Privacy Policy

§ 1 information on the collection of personal data

(1) This notice is to inform you about the collection of personal data during the use of our website. Personal data is all data that can be linked to you personally, e.g. name, address, e-mail address, user behaviour.

(2) The controller within the meaning of Section 4 (7) of the EU General Data Protection Regulation (hereinafter: GDPR) is: Städel Museum / Städelsches Kunstinstitut und Städtische Galerie, Dürerstrasse 2, 60596 Frankfurt am Main, Director: Dr Philipp Demandt (see also Imprint). You can contact our data protection officer at datenschutz@staedelmuseum.de or at our postal address with the extension "to the data protection officer".

(3) If you contact us by e-mail or using an online contact form, the data you provide (e.g. your e-mail address, as applicable your name and telephone number) are stored by us so that we can handle your enquiry or answer your questions. We delete the data arising in this context once storage is no longer necessary, or restrict its processing if there are statutory storage obligations.

(4) If we work with contracted service providers for individual functions of our offer, or would like to use your data for advertising purposes, we will inform you, as described in detail below, about the processes involved. Below we also set out the criteria established for the duration of storage.

§ 2 your rights

You have the following rights vis-à-vis the Städel Museum with respect to your personal data. To exercise these rights, you can contact us at, for example, the contact data given under § 1 (2).

(1) Right of objection (Section 7 GDPR)
If we process your data for the purposes of direct marketing, you have the right at any time, and with effect for the future, to lodge an objection against the processing of your personal data for the purpose of such marketing; this also applies to profiling if it is in connection with such direct marketing. You also have the right, for reasons arising out of your specific situation, to lodge an objection any time, and with effect for the future, against the processing of your personal data that takes place in accordance with Section 6 (1) (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. You can exercise your right of objection free of charge.

(2) Right to information (Section 15 GDPR)
You have the right at all times to obtain from us a confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, to access the personal data and the other information mentioned in Section 15 GDPR.

(3) Right to rectification (Section 16 GDPR)
You have the right to obtain from us, without undue delay, the rectification of inaccurate personal data concerning you (Section 16 GDPR). Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

(4) Right of erasure ("right to be forgotten") (Section 17 GDPR)
You have the right to obtain from us the erasure of personal data concerning you without undue delay, where any of the grounds cited in Section 17 (1) GDPR apply and the processing is not necessary for any of the purposes cited in Section 17 (3) GDPR.

(5) Right to restriction of processing (Section 18 GDPR)
You also have the right to obtain a restriction of the processing of your personal data if any of the conditions set out in Section 18 (1) (a) to (d) GDPR apply.

(6) Right to data portability (Section 20 GDPR)
Under the conditions cited in Section 20 (1) GDPR, you have the right to receive the personal data concerning you, that you provided us with, in a structured, commonly used and machine-readable format. You also have the right to transmit that data to another controller without hindrance from us. In exercising your right to data portability, you shall have the right to have the personal data transmitted directly from us to another controller, where technically feasible.

(7) Right to withdraw consent (Section 7 GDPR)
Where processing is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

(8) Right of complaint (Section 77 GDPR)
You have the right to lodge a complaint with the supervisory authority responsible for our company. The supervisory authority responsible for our company is:
Der Hessische Datenschutzbeauftragte, PO Box 3163, 65021 Wiesbaden
E-mail: Poststelle@datenschutz.hessen.de, www.datenschutz.hessen.de
Telefon: +49 611 1408–0, Telefax: +49 611 1408 – 900

§ 3 collection of personal data when you visit our website

(1) If you use our website purely for information purposes, i.e. if you do not register or send us any other information, we only automatically collect the personal data that your browser sends to our server. This includes the following data, which we require for technical purposes in order to show you our website and guarantee its stability and security. (The legal basis is Section 6 (1) (1) (f) GDPR.):

  • IP address
  • date and time of the enquiry
  • time zone difference to Greenwich Mean Time (GMT)
  • content of the request (actual site)
  • access status / HTTP status code
  • data quantity transferred in each case
  • website from which the request comes
  • browser
  • operating system and its user interface
  • language and version of the browser software

(2) In addition to the aforementioned data, so-called cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard disc for the browser you are using, and that send certain information to the provider who set the cookie (in this case us). Cookies cannot execute programs or infect your computer with viruses. Their purpose is to make the overall internet offer more user-friendly and effective.

(3) Use of cookies:
a) This website uses the following types of cookies, the extent and function of which are explained in the following:

  • transient cookies (see b) and
  • persistent cookies (see c).

b) Transient cookies are automatically deleted when you close the browser. These include in particular the session cookies. These store a so-called session ID, with which various requests from your browser can be assigned to the shared session. This will allow your computer to be recognized when you return to our website. The session cookies are deleted when you log out or close the browser.
c) Persistent cookies are deleted automatically after a specified period which can vary depending on the cookie. You can delete the cookies in the security settings of your browser at any time.
d) You can configure your browser settings according to your own requirements and, for example, refuse to accept third-party cookies or all cookies. Please be advised, however, that you may then not be able to use all functions of this website.
e) We use cookies so that we can identify you on subsequent visits if you have an account with us. Otherwise you would have to log in again every time you visited our website.

