Data Protection Regulations
Version: June 2023
I – Preamble
II – Data Controller / Data Protection Officer / Supervisory Authority
III – Definitions
IV – General Principles / Information
V – Data processing for the provision of our websites / online platforms
VI – Data processing for the purpose of newsletter / advertising / marketing / press work
VII – Possible recipients of data / persons authorized to access data
VIII – Data processing outside the EEA
IX – Obligation to provide personal data (so-called mandatory data)
X – Processing of data for the environment of claims / fulfillment of legal obligations
XI – Rights of the data subject
XII – Alterations of the Data Protection Declaration, Language Versions
I – Preamble
With the following Privacy Notice we, Fotografiska Berlin GmbH (in the following: Fotografiska), would like to inform you comprehensively and in detail how we protect your privacy and how personal data is processed in the context of the use of our websites and/or online platforms. If the following information is not sufficient or not comprehensible, please do not hesitate to contact us under the contact details published in Section II.
II – Data Controller / Data Protection Officer / Supervisory Authority
Fotografiska Berlin GmbH
Tel: +49 15172209481
Data Protection Officer
There is currently no obligation to appoint a data protection officer.
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Tel: +49 30 13889-0
Fax: +49 30 2155050
III – Definitions
The definitions and terms used within this Privacy Notice are governed by the Regulation (EU) 679/2016 on the protection of natural persons with regard to processing of personal data, free movement of such data and the repealing of Directive 95/46/EC (hereinafter “General Data Protection Regulation” or “GDPR”) as well as by the Federal Data Protection Act (“BDSG”).
IV – General Principles / Information
1 – General handling of personal data
We collect and process personal data of our customers or users for the purpose of providing our web or online services (including mobile apps) if this is necessary for the provision of the aforementioned services and/or offers, or if the collection and/or processing of personal data for other purposes is permitted by another legal basis.
2 – Legal basis
For any processing of personal data based on the data subject’s consent, Art. 6 (1) lit. a GDPR is the legal basis for the processing.
In cases where data is processed for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b GDPR is the legal basis; this also applies to processing necessary for the implementation of pre-contractual measures.
If personal data is processed to comply with a legal obligation to which we are subject, Art. 6 (1) lit. c GDPR is the legal basis. If processing of personal data is necessary in order to protect vital interests of the data subject or any other natural person, Art. 6 (1) lit. d GDPR is the legal basis.
If processing takes place to protect a legitimate interest of our company or a third party, provided that the data subject’s interests or fundamental rights and freedoms do not outweigh this interest, Art. 6 (1) lit. f GDPR is the legal basis of the processing.
If processing of personal data takes place in the context of a so-called change of purpose, i.e. data is processed for other purposes than for the purposes for which it has been collected in the first place, Art. 6 (4) GDPR is the legal basis.
In cases where special categories of personal data within the meaning of Art. 9 GDPR are processed, the express consent of the data subject pursuant to Art. 9 (2) lit. a in conjunction with Art. 6 (1) lit. a GDPR and/or a permission pursuant to Art. 9 (2) lit. b-j GDPR is the legal basis for the processing.
3 – Enforcement of claims / legal compliance
We reserve the right to process personal data for enforcing claims within the scope of our legitimate interests pursuant to Art. 6 (1) lit. f GDPR; this includes, in particular, a transfer of data to a General Credit Protection Agency (e.g. “Schufa”), authorities and/or courts. In addition, personal data might be processed and/or transferred in the fulfilling of legal or regulatory obligations (e.g. disclosure to authorities etc.); in this case, Art. 6 (1) lit. c GDPR is the legal basis.
4 – Obtaining consent / right to revoke
Consent declarations within the meaning of Art. 6 (1) lit. a GDPR will be obtained in writing, in text form or electronically. If consent is to be obtained electronically, it will be granted by ticking an opt-in check box; the granting of the consent will be documented electronically. In the case of electronic consent, the so-called double opt-in procedure (https://www.onlinemarketing-praxis.de/glossar/double-opt-in) may be used to identify the user, as far as legally required.
Right to revoke: Please note that consent once given may be – in whole or in part – revoked at any time with effect for the future. The lawfulness of the processing that has taken place until such revocation shall remain unaffected. If you wish to revoke your consent, please use the contact details provided in Section II (data controller or data protection officer).
5 – Possible recipients of personal data
In order to provide our services (including our web and/or online platforms), we may use third-party service providers (subcontractors), who will, when providing their services, operate on our behalf and in accordance with our instructions. These service providers may receive or may have access to personal data when providing their services and shall constitute third parties or recipients within the meaning of GDPR.
In such cases, we ensure that our service providers have taken adequate security measures, that suitable technical and organizational measures are in place and that any processing complies with the requirements of the GDPR and guarantees the safeguarding of the data subject’s rights (see Art. 28 GDPR).
If personal data is transferred to third parties and/or recipients outside of a data processing in the meaning of Art. 28 GDPR, we ensure that this transfer complies with the requirements of GDPR and will be conducted only if a corresponding legal basis exists (e.g. Art. 6 (4) GDPR; see also Section IV.2).
6 – Processing of personal data in so-called third countries
The processing of your personal data will generally take place within the EU or the European Economic Area (“EEA”).
Only in few exceptional cases (e.g. in connection with the calling-in of service providers for rendering web analysis services) may information be transferred to and/or processed to/in so-called “third countries”. “Third countries” are countries outside of the European Union and/or the Agreement on the European Economic Area, which do not automatically safeguard an adequate level of data protection as required by the EU.
