(1) This notice is to inform you about the collection of personal data during the use of our website. Personal data is all data that can be linked to you personally, e.g. name, address, e-mail address, user behaviour.
(2) The controller within the meaning of Section 4 (7) of the EU General Data Protection Regulation (hereinafter: GDPR) is: Städel Museum / Städelsches Kunstinstitut und Städtische Galerie, Dürerstrasse 2, 60596 Frankfurt am Main, Director: Dr. Philipp Demandt (see also Imprint). You can contact our data protection officer at or at our postal address with the extension “to the data protection officer”.
(3) If you contact us by e-mail or using an online contact form, the data you provide (e.g. your e-mail address, as applicable your name and telephone number) are stored by us so that we can handle your enquiry or answer your questions. We delete the data arising in this context once storage is no longer necessary, or restrict its processing if there are statutory storage obligations.
(4) If we work with contracted service providers for individual functions of our offer, or would like to use your data for advertising purposes, we will inform you, as described in detail below, about the processes involved. Below we also set out the criteria established for the duration of storage.
You have the following rights vis-à-vis the Städel Museum with respect to your personal data. To exercise these rights, you can contact us at, for example, the contact data given under § 1 (2).
(1) Right of objection (Section 7 GDPR)
If we process your data for the purposes of direct marketing, you have the right at any time, and with effect for the future, to lodge an objection against the processing of your personal data for the purpose of such marketing; this also applies to profiling if it is in connection with such direct marketing. You also have the right, for reasons arising out of your specific situation, to lodge an objection any time, and with effect for the future, against the processing of your personal data that takes place in accordance with Section 6 (1) (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. You can exercise your right of objection free of charge.
(2) Right to information (Section 15 GDPR)
You have the right at all times to obtain from us a confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, to access the personal data and the other information mentioned in Section 15 GDPR.
(3) Right to rectification (Section 16 GDPR)
You have the right to obtain from us, without undue delay, the rectification of inaccurate personal data concerning you (Section 16 GDPR). Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
(4) Right of erasure (“right to be forgotten”) (Section 17 GDPR)
You have the right to obtain from us the erasure of personal data concerning you without undue delay, where any of the grounds cited in Section 17 (1) GDPR apply and the processing is not necessary for any of the purposes cited in Section 17 (3) GDPR.
(5) Right to restriction of processing (Section 18 GDPR)
You also have the right to obtain a restriction of the processing of your personal data if any of the conditions set out in Section 18 (1) (a) to (d) GDPR apply.
(6) Right to data portability (Section 20 GDPR)
Under the conditions cited in Section 20 (1) GDPR, you have the right to receive the personal data concerning you, that you provided us with, in a structured, commonly used and machine-readable format. You also have the right to transmit that data to another controller without hindrance from us. In exercising your right to data portability, you shall have the right to have the personal data transmitted directly from us to another controller, where technically feasible.
(7) Right to withdraw consent (Section 7 GDPR)
Where processing is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
(8) Right of complaint (Section 77 GDPR)
You have the right to lodge a complaint with the supervisory authority responsible for our company. The supervisory authority responsible for our company is:
Der Hessische Datenschutzbeauftragte, PO Box 3163, 65021 Wiesbaden
E-mail: Poststelle@datenschutz.hessen.de, www.datenschutz.hessen.de
Telefon: +49 611 1408–0, Telefax: +49 611 1408 – 900
(1) If you use our website purely for information purposes, i.e. if you do not register or send us any other information, we only automatically collect the personal data that your browser sends to our server. This includes the following data, which we require for technical purposes in order to show you our website and guarantee its stability and security. (The legal basis is Section 6 (1) (1) (f) GDPR.):
(2) In addition to the aforementioned data, so-called cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard disc for the browser you are using, and that send certain information to the provider who set the cookie (in this case us). Cookies cannot execute programs or infect your computer with viruses. Their purpose is to make the overall internet offer more user-friendly and effective.
a) This website uses the following types of cookies, the extent and function of which are explained in the following:
b) Transient cookies are automatically deleted when you close the browser. These include in particular the session cookies. These store a so-called session ID, with which various requests from your browser can be assigned to the shared session. This will allow your computer to be recognized when you return to our website. The session cookies are deleted when you log out or close the browser.
c) Persistent cookies are deleted automatically after a specified period which can vary depending on the cookie. You can delete the cookies in the security settings of your browser at any time.
d) You can configure your browser settings according to your own requirements and, for example, refuse to accept third-party cookies or all cookies. Please be advised, however, that you may then not be able to use all functions of this website.
(1) In addition to the use of our website for purely informational purposes, we also offer various services you can use if you are interested. To use these services, you generally have to provide further personal data which we use to provide the respective service, and to which the aforementioned data processing principles apply.
(2) Sometimes we use external service providers to process your data. These have been carefully selected and commissioned by us, are bound by our instructions and subject to regular inspection.