§ 4 other functions and offers of our website

(1) In addition to the use of our website for purely informational purposes, we also offer various services you can use if you are interested. To use these services, you generally have to provide further personal data which we use to provide the respective service, and to which the aforementioned data processing principles apply.

(2) Sometimes we use external service providers to process your data. These have been carefully selected and commissioned by us, are bound by our instructions and subject to regular inspection.

(3) We can also pass your personal data on to third parties when campaign participations, prize draws, contract conclusions or similar services are being offered by us in conjunction with partners. You will receive further information on this when you provide your personal data, or below in the description of the offer.

(4) If any of our service providers or partners are based in a state outside of the European Economic Area (EEA), we will inform you about the consequences of this in the description of the offer.

§ 5 use of the blog functions

(1) You can post public comments on our blog, where we post various contributions on topics related to our activities. Your comment will be posted on the blog with your given username. We recommend using a pseudonym instead of your common name. The username and e-mail address are required; all further information is voluntary. When you leave a comment, we will save your IP address, which we delete after one week. The storage is necessary for us in order to defend ourselves against legal liability claims in cases of a possible publication of unlawful content. We need your e-mail address to contact you if a third party objects to your comment as unlawful. Legal bases are Section 6 (1) (1) (b) and (f) GDPR. The comments will be checked by us before publication. We reserve the right to delete comments if third parties object to them as unlawful.

§ 6 use of our webshop

(1) If you would like to order anything in our webshop, it is necessary for the conclusion of the contract that you provide the personal data we require to handle the order. The obligatory information for processing the contract is marked accordingly; any further data is voluntary. We process the data provided by you for the purpose of handling your order. For this purpose we may also pass your payment data on to our bank. The legal basis for this is Section 6 (1) (1) (b) GDPR.

(2) For reasons of commercial and tax law, we are obliged to store your address, payment and order data for a period of ten years. We do, however, restrict processing after two years, i.e. your data is used only to fulfil legal obligations.

(3) To prevent unauthorized access to your personal data, in particular financial data, by third parties, the ordering process is encrypted using TLS technology.

§ 7 download products and activation of content requiring registration

(1) If you take advantage of download offers or activate content requiring registration, we store your e-mail address and personal data (address, etc.) for the duration of the contract for purposes of identification, contact and examination of the authorization to purchase. The legal basis for this is Section 6 (1) (b) GDPR.

§ 8 Newsletter

(1) By giving your consent, you can subscribe to our newsletter, in which we inform you about our current offers.

(2) For the subscription to our newsletter, we use the so-called double opt-in procedure. This means that, after you have subscribed, we send an e-mail to the stated e-mail address in which we request your confirmation that you want to receive the newsletter. If you do not confirm your subscription within 24 hours, your personal data is blocked and automatically deleted after one month. We also store the IP addresses used and the times of the subscription and confirmation. The purpose of this procedure is to verify your subscription and, as applicable, clarify any possible abuse of your personal data.

(3) The only information necessary for the sending of the newsletter is your e-mail address. The provision of other, separately marked data is voluntary, and will only be used to address you personally. After we receive your confirmation, we store your e-mail address for the purpose of sending the newsletter. The legal basis is Section 6 (1) (1) (a) GDPR.

(4) You can withdraw your consent to the sending of the newsletter at any time and unsubscribe from the newsletter. You can declare your revocation by clicking on the link provided in every e-mail newsletter, by writing an e-mail to newsletter@staedelmuseum.de, or by sending a message to the contacts given in the “Imprint”.

(5) Our newsletters may contain so-called "web beacons". These are small electronic images that are called up by our server or the Inxmail server when the newsletter is opened. These web beacons do not contain any personal data and are used only for statistical purposes so that we know whether and which links contained in the newsletters are clicked. The data is collected exclusively in pseudonymized form and not linked with your other personal data so that it cannot be linked to you.

(6) In some cases the newsletters are not sent directly by us, but by Inxmail GmbH, Wentzingerstr. 17, 79106 Freiburg, with server location in Germany, within the framework of order processing commissioned by us. Inxmail does not use the data, however, to write to you directly. No data is passed on to third parties in connection with the data processing for the dispatch of newsletters.