If the transferred information includes personal data, we ensure, prior to such transfer, that an adequate level of data protection is safeguarded in the respective third country or at the respective recipient in the third country. This may be ensured by a so-called “adequacy decision” of the European Commission, by using the so-called “EU Standard Contractual Clauses” or other measures subject to Art. 44 GDPR (e.g. Art. 49 GDPR).
7 – Data deletion and storage periods in “Third countries”
Personal data of data subjects will be deleted as soon as they are no longer required for the respective purpose of processing. Instead of deletion, data may, if necessary, be stored with restrictions on processing if provided for by European or national legislators in EU ordinances, laws or other regulations to which our company is subject, in particular e.g.
- in order to meet statutory storage obligations (e.g. the General Fiscal Law (“Abgabenordnung – AO”) or the German Commercial Code (“Handelsgesetzbuch – HGB”), currently 6 to 10 years) and/or
- if a legitimate interest in the storage of data exists (e.g. for the purpose of legal defense within the scope of the statute of limitations (Art. 195 ff. German Civil Code (“BGB”)), currently 3 up to 30 years).
In this case, Art. 6 (1) lit. c respectively lit. f GDPR are the legal basis. Data shall be deleted at the latest when the storage period specified by the principles stated below expires, unless further storing of the data is necessary for the conclusion of a contract or for other purposes (e.g. legitimate interests according to Art. 6 (1) lit. f GDPR).
8 – Rights of the data subject
The GDPR grants certain rights to the data subjects, i.e. persons affected by the data processing (so-called data subjects rights, in particular Art. 12 to 22 GDPR). The individual rights of the data subjects are specified in Section XI. If you wish to exercise one or more of these rights, you may contact us at any time. For that purpose, please use the contact details provided above in Section II.
V – Data processing for the provision of our websites / online platforms
In the context of the provision of our homepages and/or online platforms, we process personal data as follows:
1 – Data processing for the provision of our website/collection of log files
When a user visits our website, our system automatically processes data and information from the accessing device/computer system in an automated manner. The following data is processed (hereinafter “Log Data”):
- information on the type of browser and the version used
- the user’s operating system
- the user’s Internet service provider
- the user’s IP address
- date and time of access,
- websites from which the user’s system accesses our website,
- websites accessed by the user’s system via our website
- the user’s movements on our website (e.g. click rates, duration of use); the so-called log data do not allow a personal reference to the user
1.1 – Purpose and legal basis
The collection and processing of Log Data (in particular the IP address) take place for the purpose of making available to the user the content on our website, i.e. for the purpose of communication between the user and our web- or online platform. The IP address is temporarily stored for the duration of the respective communication process. This is necessary for addressing the communication between the user and our web and/or online platform and/or for using our web and/or online platform. Art. 6 (1) lit. b GDPR and/or Section 9 TTDSG – for the duration of your website visit – are the legal basis for such data processing.
Any processing and storage of the IP address in log files beyond the communication process take place for the purpose of ensuring the functionality of our web and online platforms, optimizing these platforms and ensuring the security of our IT systems. Art. 6 (1) lit. f GDPR (protection of legitimate interests) and/or Section 165 TKG are the legal basis for any storage of the IP address for these purposes beyond the communication process.
1.2 – Data deletion and storage period
We will delete data as soon as they are no longer necessary for attaining the purpose for which we processed them. In case of data collection for providing the website, the data will be deleted when the respective session – the website visit – has ended. Any further storage of Log Data, including the IP address, for the purpose of system security shall take place for a period of no more than seven days after the user’s access to the website has ended. Following the expiration of the aforementioned seven-day storage period, further processing and/or storage of Log Data will be possible and permissible if the users’ IP addresses are deleted or masked to such an extent that it is no longer possible to allocate the Log Data to an IP address. This applies except for further processing of data in the cases listed below (e.g. cookies etc.).
1.3 – Possibility of objection and removal
The processing of Log Data for the provision of the website, including the storage of Log Data in log files within the aforementioned limits, is essential for the operation of our website. Therefore, the user has no possibility to object to it. This shall not apply to the processing of Log Data for analysis purposes, cf. Section V.3 (depending upon the respective analysis tool used and the type of data analysis (personal / anonymous / pseudonymous)).
For cookies which make a personal identification possible, we obtain your consent for such utilisation via a so-called cookie banner (see section V.2.3 below). Further information concerning cookies can be found in the cookie notices accessible via our cookie banner or the tab, “Cookie Settings.”
We differentiate between two types of cookies: (i) technically necessary or essential cookies and (ii) cookies which require the consent of the users:
(i) We use technically necessary or essential cookies to make our web and/or online offerings more user-friendly. The following data are stored in our technically necessary cookies and transferred to our systems:
- adoption of language settings
- memorising of search terms
- data on the end device / PC and its settings
- articles in an online shopping cart
- log-in data
(ii) “Cookies which require consent,” including so-called “functional cookies”, contain all cookies for whose installation or utilisation prior granting of consent by the user is required. Such cookies can include comfort, performance, statistical/analytic and/or advertising or marketing cookies:
- Functional or comfort cookies enable us to improve the comfort and user-friendliness of our websites and to provide a range of different functions. E.g.: Comfort cookies can be used to store search results, language, layout and/or display settings.
- Performance cookies collect data on how you use our websites. For example, performance cookies help us to identify especially popular parts of our websites. This enables us to adjust the content of our websites to your needs and thus to improve our offers for you.
