will also be displayed to you in the “Zoom” app.
If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will not normally be the case.
If necessary, we may also process questions asked by participants for the purposes of recording and following up on online meetings.
If you are registered as a user with “Zoom”, reports on online meetings (meeting metadata, telephone dial-in data, questions and answers in webinars, survey function in webinars) may be stored by “Zoom” for up to one month.
Automated decision-making as specified in Art. 22 DSGVO is not used.
e) Legal basis for data processing
The legal basis for data processing when conducting online meetings is Art. 6 para. 1 lit. b) DSGVO, insofar as the meetings are conducted within the framework of contractual relationships.
If there is no contractual relationship, the legal basis is Art. 6 para. 1 lit. f) DSGVO. In this case, our interest is to hold online meetings effectively, including free (educational) offers.
f) Recipients / passing on of data
Personal data processed in connection with participation in "online meetings" will not be passed on to third parties as a matter of principle, unless they are specifically intended to be passed on.
Other recipients: The provider of "Zoom" necessarily receives knowledge of the above mentioned data to the extent specified in our order processing contract with “Zoom”.
g) Data processing outside the European Union
“Zoom” is a service provided by a provider from the USA. Personal data is therefore also processed in a third country. We have concluded an order processing contract with the provider of “Zoom” that complies with the requirements of Art. 28 DSGVO.
An appropriate level of data protection is guaranteed on the one hand by its inclusion of the EU standard contractual clauses. As an additional protective measure, we have set up our “Zoom” configuration in such a way that only data centers in the EU, the EEA, or secure third countries such as Canada or Japan are used to conduct online meetings.