(3) We can also pass your personal data on to third parties when campaign participations, prize draws, contract conclusions or similar services are being offered by us in conjunction with partners. You will receive further information on this when you provide your personal data, or below in the description of the offer.
(4) If any of our service providers or partners are based in a state outside of the European Economic Area (EEA), we will inform you about the consequences of this in the description of the offer.
(1) You can post public comments on our blog, where we post various contributions on topics related to our activities. Your comment will be posted on the blog with your given username. We recommend using a pseudonym instead of your common name. The username and e-mail address are required; all further information is voluntary. When you leave a comment, we will save your IP address, which we delete after one week. The storage is necessary for us in order to defend ourselves against legal liability claims in cases of a possible publication of unlawful content. We need your e-mail address to contact you if a third party objects to your comment as unlawful. Legal bases are Section 6 (1) (1) (b) and (f) GDPR. The comments will be checked by us before publication. We reserve the right to delete comments if third parties object to them as unlawful.
(1) If you would like to order anything in our webshop, it is necessary for the conclusion of the contract that you provide the personal data we require to handle the order. The obligatory information for processing the contract is marked accordingly; any further data is voluntary. We process the data provided by you for the purpose of handling your order. For this purpose we may also pass your payment data on to our bank. The legal basis for this is Section 6 (1) (1) (b) GDPR.
(2) For reasons of commercial and tax law, we are obliged to store your address, payment and order data for a period of ten years. We do, however, restrict processing after two years, i.e. your data is used only to fulfil legal obligations.
(3) To prevent unauthorized access to your personal data, in particular financial data, by third parties, the ordering process is encrypted using TLS technology.
(1) If you take advantage of download offers or activate content requiring registration, we store your e-mail address and personal data (address, etc.) for the duration of the contract for purposes of identification, contact and examination of the authorization to purchase. The legal basis for this is Section 6 (1) (b) GDPR.
(1) By giving your consent, you can subscribe to our newsletter, in which we inform you about our current offers.
(2) For the subscription to our newsletter, we use the so-called double opt-in procedure. This means that, after you have subscribed, we send an e-mail to the stated e-mail address in which we request your confirmation that you want to receive the newsletter. If you do not confirm your subscription within 24 hours, your personal data is blocked and automatically deleted after one month. We also store the IP addresses used and the times of the subscription and confirmation. The purpose of this procedure is to verify your subscription and, as applicable, clarify any possible abuse of your personal data.
(3) The only information necessary for the sending of the newsletter is your e-mail address. The provision of other, separately marked data is voluntary, and will only be used to address you personally. After we receive your confirmation, we store your e-mail address for the purpose of sending the newsletter. The legal basis is Section 6 (1) (1) (a) GDPR.
(4) You can withdraw your consent to the sending of the newsletter at any time and unsubscribe from the newsletter. You can declare your revocation by clicking on the link provided in every e-mail newsletter, by writing an e-mail to , or by sending a message to the contacts given in the “Imprint”.
(5) Our newsletters may contain so-called “web beacons”. These are small electronic images that are called up by our server or the Inxmail server when the newsletter is opened. These web beacons do not contain any personal data and are used only for statistical purposes so that we know whether and which links contained in the newsletters are clicked. The data is collected exclusively in pseudonymized form and not linked with your other personal data so that it cannot be linked to you.
(6) In some cases the newsletters are not sent directly by us, but by Inxmail GmbH, Wentzingerstr. 17, 79106 Freiburg, with server location in Germany, within the framework of order processing commissioned by us. Inxmail does not use the data, however, to write to you directly. No data is passed on to third parties in connection with the data processing for the dispatch of newsletters.
a) Google Analytics
(1) This website uses Google Analytics, a web analysis tool from Google Inc. (“Google”). Google Analytics employs “cookies”, i.e. text files which are saved to your computer and enable your use of the website to be analyzed. The information about your use of this website generated by the cookie is generally transferred to and saved on a Google server in the USA. When IP anonymization is activated on this website, your IP address will be truncated in advance within Member States of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and truncated there. Google will use this information on behalf of the operator of this website to evaluate your usage of the website, to create reports on website activities, and to provide the website operator with other services related to website and internet usage.
(2) The IP address transmitted by your browser within the context of Google Analytics will not be combined with any other data held by Google.
(3) You can prevent cookies from being stored on your computer by making the corresponding setting in your browser software. We would like to point out, however, that in this case you may not be able to use all of this website’s functions without restrictions. You can also prevent the collection of the data generated by the cookie and referring to your use of the website (including your IP address), as well as the processing of this data by Google, by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de
(4) This website uses Google Analytics with the extension “_anonymizeIp()”. This means that IP addresses are further processed in truncated form; any direct personal link can thus be ruled out. If the data collected has any personal association with you, this is immediately ruled out, and the personal data immediately deleted.