- We utilise statistical or analytic cookies to analyse user interaction with our web and/or online offers for the purpose of advertisement, market research or optimisation of our offerings. Further information can be found on our cookie banners.
- We utilise cookies for marketing purposes in order to send you relevant advertisement and promotional information, e.g., based on the websites you have visited. Advertisement cookies are, as a rule, not from our web servers, but from third-party providers. This includes for example the integration of the ‘like’ button. When it is clicked on, Facebook leaves its ‘own’ cookie on the relevant browser. The cookies of third-party providers can never be sought and/or analysed by us. The third-party providers, who set the respective Cookies based on your consent, are solely responsible for the use of such cookies; we have no possibility or influence to/on its usage and/or the processing of data based on such cookies. You can prevent the placing of third party providers’ cookies by taking the measures described in Section V.2.3. If you do not allow these cookies, you will experience less personalised advertisement.
2.1 – Purpose and legal basis
The purpose of using Essential Cookies is to simplify website usage. They are essential for certain website features, which require the recognition of the browser even after a website change. We use Essential Cookies for the following purposes:
- adopting language settings,
- memorising search terms,
- data on the end device / PC and its settings
- articles in an online shopping cart
- log-in information.
The user data collected by Essential Cookies is not used for creating profiles. The legal basis for the use of Essential Cookies is Art. 6 (1) lit. b GDPR, as far as there is the possibility to establish a personal link to the user and the use is necessary for the purpose of providing our web and/or online services in the interest of a contract fulfilment. Otherwise, Art. 6 (1) lit. f GDPR is the legal basis since the use is also made to safeguard legitimate interests for the purpose of providing web and/or online services.
Cookies which require consent are used to improve the quality of our website, its content and/or its usability. Because of such cookies, we learn more about the usage of the website, which enables us to optimize our websites continually (see above). With Performance and/or statistical/analytic Cookies we collect data on how our website is used. This enables us to improve the content and the user-friendliness of our website, e.g. through personalization. Cookies for Marketing Purposes are used to send you relevant advertisement and other similar promotional information. The above-mentioned cookies can be placed either by ourselves or third-party providers whose services we use on our websites. The third-party service providers are exclusively responsible for these cookies, we do not have any influence on their use; the use including the purposes and legal bases of the data processing are stated in the third-party’s data privacy terms. For further information please refer to our Cookie notice.
2.2 – Data deletion and storage period
Cookies are stored on the respective device of the user (smart device / PC) and will be transmitted from there to our websites. We differentiate between so-called permanent cookies and session cookies. Session cookies are stored during the duration of a browser session and will be deleted when the browser is closed. Permanent cookies will not be deleted when the respective browser session ends but are stored on the user’s device for a longer period.
2.3 – Possibility of objection and removal
3 – Web analysis/use of analysis tools
Such analyses enable us to adapt the design of our websites or optimise content in cases where, for example, we discover that a significant number of visitors use new technologies or fail to find, or have difficulty finding, an existing piece of information.
On our web and online platforms, we carry out the following analyses and use the following web analysis tools:
3.1 – Analysis of Log Data
The use of Log Data for analysis purposes takes place exclusively on an anonymous basis; there is neither a link between Log Data and personal data of the user, nor between Log Data and an IP address or a cookie. Therefore, such analysis of Log Data is not subject to the provisions of the GDPR under data protection law.
3.2 – Google Analytics / Google 360
For analysing website usage, we use the web analysis service “Google Analytics” or Google 360 from Google (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”). These tools use “cookies” to analyse the customers’ use of the website on a pseudonymous and/or anonymous basis.
The information generated by such cookies concerning your use of the website will be transferred to a Google server in the USA for storage. On this website, IP Anonymization is activated so that your IP address will be shortened prior to transfer within the Member States of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will your full IP address be transferred to a Google server in the USA and then be shortened there. On our behalf, Google will use the aforementioned information to evaluate the use of the website, to put together reports on the website activities and to provide the website operator with other services relating to website and Internet usage. The IP address transmitted by your browser within Google Analytics will not be combined with other Google data.
You can prevent the storage of cookies by setting your browser software accordingly. Please note, however, that you may then be unable to use all our website features.
If you do not wish to have your data evaluated by Google Analytics, you have the following options:
- By clicking on the following link, you can install an add-on, which places an opt-out cookie preventing the future collection of your data by Google Analytics: http://tools.google.com/dlpage/gaoptout?hl=de
Note: If you delete your cookies, the opt-out cookie will also be deleted and you need to re-activate it, if necessary.
- By downloading and installing the browser plugin available under the link (http://tools.google.com/dlpage/gaoptout?hl=de), you can prevent the processing of data (including your IP address) generated by the Google Analytics cookie relating to your use of the website.
We use Google Analytics for statistical purposes and for evaluating data from AdWords and the double-click cookie. You may deactivate Google Analytics via the Ad Preferences Manager (http://www.google.com/settings/ads/onweb/?hl=de).
3.3 – Google Tag Manager
We partly use the Google Tag Manager on our websites. Google Tag Manager is a solution that allows marketers to manage website tags through one interface. The tool itself (which implements the tags) is a cookie-less domain and does not collect any personal information. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If disabled at the domain or cookie level, it will remain disabled for all tracking tags implemented with Google Tag Manager.
3.4 – HubSpot
If necessary, we also use the services of the software producer HubSpot on our websites. HubSpot is a software company based in the USA with a branch office in Ireland (HubSpot European Headquarters, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland).
