Data protection for visitors

Information on data protection for visitors with regard to photo and video recordings, especially at public events

In accordance with the legal requirements, we would like to inform you about how we process your personal data and what rights you have under the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). The responsibility for data processing lies with the organisation August Horch Museum Zwickau gGmbH (hereinafter referred to as ‘we’ or ‘us’).


Responsibilities

Responsible for the processing of your personal data is:

August Horch Museum Zwickau gGmbH
Thomas Stebich
Audistraße 7
08058 Zwickau
Zwickau, Germany
Phone: 0375 / 2717380
E-mail: info@horch-museum.de
 

Contact details of the data protection officer:

You can reach our data protection officer using the following contact details:

Sebastian Tausch
IT Rechenwerk GmbH
Eichenkamp 14
32479 Hille

E-Mail: datenschutz@it-rechenwerk.de
Telephone: 05 71 / 951 968 00

Information on data protection from our external data protection officer can be found at
https://datenschutzwegweiser.de/datenschutz/

When contacting our external data protection officer directly, please state that your enquiry relates to us.
 

General information on the principles and legal bases of data processing

According to Art. 4(1) GDPR, ‘personal data’ means ‘any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

In accordance with the principles for the processing of personal data pursuant to Art. 5 para. 1 GDPR, personal data must be:

  •  processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
  • collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes in accordance with Article 89(1) (‘purpose limitation’)
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures required by this Regulation to safeguard the rights and freedoms of the data subject (‘storage limitation’)
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (‘integrity and confidentiality’)
In accordance with Art. 5 para. 2 GDPR, the controller is responsible for compliance with paragraph 1 and must be able to demonstrate compliance (‘accountability’).
The processing of personal data takes place on the legal basis of Article 6 GDPR. Please note that processing can sometimes have several legal bases. For example, the provision of services is based on the legal basis of Art. 6 para. 1 lit. b GDPR ‘fulfilment of contract’. The data generated in the course of processing is often tax-relevant, which means that we are obliged to store it in accordance with tax regulations. The legal basis from Art. 6 is then Art. 6 para. 1 lit. c GDPR.


Legal bases

We process personal data on the basis of the following legal bases:

Art. 6 para. 1 lit. a
The data subject has given their consent to the processing of their personal data for one or more specific purposes; this consent is voluntary and can be revoked at any time with effect for the future.
 
Art. 6 para. 1 lit. b
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
 

Art. 6 para. 1 lit. c
Processing is necessary for compliance with a legal obligation to which the controller is subject.

Art. 6 para. 1 lit. f
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
 

Storage duration of personal data

Unless otherwise described for individual processing operations, personal data is processed for as long as necessary for the respective purpose or as provided for by law.
Please note that the processing of personal data may result in a statutory retention period. This is the case, for example, if tax-relevant data is processed.

In individual cases, data may be stored for a longer period within the scope of the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR if this data is required, for example, for the assertion, exercise or defence of legal claims, compliance with regulations or settlement of claims.
 

Processing when exercising your rights

If you wish to exercise your rights in accordance with Articles 15 to 22 of the GDPR, we will process the personal data you provide in order to implement these rights and to be able to provide proof of this.
 
Disclosure to third parties
 
We may disclose your personal data to third parties. These may be recipients of your personal data, e.g. to fulfil the notification obligation under Art. 19 GDPR, but also our external data protection officer, legal representatives and supervisory authorities.
 
Storage / deletion period
 
We will process the data stored for the provision of information and preparation exclusively for this purpose and for the purposes of data protection control and otherwise restrict processing in accordance with Article 18 of the GDPR.

Legal basis

These processing operations are based on the legal basis of Article 6(1)(c) GDPR in conjunction with Articles 15 to 22 GDPR and Section 34(2) BDSG. As proof of the processing of your enquiry or enquiries, we document the necessary data by default for 3 years after completion of the respective procedure to fulfil the legal requirement pursuant to Art. 6 para. 1 lit. c GDPR in conjunction with the ‘accountability obligation’ pursuant to Art. 5 para. 2 GDPR. Longer storage of the data may be necessary - even in the event of a request for deletion in accordance with Art. 17 GDPR - if other regulations require longer storage, for example § 7 a UWG, or if longer storage is necessary to safeguard legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR. Legitimate interests include the assertion, exercise or defence of legal claims.
 