(5) We use Google Analytics to analyze the use of our website and continually improve it. The statistics compiled help us to improve our offer and make it more interesting for you as a user. For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legal basis for the use of Google Analytics is Section 6 (1) (1) (f) GDPR.
(7) This website also uses Google Analytics for a cross-device analysis of visitor flows executed with a user ID. You can deactivate the cross-device analysis of your usage in your customer account under “My Data”, “Personal Data”.
b) Dynamic Remarketing
If you have given your consent to this, Google links your web and app browser history with your Google account for this purpose. This means that the same personalized advertising messages can be shown on any terminal device which you use to log in to your Google account.
To support this function, Google Analytics registers Google-authenticated IDs of the users that are temporarily linked with our Google Analytics data to define and identify target groups for the cross-device marketing.
Your data will also be transmitted to the USA as applicable. Data transmissions to the USA are covered by an adequacy decision of the European Commission. The data is processed subject to Section 6 (1) (f) GDPR on the basis of the legitimate interest of addressing visitors to the website with targeted marketing by showing personalized, interest-related advertisements for visitors to the website of the provider when they visit other websites in the Google Display network.
You can permanently object to the cross-device remarketing/targeting by deactivating personalized advertising in your Google account. To do this, click here: https://www.google.com/settings/ads/onweb/
c) Use of Facebook Custom Audiences
Our website uses the Facebook Custom Audiences feature of Facebook Inc. “(“Facebook”). This feature serves to present visitors to this website with advertisements (“Facebook ads”) that are tailored to their interests during their use of the social network Facebook as registered users. For this purpose, a special Facebook pixel is located in the invisible part of this website. This pixel establishes a direct connection to the Facebook servers when you visit the website. The information that you have visited this website is transmitted to the Facebook servers. Facebook then assigns this information to your personal Facebook account. For more information about Facebook's collection and use of this data, and about your rights and choices regarding your privacy, please see Facebook's Privacy Notice at If you do not wish the data of your visit to be collected and used in the manner described here, you can deactivate the “Facebook Custom Audiences” function at https://www.facebook.com/settings/?tab=ads at any time.
This website uses plugins, which are small add-on programs from the social networks and services named below, are operated by third parties, and with which files can be sent to the respective social network by pressing a button, for example to evaluate, recommend or share content with other users. In this we are pursuing the purpose and the legitimate interest of making our offers better known. We configure these plugins in such a way that data is transmitted only when you press the button. The legal basis for the data transmission in this case is Section 6 (1) (f) GDPR. The respective provider is responsible for processing the data in compliance with the data protection regulations.
a) Facebook Social Plugins
On the basis of our legitimate interests (i.e. interest in the analysis, optimization and commercial operation of our website within the meaning of Section 6 (1) (f) GDPR) we use social plugins (“plugins”) of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plugins can represent interaction elements or content (e.g. videos, graphics or texts) and can be recognized by one of the Facebook logos (white “f” on a blue tile, the term “like” or a “thumbs up” icon) or are marked with the extension “Facebook Social Plugin”. You can view the Facebook social plugins and what they look like here: https://developers.facebook.com/docs/plugins/.
Facebook is certified under the privacy shield framework, thus offering a guarantee that it is in compliance with European data protection law. https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
When a user calls up a function of this website that contains such a plugin, his device makes a direct connection with the Facebook servers. The content of the plugin is sent directly by Facebook to the device of the user and integrated there in the website. Usage profiles of the users can be drawn up from the processed data. We therefore have no influence on the extent of the data that Facebook collects with these plugins, and therefore inform the users according to our own present knowledge.
Through the integration of the plugins, Facebook receives the information that a user has accessed the respective page of the online offer. If the user is logged in on Facebook, Facebook can assign the visit to his Facebook account. When you interact with plugins, for example by pressing the “like” button or posting a comment, the corresponding information is sent from your device directly to Facebook and stored there. If a user is not a member of Facebook, it is still possible that Facebook will learn his IP address and store it. According to Facebook, only an anonymized IP address is stored in Germany.
If a user is a Facebook member and does not want Facebook to collect data about him/her through this website or link it with his/her member data stored with Facebook, he/she has to log out of Facebook before using our website and delete his/her cookies. Further settings and objections to the use of data for marketing purposes are possible using the Facebook profile settings: https://www.facebook.com/settings?tab=ads or on the USA site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. The settings are made on a platform-independent basis, i.e. they are activated on all devices such as desktop computers or mobile devices.
Our website may contain functions and content of the service Instagram, provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. This can include content such as images, videos or texts and buttons with which users can signify their appreciation of the content or the authors of the content or subscribe to our articles. If the users are members of the platform Instagram, Instagram can assign the call-up of the abovementioned content and functions to the profiles of the users there. Data protection policy of Instagram: http://instagram.com/about/legal/privacy/.
e) Google Maps