HubSpot is a service platform. The service we use for our website is an integrated software solution we use to administer customer data and to carry out various aspects of our online marketing. These include, amongst other things, analysis of landing pages and reporting. Therefore, so-called “web beacons” are used and cookies stored on your end device.
For this purpose, the following personal data can be collected, e.g.:
- IP address,
- geographic location,
- browser type,
- visit duration,
- pages visited.
The collected data, as well as the content of our website, are stored on the servers of our software partner, HubSpot Ireland. We utilise HubSpot to analyse how our website is used. This enables us to continuously optimise the website and make it more user-friendly. Furthermore, we use the data to determine which of our company’s services customers and newsletter subscribers find interesting and to contact customers and newsletter subscribers for advertising purposes. In addition, such analysis helps us to optimise our web offerings for you.
However, we use your IP address only in the abbreviated form. This means that, within the member states of the European Union or in other states that are signatories to the Agreement on the European Economic Area, HubSpot abbreviates users’ IP addresses. Only in exceptional cases will the full IP address be transferred to a server of HubSpot in the USA and be abbreviated there.
The HubSpot cookies usually have a lifespan of 13 months. In addition, we delete the personal data collected by HubSpot as soon as the purpose for which they were collected has been fulfilled, unless statutory retention periods preclude this (see also subsection 0.7).
The storage of cookies occurs on the basis of Art. 6 Sec. 1 lit. a GDPR. Consent is obtained via our cookie banner; users can revoke their consent at any time. If data generated by cookies are transferred to servers of Google in the USA and stored there, the consent obtained via our cookie banner shall be deemed also as consent within the meaning of Art. 49 (1) lit. a GDPR.
For further information about the functions of HubSpot please refer to: Privacy Policy of HubSpot Inc.
3.5 – Facebook-Pixel
We also use Facebook-Pixel from Facebook, a social media network of the company Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland, for analysing the website usage.
They implement a code on the website, which analyses the behaviour of the users who get to this website via Facebook advertisement. This may be used for improving Facebook advertisement and Facebook collects and stores this data. We cannot view the collected data, we can only use them in the context of advertisement placement. By using Facebook-Pixel codes, cookies are set.
By using Facebook-Pixel, the user’s visit to our website will be reported to Facebook so that the user will see matching advertisement. If you have a Facebook account and you are logged in, your subsequent website visits will be allocated to your Facebook account. We do not have any influence on this process and we are not responsible for data protection. For further information on the use of Facebook-Pixel for advertising campaigns, please refer to https://www.facebook.com/business/learn/facebook-ads-pixel.
You can change your settings for advertisements on Facebook via https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen, if you are logged into your account. You can manage your preferences regarding user based online advertisement via http://www.youronlinechoices.com/de/praferenzmanagement/. There, you can deactivate or activate many providers at once or change the settings for individual providers. For further information in the Facebook data protection policy, please refer to https://www.facebook.com/policy.php.
3.6 – LinkedIn Insight Tag/Pixel
The LinkedIn Insight Tag allows us to collect data for each visit on our website, including URL, Referrer URL, IP address, device and browser characteristics, timestamp and page views. This data will be encrypted, anonymized within seven days and the anonymized data will be deleted within 90 days. LinkedIn does not disclose any personal data to us, but it provides us with summarized reports about the website target group and the display performance. LinkedIn also offers retargeting for website visitors so that, with the help of this data, we can display targeted advertisement outside of our website without the member being identified. Members of LinkedIn can configure the usage of their personal data in their account settings.
We use the LinkedIn Insight Tag to get detailed campaign reports and information about the visitors of our website and to serve our advertisement and marketing interests. Being customers of LinkedIn Marketing Solutions, we use the LinkedIn Insight Tag to track conversions, to carry out retargeting of our website visitors and to gain additional information about the LinkedIn members who check our advertisement. For details about the collection of data (purpose, scope, further processing, use) as well as your rights and setting options, please refer to the data protection information of LinkedIn under https://www.linkedin.com/legal/privacy-policy.
Art. 6 (1) lit. f GDPR is the legal basis for the processing of personal data, i.e. a legitimate interest on our part. Our legitimate interest lies in the above-mentioned purposes.
The data will be encrypted, anonymized within seven days and then the anonymized data will be deleted within 90 days. As a user, you may at any time decide about the execution of the JavaScript code via your browser settings. By changing the settings in your internet browser, you can deactivate JavaScript, limit it or prevent storing. Please note: If the execution of JavaScript is deactivated, you may no longer be able to use all website features completely.
If you are a member of LinkedIn and you do not want LinkedIn to collect data from you via our website and link your visit with your stored LinkedIn member data, you have to log out of LinkedIn before you visit our website.
You can prevent the execution of the JavaScript code necessary for the tool by changing the respective setting in your browser software.
You can also end further tracking by LinkedIn via the Opt-Out provided by us, for more info click HERE.
4 – Marketing / Layout / Social Media PlugIns
On our web and online platforms, we offer you to register for our newsletter; the information in Section X applies accordingly. Furthermore, advertisement tools and Social Media PlugIns are used. In detail:
4.1 – Web Fonts
For uniform representation of fonts, we use Web Fonts provided by Monotype GmbH (fonts.com or fast.fonts.net). When you access our website, your browser downloads the necessary fonts into the browser cache in order to correctly display the website content.
For this purpose, your browser has to connect to the servers of fonts.com. Thereby, Monotype GmbH registers that your IP address accessed our website. We use Fonts.com’s Web Fonts for a uniform display of our online platforms. This corresponds to a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR. If your browser does not support Web Fonts and/or you have blocked Web Fonts in your browser, your computer will use a standard font.