§ 9 use of analysis tools

a) Google Analytics
(1) This website uses Google Analytics, a web analysis tool from Google Inc. ("Google"). Google Analytics employs "cookies", i.e. text files which are saved to your computer and enable your use of the website to be analyzed. The information about your use of this website generated by the cookie is generally transferred to and saved on a Google server in the USA. When IP anonymization is activated on this website, your IP address will be truncated in advance within Member States of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and truncated there. Google will use this information on behalf of the operator of this website to evaluate your usage of the website, to create reports on website activities, and to provide the website operator with other services related to website and internet usage.

(2) The IP address transmitted by your browser within the context of Google Analytics will not be combined with any other data held by Google.

(3) You can prevent cookies from being stored on your computer by making the corresponding setting in your browser software. We would like to point out, however, that in this case you may not be able to use all of this website’s functions without restrictions. You can also prevent the collection of the data generated by the cookie and referring to your use of the website (including your IP address), as well as the processing of this data by Google, by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de

(4) This website uses Google Analytics with the extension "_anonymizeIp()". This means that IP addresses are further processed in truncated form; any direct personal link can thus be ruled out. If the data collected has any personal association with you, this is immediately ruled out, and the personal data immediately deleted.

(5) We use Google Analytics to analyze the use of our website and continually improve it. The statistics compiled help us to improve our offer and make it more interesting for you as a user. For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legal basis for the use of Google Analytics is Section 6 (1) (1) (f) GDPR.

(6) Third-party provider Information: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Terms and conditions of use: http://www.google.com/analytics/terms/de.html, overview of data protection: http://www.google.com/intl/de/analytics/learn/privacy.html, as well as the data privacy policy: http://www.google.de/intl/de/policies/privacy.

(7) This website also uses Google Analytics for a cross-device analysis of visitor flows executed with a user ID. You can deactivate the cross-device analysis of your usage in your customer account under "My Data", "Personal Data".

b) Dynamic Remarketing
Our website uses the functions of Google Analytics Remarketing in connection with the cross-device functions of Google AdWords and Google DoubleClick by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). These functions serve the purpose of analysis of visitor behaviour and visitor interests. Google uses cookies to carry out the analysis of the website usage, which forms the basis for the creation of interest-related advertisements. The cookies are used to register the visits to the website as well as anonymized data about the use of the website. This function allows us to link the marketing target groups identified with Google Analytics Remarketing with the cross-device functions of Google AdWords and Google DoubleClick. In this way, it is possible to show, on a terminal device (e.g. tablet or PC) belonging to you, interest-related, personalized marketing messages that were adapted to you on the basis of your previous usage and surfing behaviour on a different terminal device (e.g. mobile phone).

If you have given your consent to this, Google links your web and app browser history with your Google account for this purpose. This means that the same personalized advertising messages can be shown on any terminal device which you use to log in to your Google account.

To support this function, Google Analytics registers Google-authenticated IDs of the users that are temporarily linked with our Google Analytics data to define and identify target groups for the cross-device marketing.

Your data will also be transmitted to the USA as applicable. Data transmissions to the USA are covered by an adequacy decision of the European Commission. The data is processed subject to Section 6 (1) (f) GDPR on the basis of the legitimate interest of addressing visitors to the website with targeted marketing by showing personalized, interest-related advertisements for visitors to the website of the provider when they visit other websites in the Google Display network.

You have the right, for reasons arising from your specific situation, to object at any time to this processing of the personal data concerning you on the basis of Section 6 (1) (f) GDPR. To do this, you can permanently deactivate the use of cookies by Google by clicking on the following link and downloading and installing the plug-in provided there: https://support.google.com/ads/answer/7395996?hl=de

You can permanently object to the cross-device remarketing/targeting by deactivating personalized advertising in your Google account. To do this, click here: https://www.google.com/settings/ads/onweb/

For further information and the data protection regulations, please see the data privacy policy of Google at: http://www.google.com/policies/technologies/ads/

§ 10 use of social media plugins and other tools

This website uses plugins, which are small add-on programs from the social networks and services named below, are operated by third parties, and with which files can be sent to the respective social network by pressing a button, for example to evaluate, recommend or share content with other users. In this we are pursuing the purpose and the legitimate interest of making our offers better known. We configure these plugins in such a way that data is transmitted only when you press the button. The legal basis for the data transmission in this case is Section 6 (1) (f) GDPR. The respective provider is responsible for processing the data in compliance with the data protection regulations.

a) Facebook Social Plugins
On the basis of our legitimate interests (i.e. interest in the analysis, optimization and commercial operation of our website within the meaning of Section 6 (1) (f) GDPR) we use social plugins ("plugins") of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). The plugins can represent interaction elements or content (e.g. videos, graphics or texts) and can be recognized by one of the Facebook logos (white "f" on a blue tile, the term "like" or a "thumbs up" icon) or are marked with the extension "Facebook Social Plugin". You can view the Facebook social plugins and what they look like here: https://developers.facebook.com/docs/plugins/.