Rights of the data subject

The data protection regulations provide for the following rights for you as the data subject if the legal requirements are met:
  • Right of access to personal data concerning you, in accordance with Art. 15 GDPR
  • Right to rectification of inaccurate personal data concerning you, in accordance with Art. 16 GDPR
  • Right to erasure of personal data concerning you, in accordance with Art. 17 GDPR and Section 35 BDSG-new
  • Right to restriction of processing of personal data concerning you, in accordance with Art. 18 GDPR
  • Right to be informed about the notification of recipients of personal data concerning you, in accordance with Art. 19 GDPR
  • Right to data portability of personal data concerning you, in accordance with Art. 20 GDPR
  • Right to object to the processing of personal data concerning you, pursuant to Art. 21 GDPR
In accordance with Art. 21 GDPR, you have the right to object to the processing of personal data concerning you at any time for reasons arising from your particular situation. We will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  • Right to revoke consent given with effect for the future, in accordance with Art. 7 para. 3 GDPR
  • Right to lodge a complaint with the supervisory authority in accordance with Art. 77 GDPR
The supervisory authority responsible for us is: Sächsische Datenschutz- und Transparenzbeauftragte,
Devrientstraße 5, 01067 Dresden, website: https://datenschutz.sachsen.de
 

Information on the processing of personal data

Purpose of the processing
We process your personal data to the extent necessary to fulfil the following purposes:
  • Marketing and advertising purposes
 
Legal basis
The legal basis for the processing of your personal data for the above-mentioned purposes is / are
  • Consent (Art. 6 para. 1 lit. a GDPR, Art. 7 GDPR)
  • Legitimate interest (Art. 6 para. 1 lit. f GDPR)
  • Special categories of personal data pursuant to Art. 9 para. 2 lit. e GDPR

Sources of the personal data

If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the sources of this data.
  • Voluntary self-disclosure
  • Collected from the data subject
  • Public data accessible to everyone
  • Automatic transmission for technical reasons
  • Recordings made during the event

Categories of personal data

If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the categories of data concerned.
  • Inventory data
  • Content data
  • Meta/communication data
  • Information in connection with the respective event, such as the name of the event, date, etc.
  • Health data
  • Genetic and biometric data
  • Sexual orientation
  • Political affiliation
  • Religious affiliation
  • Trade union membership

Legitimate interests

The indication of the ‘legitimate interests’ of the controller or the third party pursued with the processing of personal data refers to Art. 6 para. 1 sentence 1 lit. f GDPR.
  • The processing is carried out within the scope of the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR
  • a) for the documentation of events and
  • b) for public relations work
a) The legitimate interest of the controller is to create corresponding recordings of events for documentation purposes, to supplement them with additional information and to make this data available to authorised persons for the selection of recordings for public relations work as well as evaluation and subsequent comparison of the event for inspection.

b) The legitimate interest of the controller is to use photographs of events - especially public events - for public relations work and to send them to the press for this purpose, as well as to publish them on the website and in social networks. Experience has shown that articles about events with images are more likely to be published in the press and receive more hits than pure text articles or articles with pure object photos.
 
The employee responsible was sensitised to the fact that the provisions of Sections 22 and 23 of the German Art Copyright Act (KunstUrhG) provide guidance when taking and subsequently selecting images for public relations work.
 

Storage period

We will inform you about the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration.

Published images, for example in press products, are regularly archived permanently. Images, videos and associated information that are not required for documentation and public relations purposes are deleted once they are no longer needed.


Data recipients

Recipients of personal data outside the organisation

Article 4(9) of the General Data Protection Regulation (GDPR) defines the term ‘recipient’ as ‘the natural or legal person, public authority, agency or any other body, to which the personal data are disclosed, whether a third party or not’.
  • Press
  • Social networks
  • Online presence / website(s)

Transfer of data to a third country or international organisation

A transfer of personal data to an ‘international organisation’ (within the meaning of Art. 4 No. 26 GDPR) or to controllers, processors or other recipients in a country outside the European Union (EU) and the European Economic Area (EEA) entails particular data protection risks from the perspective of the data subject.
We transfer personal data to the following recipients outside the European Union (EU) and the European Economic Area (EEA):
  • Access outside the EU and EEA is possible through publication on our website and social media presences (Meta Platforms Ireland Limited for Facebook and Instagram).

Adequacy decision of the EU Commission

A transfer of personal data to a country outside the European Union (EU) and the European Economic Area (EEA) or to an international organisation is permitted if the European Commission has determined that the country in question, the territory in question or one or more specific sectors within that country or the international organisation in question guarantee an adequate level of protection.
We transfer personal data to the following recipients outside the European Union (EU) and the European Economic Area (EEA) for which an adequacy decision exists:
  • If neither an adequacy decision nor appropriate safeguards pursuant to Art. 46 GDPR exist, data may be transferred in accordance with the derogations pursuant to Art. 49 GDPR.