For further information about Web Fonts please refer to https://www.fonts.com/info/legal and the Data Protection Declaration of Fonts under https://www.fonts.com/info/legal/privacy/ and the data protection declaration of Monotype GmbH: https://www.monotype.com/legal/privacy-policy/.
4.2 – Google Maps
On our websites, we partially incorporate maps from the service Google Maps of Google LLC via API. In order to fully display the content in your browser, Google has to collect your IP address; otherwise, Google can not deliver/display the incorporated map content. In the event of contract fulfilment, Art. 6 (1) lit. b GDPR is the legal basis for such data processing as well as Art. 6 (1) lit. f GDPR in the context of a legitimate interest while using our website as the IP address is necessary for displaying the content. Regarding this processing, we cooperate with Google on the basis of a contract about the shared responsibility according to Art. 26 GDPR, which can be referred to under https://privacy.google.com/intl/de/businesses/mapscontrollerterms/. Please note that Google has its own Data Protection Regulations, which are independent from ours. We take no responsibility or liability for these regulations and procedures. For further information about the data processing by Google, please refer to the Google Data Protection Regulation under https://www.google.de/intl/de/policies/privacy/.
4.3 – Google Remarketing
We use the Remarketing Technology of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
Through this technology, users, who already visited our website and/or online platforms and who are interested in our services, will be addressed again with targeted advertisement on the websites of the Google Partner Networks. The display of advertisement is carried out via cookies. With the help of these cookies, the user behaviour on our websites can be analysed and then be used for targeted product recommendation and interest-based advertisement. Google does not merge the data collected in the context of remarketing with your personal data. Google uses pseudonymization in the context of remarketing.
By using our services, you agree to the processing of the collected data by Google in the manner and for the purpose described herein. Please note that Google has its own Data Protection Regulations, which are independent from ours. We take no responsibility or liability for these regulations and procedures.
4.4 – Social Networks / Social Media Plugins
We incorporated plugins of several social media networks on our websites. These plugins provide different features whose subject and scope will be defined by the operators of the social networks. We use a 2-click-procedure for a better protection of your personal data. By clicking the button directly next to the respective plugin, the plugin will be activated which will be marked by a colour change of the plugin button from grey to colourful. Afterwards, you can use the respective plugin by clicking on the plugin button. Please note that the IP address of your browser session can be linked to your own profile on the respective social media network if you are logged in at this time. Equally, a visit of our website can be linked to your social media network profile if it recognizes you through a previously set social network cookie that is still present on your computer.
Please note that we are not the providers of the social media networks and that we do not have any influence on their data processing. For further information, please refer to the following links or addresses:
We incorporate plugins of the social media network Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA on our websites. You recognize the Facebook plugins by the Facebook logo or the “Like-button” on our website. For an overview on the Facebook plugins, please refer to: http://developers.facebook.com/docs/plugins/.
If you activate the plugin, your browser will be directly linked to the Facebook server. Thereby, Facebook receives the information that you visited our site with your IP address.
Please note that we, as provider of the website, do not have any knowledge about the content of the transferred data and their usage by Facebook and that we are not responsible for the data processing by Facebook. For further information, please refer to the Facebook Data Protection Declaration under http://de-de.facebook.com/policy.php.
We incorporate features of the social media network LinkedIn on our websites. These features are provided by LinkedIn Ireland Limited, 77 Sir John Rogerson’s Quay, Dublin 2, Ireland. In this process, data is transferred to LinkedIn. Please note that we as provider of the website do not have any knowledge about the content of the transferred data and their usage by LinkedIn. For further information please refer to the LinkedIn Data Protection Declaration under: http://www.linkedin.com/static?key=privacy_policy.
On our websites we incorporate features of Xing provided by XING AG, Gänsemarkt 43, 20354 Hamburg. If you activate and use the plugin, your browser establishes a direct link to the servers of Xing. The content of the plugin will be directly transferred to your browser, which then incorporates it on the website. By activating the plugin, Xing gets the information that you visited the respective website of our online platform. If you are logged in, Xing can allocate your visit to your Xing account. For further information on the purpose and scope of the data collection, the subsequent processing and use of the data by Xing as well as your rights and setting possibilities in this respect, please refer to the Xing Data Protection Regulations.
In connection with our websites and online offerings, we make limited use of functions of the service, Instagram. These functions are provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA.
When you are logged in to your Instagram account, you can link the content of our pages with your Instagram profile by clicking on the Instagram button. Instagram will then be able to connect your visit to our pages to your user account. Please note that as a website provider, we receive no information about the content or the use of the data transferred by Instagram.
For further information, please refer to the privacy statement of Instagram: https://instagram.com/about/legal/privacy/.
As far as we integrate “YouTube videos” in our websites and online services which are stored on http://www.youtube.com and can be played via our website, the following applies: YouTube videos are all integrated in the “expanded data-protection mode”, i.e. no data pertaining to you as a user are transferred to YouTube when you do not play these videos. Only if you play the videos are the data mentioned in the following paragraph transferred. We have no influence on this transfer of data.
If you visit the website, YouTube will be informed that you have accessed the corresponding lower part of our website. In addition, the data mentioned in part 2 of this statement will be transferred. This occurs whether or not YouTube provides a user account in which you are logged in or if no user account exists. When you are logged in to your Google account, your data are directly linked to your account. If you do not want to have your data linked to your YouTube profile, you will need to log off before activating the relevant button. YouTube will store your data as a user profile and will use them for purposes of advertisement, market research and/or need-based modification of their website. Such analysis occurs in particular (even with users who are not logged in) to provide need-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of such user profiles; to exercise this right you will need to contact YouTube directly.