Facebook is certified under the privacy shield framework, thus offering a guarantee that it is in compliance with European data protection law. https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.

When a user calls up a function of this website that contains such a plugin, his device makes a direct connection with the Facebook servers. The content of the plugin is sent directly by Facebook to the device of the user and integrated there in the website. Usage profiles of the users can be drawn up from the processed data. We therefore have no influence on the extent of the data that Facebook collects with these plugins, and therefore inform the users according to our own present knowledge.

Through the integration of the plugins, Facebook receives the information that a user has accessed the respective page of the online offer. If the user is logged in on Facebook, Facebook can assign the visit to his Facebook account. When you interact with plugins, for example by pressing the "like" button or posting a comment, the corresponding information is sent from your device directly to Facebook and stored there. If a user is not a member of Facebook, it is still possible that Facebook will learn his IP address and store it. According to Facebook, only an anonymized IP address is stored in Germany.

For the purpose and extent of the data collection and the further processing and use of the data by Facebook, as well as the respective rights and setting options to protect the private sphere of the users, please see the Facebook data privacy policy: https://www.facebook.com/about/privacy.

If a user is a Facebook member and does not want Facebook to collect data about him/her through this website or link it with his/her member data stored with Facebook, he/she has to log out of Facebook before using our website and delete his/her cookies. Further settings and objections to the use of data for marketing purposes are possible using the Facebook profile settings: https://www.facebook.com/settings?tab=ads or on the USA site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. The settings are made on a platform-independent basis, i.e. they are activated on all devices such as desktop computers or mobile devices.

b) Twitter
Functions and features of the service "Twitter" are embedded in our website. These features are provided through Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. This can include content such as images, videos or texts and buttons with which users can signify their appreciation of the content or the authors of the content or subscribe to our articles. If the users are members of the platform Twitter, Twitter can assign the call-up of the abovementioned content and functions to the profiles of the users there. Twitter is certified under the privacy shield framework, thus offering a guarantee that it is in compliance with European data protection law https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active. Data privacy policy: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization.

c) Instagram
Our website may contain functions and content of the service Instagram, provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. This can include content such as images, videos or texts and buttons with which users can signify their appreciation of the content or the authors of the content or subscribe to our articles. If the users are members of the platform Instagram, Instagram can assign the call-up of the abovementioned content and functions to the profiles of the users there. Data protection policy of Instagram: http://instagram.com/about/legal/privacy/.

d) Pinterest
Our website uses plugins of the social network Pinterest, which is operated by Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA ("Pinterest"). If you call up a website of our Internet presence which contains such a plug-in, your browser establishes a direct link to the servers of Pinterest. The plugin transmits protocol data to the Pinterest server in the USA. This data can contain your IP address, the address of the websites visited that also include Pinterest functions, type and settings of the browser, date and time of the enquiry, your type of use of Pinterest, as well as cookies. For further information on the purpose, extent and further processing and use of data by Pinterest as well as your respective rights and options to protect your private sphere, go to the data privacy policy of Pinterest at: https://about.pinterest.com/de/privacy-policy

e) Google+ Plugins (e.g. „+1“-Button)
Our website uses plugins of the social network Google+, which is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA, 94043, USA ("Google"). The plugins can be recognized, for example, by buttons with the sign "+1" on a white or coloured background. For an overview of the Google plugins and what they look like, click here: https://developers.google.com/+/plugins. When you access a page on our website that contains such a plugin, your browser creates a direct connection with the servers of Google. The content of the plugin is sent directly by Google to your browser and integrated in the site. Through this integration, Google receives the information that your browser has called up the respective page of our website, even if you have no profile with Google+ or are not currently logged in with Google+. This information (including your IP address) is sent directly by your browser to a server of Google in the USA and stored there. If you are logged in with Google+, Google can assign the visit to our website to your Google+ profile. If you interact with the plugins, for example by pressing the "+1" button, the respective information is also sent directly to a server of Google and stored there. The information will also be published on Google+ and your contacts shown there. For further information on the purpose and extent of the data collection and the further processing and use of the data by Google, as well as your rights in this regard and the setting options for the protection of your private sphere, please see the Google data privacy policy: http://www.google.com/intl/de/+/policy/+1button.html.
. If you do not want Google to assign the data collected through our website directly to your profile on Google+, you have to log out of Google+ before visiting our website. You can also completely prevent the loading of the Google plugins with add-ons for your browser with, e.g., the script blocker "NoScript" http://noscript.net/.

f) Google Maps
This website uses Google Maps API for the visual display of geographical information. When Google Maps is used, Google also collects, processes and uses data about the use of the map functions by visitors. For further information on the data processing by Google, please see the Google data privacy policy. You can also change your personal data privacy settings in the data protection centre there.

This site uses cookies. By continuing to browse the site, you are agreeing to our use of cookies. Find out more.