You will find further information as to the purpose and scope of this data collection and the processing of your data by YouTube in the privacy statement of YouTube. You will find further information concerning your rights and settings for the protection of your privacy at: https://www.google.de/intl/de/policies/privacy.
5 – Contact form and E-Mail contact
On our website, you can find a contact form, which the user can use to contact us electronically. If the user submits this contact form, the data entered in the input mask will be transferred to us and then stored by us. These data are:
- first name*
- last name*
- phone number*
- E-mail address*
- message field
- zip code*
*Mandatory information that is necessary for the registration is marked with an asterisk as a mandatory field (in the input mask).
At the time of sending the message, the following data will also be processed and stored:
- the user’s IP address
- date and time of the sending
Alternatively, you can also contact us via the indicated email address. In this case, all data transferred with the email will be stored. In no case will data be transferred to third parties, except when we have to resort to third parties for the processing of the request.
5.1 – Purpose and legal basis
Data will only be processed for the purpose of handling the respective request or the respective user enquiry. All further data collected during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.
If the data processing takes place for the purpose of the fulfilment of a customer order or a customer request, Art. 6 (1) lit. b GDPR is the legal basis, no matter whether the contacting takes place via the contact form or via email. In case of the existence of a user consent, Art. 6 (1) lit. a GDPR is the legal basis for the processing. Legal basis for the collection of additional data during the sending process is Art. 6 (1) lit. f GDPR; the legitimate interest lies in the prevention of misuse and ensuring system security.
5.2 – Data deletion and storage period
Data will generally be deleted as soon as we no longer need it for attaining the purpose for which we collected it. In respect to the personal data from the input mask of the contact form and the data sent by email, we will delete the data when the respective communication with the user has ended and/or the user’s enquiry has been answered definitively. The communication shall be deemed ended, or the enquiry definitively answered, if it is evident from the circumstances that the matter concerned has been definitively resolved. If continued storage of the data is necessary for the reasons specified in Section 0.7, the data shall be stored and blocked instead of being deleted.
Data collected additionally during the sending process will be deleted as soon as they are no longer necessary for the purpose of their collection.
5.3 – Right to object and removal
The user has the option of discontinuing the communication with us and/or withdrawing his/her enquiry and objecting to the corresponding use of his/her data at any time. In such case, all communication is stopped and all personal data stored in the course of contact with the user will be deleted, subject to further storage of the data for the reasons mentioned in Section IV.7.
VI – Data processing for the purpose of newsletter / advertising / marketing / press work
The use of personal data for the purpose of advertising and/or marketing measures (e.g. newsletters), for carrying out customer satisfaction surveys and for the purpose of press and public relations work (hereinafter collectively referred to as “marketing”) shall only take place in the presence of a corresponding consent or another legal basis which also permits this without the presence of consent. In detail:
1 – Newsletter Registration
If you would like to receive our newsletter, we require a valid e-mail address from you. In order to be able to check whether you are the owner of the specified e-mail address or whether its owner agrees to receive the newsletter, we send an automated e-mail to the specified e-mail address after the first registration step (so-called “double opt-in”). Only after confirmation of the newsletter registration via a link in the confirmation e-mail do we include the specified e-mail address in our distribution list. We do not collect any further data beyond the e-mail address and the details for confirming the registration.
Your data is processed for the purpose of sending the newsletter you have ordered. The legal basis for this processing is Art. 6 (1) lit. a GDPR or Section 7 of the Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, “UWG”) (see below). You can unsubscribe from the newsletter at any time; the explanations on the right to revoke consent under section IV.4 apply in addition.
2 – Use of personal data for advertising and marketing purposes / customer surveys
Your personal data will only be used for the purpose of advertising and/or marketing approaches as well as for carrying out customer satisfaction surveys if you have given your consent or if there is another legal basis which permits an advertising and/or marketing approach even without consent. As far as legally permissible, we reserve the right in this context to address customers for advertising purposes also on the basis of publicly accessible data and/or address data of third parties which they obtain from publicly accessible sources (e.g. data from directory media, the Internet, company homepages, public registers or similar). In detail:
- The legal basis for advertising and/or marketing measures based on express consent is Art. 6 (1) lit. a GDPR; the explanations on consent under section IV.4 apply accordingly.
- The legal basis for the use of personal data for the purpose of direct mail advertising is Art. 6 (1) lit. f GDPR (legitimate interests); the legitimate interest here is to address potential customers for the purpose of direct advertising for our products and services.
- The legal basis for advertising and/or marketing measures by telephone call is Section 7 (2) No. 2 UWG; this requires express consent in the case of consumers, and at least presumed consent in the case of other market participants; for the requirement of express consent see above as well as point IV.4.
- For advertising and/or marketing measures via e-mail for the purpose of direct advertising for our own similar goods or services, the legal basis is Section 7 (3) UWG, provided that (i) we have received your e-mail address in connection with the sale of a good or service, (ii) you have not objected to the use of your e-mail address for the purpose of direct advertising and (iii) when collecting the e-mail address and at each use, we clearly inform you that you can object to such use of your e-mail at any time (for the right to object, see section XI.6).
Personal data is stored and used for advertising purposes for an indefinite period of time, depending on the respective legal basis for the advertising measure (consent or legitimate interests), until you have objected to the use of your data for advertising purposes or you have revoked your consent.
You can revoke your consent to the processing of personal data at any time with effect for the future. You can object to processing on the basis of legitimate interests at any time; a right of objection exists in particular in the case of profiling in accordance with Art. 21 GDPR. If a revocation and/or an objection is made, the personal data will no longer be processed for the respective purposes concerned; this does not include the processing of data that is still required for the purpose of fulfilling a contract (Art. 6 (1) (b) GDPR), including statutory retention obligations, and/or if the data is still required for legitimate interests (Art. 6 (1) (b) GDPR) (e.g. in the case of an objection to advertising, the processing of data in a so-called blacklist in order to prevent future advertising approaches).
We are happy to provide you with further information on our handling of data in the area of marketing and/or the sources of our data upon request; please contact us for this purpose using the contact details provided in section II.
3 – Press and public relations work
For the purpose of press and public relations work, we collect and process master data, contract implementation data or third-party data from journalists and/or press representatives. This may include, in particular, the provision of press information, the processing of press enquiries, addressing press representatives or organising and inviting them to (press) events. The legal basis for such data processing is Art. 6 (1) lit. b GDPR (fulfilment of contract / implementation of pre-contractual measures), insofar as this takes place for the fulfilment of a corresponding agreement and/or in the context of a specific enquiry. Otherwise, the data processing is carried out within the framework of legitimate interests according to Art. 6 (1) lit. f GDPR; legitimate interest here lies in the organisation of press and public relations work for the benefit of Fotografiska.
VII – Possible recipients of data / persons authorised to access data
Within the scope of providing our services and the associated processing of personal data, and in order to fulfil the aforementioned purposes, our employees have access to data according to the so-called “need-to-know” principle. This means that the group of persons authorised to access the data is limited to those employees who are required to fulfil the respective processing purpose.
In order to fulfil the aforementioned purposes, data may also be processed by (technical) service providers, service providers, subcontractors, vicarious agents and/or service partners who are active on behalf of Fotografiska for the fulfilment of the aforementioned purposes, in particular within the framework of the execution of the contract. Furthermore, data may be processed and transmitted in the context of payment transactions (e.g. to banks, payment service providers). In addition, data may be transmitted to courts, lawyers, debt collection agencies and/or public authorities for the purpose of enforcing claims and/or fulfilling legal obligations, see also section X.
With regard to any recipients of data and the general organisation of access authorisations to data in our company, we also refer to the explanations in section X.
VIII – Data processing outside the EEA
Data processing outside the European Union (EU) and/or the European Economic Area (EEA) may take place, for example, in the case of the use of deliveries and services by customers outside the EEA, e.g. in the case of the acquisition of operating resources in Russia or Belarus. Such data processing outside the EEA for the purpose of executing the contract is permissible under Art. 49 GDPR, in particular under Art. 49 (1) lit. b and/or lit. c of the GDPR. Insofar as Art. 49 GDPR does not intervene and Fotografiska is responsible for the data processing on site under data protection law, Fotografiska will take the measures mentioned in section IV.6 to ensure an appropriate level of data protection. We will be happy to provide further information on this on request.
IX – Obligation to provide personal data (so-called mandatory data)
Data that is required for the establishment, conclusion or performance of a business relationship, including the fulfilment of associated contractual obligations and/or which we are legally obliged to collect, is mandatory data. Mandatory data are marked with an asterisk in our forms. If this data is not provided, we may not be able to provide a contract and/or service, or only to a limited extent; we reserve the right to refuse to conclude a contract if mandatory data is not provided.
X – Processing of data for the enforcement of claims / fulfilment of legal obligations
We reserve the right to use personal data for the extrajudicial and judicial enforcement of claims. The legal basis for such processing of data is Art. 6 (1) lit. b GDPR (contract fulfilment / implementation of pre-contractual measures) or Art. 6 (1) lit. f GDPR (legitimate interests). Likewise, data may be processed and/or transmitted for the purpose of fulfilling legal or statutory obligations (e.g. information from authorities, etc.); the legal basis for this is Art. 6 (1) lit. c GDPR.
XI – Rights of the data subject
According to GDPR, the user is entitled to the following rights of the data subject:
1 – Right to information (Art. 15 GDPR)
You have the right to request information on whether or not we process your personal data. If our company processes your personal data, you are entitled to information on
- the purposes for which the data is processed;
- the categories of personal data (type of data) processed;
- the recipients, or categories of recipients, to whom your data has been disclosed to or is yet to be disclosed; this shall particularly apply, if data has been disclosed, or is to be disclosed, to recipients in third countries outside of the application of the GDPR;
- the planned storage period, if possible; if it is not possible to specify the storage period, the criteria for defining the storage period (e.g. statutory retention periods or the like) will in any case be communicated;
- your right to correction and deletion of your data, including the right to have processing restricted and/or the option of opting out (see also the following subsections in this respect);
- the existence of a right to complain to a supervisory authority;
- the origin of the data in the case of personal data not collected directly from you.
Furthermore, you are entitled to information on whether your personal data is the subject matter of an automated decision as specified in Art. 22 GDPR and, if so, what decision-making criteria are taken as a basis for such automated decision (logic), and what effects and implications this automated decision could have for you.
If personal data is transferred to a third country outside of the scope of application of the GDPR, you are entitled to information on whether and, if so, under what guarantees an adequate level of protection, within the meaning of Arts. 45 and 46 GDPR, has been safeguarded at the data recipient in the third country.
You have the right to demand a copy of your personal data. In principle, we provide data copies in electronic form, unless specified otherwise. The first copy will be free of charge; we may request an appropriate fee for further copies. The provision of such data copies is subject to the rights and freedoms of other persons possibly affected by the transfer of the data copy.
2 – Right to correction (Art. 16 GDPR)
You have the right to request that we correct your data if your data is incorrect, inapplicable and/or incomplete; this right to correction includes the right to complete your data by means of supplementary statements or notifications. Correction and/or supplementation shall take place promptly, i.e. without culpable delay.
3 – Right to deletion (Art. 17 GDPR)
You have the right to demand that we delete your personal data if
- your personal data is no longer needed for the purposes for which it was collected and processed;
- the data is being processed on the basis of consent given by you, and you have revoked your consent, unless there is some other legal basis for processing the data;
- you have objected to data processing in accordance with Art. 21 GDPR, and no overriding legitimate reasons for continued processing exist;
- you have objected to data processing for the purpose of direct advertising in accordance with Art. 21 (2) GDPR;
- your personal data has been processed unlawfully;
- the data concerned is a child’s data collected in connection with information society services in accordance with Art. 8 (1) GDPR.
No right to delete personal data exists if
- the right to freely express an opinion or the right to information conflicts with the request for deletion;
- the processing of personal data is (i) necessary for compliance with a legal obligation (e.g. statutory retention duties), (ii) for the performance of public tasks, or the protection of public interests, under European Union law and/or the law of its Member States (this includes interests in the field of public health) or (iii) for archiving and/or research purposes;
- the personal data is necessary for asserting, exercising or defending legal claims.
Deletion shall take place promptly, i.e. without culpable delay. If we have made personal data public (e.g. on the Internet), we shall, if this is technically possible and can be reasonably expected, ensure that third-party data processors are also informed of the deletion request, including the deletion of links, copies and/or replications.
4 – Right to restriction of processing (Art. 18 GDPR)
You have the right to have the processing of your personal data restricted in the following cases:
- If you have disputed the accuracy of your personal data, you may request that we do not use your data for other purposes and that their use is restricted, whilst we check the accuracy.
- If your data is unlawfully processed, you may request that we restrict the use of your data in accordance with Art. 18 GDPR instead of deleting it in accordance with Art. 17 (1), lit. d GDPR.
- If you need your personal data for asserting, exercising or defending legal claims, but further processing of your personal data is not necessary, you may request that we limit processing to the aforementioned legal defense purposes.
- If you have objected to data processing in accordance with Art. 21 (1) GDPR, and it has not yet been established whether our interests in processing outweigh your interests, you may request that we do not use your data for other purposes and that their use is restricted, until the outweighing of interests is confirmed.
Except for storage, we will process personal data whose processing has been restricted at your request only (i) with your consent, (ii) for asserting, exercising or defending legal claims, (iii) for protecting the rights of other natural persons or legal entities or (iv) for reasons of important public interest. If a processing restriction is lifted, you will be informed thereof.
5 – Right to data portability (Art. 20 GDPR)
Subject to the following provisions, you have the right to request that your personal data be surrendered in a commonly used electronic, machine-readable data format. The right to data portability includes the right to transfer the data to another data controller. On request, we shall therefore – insofar as technically possible – transfer data directly to a data controller designated, or yet to be designated, by you. The right to data portability shall apply only to data provided by you and requires that the processing takes place on the basis of consent or for the implementation of a contract and be carried out with the aid of automated procedures. The right to data portability under Art. 20 GDPR does not affect the right to data deletion under Art. 17 GDPR. The data shall be transferred only if no rights or freedoms of other persons are impaired because of the data transfer.
6 – Right to object (Art. 21 GDPR)
If we process personal data for the performance of tasks that are in the public interest (Art. 6 (1) lit. e GDPR) or for the protection of legitimate interests (Art. 6 (1) lit. f GDPR), you may at any time, with effect for the future, object to the processing of your personal data. If you exercise your right to object, we shall refrain from all further processing of your data for the aforementioned purposes, unless
- the reasons for processing are compelling and worthy of protection and outweigh your interests, rights and freedoms, or
- the processing is necessary for asserting, exercising or defending legal claims.
You may object to the usage of your data for direct advertising at any time, with effect for the future; this shall also apply to profiling, if it relates to direct advertising. If you exercise your right to object, we shall refrain from all further processing of your data for direct advertising.
7 – Prohibition of automated decisions/profiling (Art. 22 GDPR)
Decisions that entail a legal consequence for you or materially impair you shall not be based exclusively on automated processing of personal data, including profiling. This shall not apply if such automated decision
- is necessary for the conclusion or performance of a contract with you;
- is permissible under legal provisions of the European Union or its Member States, insofar as these legal provisions contain appropriate measures for protecting your rights, freedoms and legitimate interests; or
- is made with your express consent.
In principle, decisions based exclusively on automated processing of particular categories of personal data are impermissible, unless Art. 22 (4) in conjunction with Art. 9 (2) lit. a or lit. g GDPR shall apply, and appropriate measures for protecting your rights, freedoms and legitimate interests have been taken.
8 – Legal protection options/right to complain to the supervisory authority
If you have any complaints, you may at any time turn to the relevant supervisory authority of the European Union or its Member States. For our company, the supervisory authority specified in Section II is the relevant supervisory authority.
XII – Alterations of the Data Protection Declaration, Language Versions
1 – We reserve the right to alter the data protection declaration at irregular intervals and will inform you about the significant changes and the impact they will have on the use of your personal data. You have access to the respective current version on our websites under the link “data protection”.