documenta archiv

Data Protection

Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to simply as “data”) that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”).

The terms used are not gender-specific.
Status: December 12, 2025

Controller

documenta und Museum Fridericianum gGmbH
Friedrichsplatz 18
34117 Kassel
T +49 561 70727-0
F +49 561 70727-39
Imprint

You can contact our data protection officer using the following contact details:

You can reach our external data protection officer, Mr. Blazy (GDPC GbR), by telephone at +49 (0) 561 830 99 165, by post at the above address with the addition “– Data Protection Officer –”, and by email at datenschutzbeauftragter@documenta.de.

Relevant Legal Bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. Should more specific legal bases be applicable in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6(1) sentence 1 lit. a GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.

  • Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR) – The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject.

  • Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR) – The processing is necessary to safeguard the legitimate interests of the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject requiring the protection of personal data do not override those interests.

National Data Protection Regulations in Germany

In addition to the data protection regulations of the GDPR, national data protection provisions apply in Germany. These include, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains, in particular, special provisions regarding the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and the transfer of data, as well as automated decision-making in individual cases, including profiling. Furthermore, the data protection laws of the individual German federal states may also apply.

Security Measures

In accordance with the statutory requirements, and taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access relating to their use, input, disclosure, availability assurance, and separation. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data breaches. In addition, we take the protection of personal data into account already in the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

Securing online connections through TLS/SSL encryption technology (HTTPS): To protect users’ data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure successor to SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is transmitted securely and in encrypted form.

Transfer of personal data

In the course of our processing of personal data, it may occur that such data are transferred to, or disclosed to, other entities, companies, legally independent organizational units, or individuals. Recipients of such data may include, for example, service providers entrusted with IT-related tasks or providers of services and content integrated into a website. In such cases, we comply with the statutory requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to ensure the protection of your personal data.

International Data Transfers

Data processing in third countries: Where we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where this occurs in the context of using third-party services or the disclosure or transfer of data to other persons, bodies, or companies (which may be identifiable from the respective provider’s postal address or where the privacy policy explicitly refers to data transfers to third countries), this is always carried out in compliance with the statutory requirements.

For data transfers to the United States, we primarily rely on the Data Privacy Framework (DPF), which has been recognized as a secure legal framework by an adequacy decision of the European Commission dated July 10, 2023. In addition, we have concluded Standard Contractual Clauses (SCCs) with the respective providers in accordance with the requirements of the European Commission, which establish contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: the DPF constitutes the primary level of protection, while the Standard Contractual Clauses serve as an additional security measure. Should changes occur within the scope of the DPF, the Standard Contractual Clauses will apply as a reliable fallback mechanism. In this way, we ensure that your data remains adequately protected at all times, even in the event of political or legal changes.

For each individual service provider, we inform you whether they are certified under the DPF and whether Standard Contractual Clauses (SCCs) are in place. Further information on the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, appropriate safeguards apply accordingly, in particular Standard Contractual Clauses, explicit consent, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found in the information provided by the European Commission at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. Where personal data concerning you are processed for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes; this also applies to profiling insofar as it is related to such direct marketing.

  • Right to withdraw consent: You have the right to withdraw any consent you have given at any time.

  • Right of access: You have the right to request confirmation as to whether personal data concerning you are being processed and, where this is the case, to access such data as well as further information and a copy of the data in accordance with the statutory provisions.

  • Right to rectification: In accordance with the statutory provisions, you have the right to request the completion of personal data concerning you or the rectification of inaccurate personal data concerning you.

  • Right to erasure and restriction of processing: In accordance with the statutory provisions, you have the right to request that personal data concerning you be erased without undue delay or, alternatively, to request a restriction of the processing of such data.

  • Right to data portability: You have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, in accordance with the statutory provisions, or to request that such data be transmitted to another controller.

  • Right to lodge a complaint with a supervisory authority: In accordance with the statutory provisions and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Provision of the Online Offering and Web Hosting

We process users’ data in order to provide our online services to them. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the users’ browser or device.

  • Types of data processed: Usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions);
    meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); log data (e.g. log files relating to logins or data retrieval or access times).

  • Data subjects: Users (e.g. website visitors, users of online services).

  • Purposes of processing: Provision of our online offering and user-friendliness;
    information technology infrastructure (operation and provision of information systems and technical equipment such as computers and servers); security measures.

  • Storage and deletion: Deletion in accordance with the information provided in the section “General information on data storage and deletion.”

  • Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing activities, procedures, and services:

  • Provision of the online offering on rented server space: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a server provider, Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen (also referred to as the “web hoster”); Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

  • Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files.” These server log files may include the address and name of the retrieved web pages and files, date and time of access, amount of data transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. Server log files may be used, on the one hand, for security purposes, for example to prevent server overload (in particular in the event of abusive attacks, so-called DDoS attacks), and, on the other hand, to ensure server utilization and stability; Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Deletion of data: Log file information is stored for a maximum period of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes are excluded from deletion until the respective incident has been finally clarified.

  • Use of the content management system “Kirby”: We use the content management system Kirby to operate this website, provided by The Kirby Company (Bastian Allgeier GmbH), Germany. The processing of personal data serves exclusively to provide the content of our website and to ensure its secure and stable presentation. Kirby is hosted locally on the controller’s own servers. Depending on technical requirements, the following data may be processed in the course of using Kirby: server and access data (IP address, time of server request, HTTP status codes, technical browser information, operating system, referrer URL); system and error logs used for diagnostic and security analysis; form data, insofar as you enter data via an integrated contact or participation form. Kirby itself does not set any cookies and, without additional plugins, does not process users’ personal data for analytics or marketing purposes. Legal bases: Art. 6(1) lit. f GDPR (legitimate interest) – our interest lies in the secure and efficient provision of the website and its technical stability; Art. 6(1) lit. b GDPR, insofar as you transmit data via forms that are required for the performance of a contract or pre-contractual measures; Art. 6(1) lit. c GDPR, insofar as log files must be retained by law for the prevention or documentation of security-relevant incidents. Storage period: Server log files are stored for a maximum of 30 days in accordance with our security and compliance requirements and are subsequently deleted or anonymized, unless longer retention is required to clarify security-relevant events.

Use of Cookies

The term “cookies” refers to functions that store information on users’ end devices and read information from them. Cookies may also be used for various purposes, such as ensuring functionality, security, and convenience of online services, as well as for creating analyses of visitor flows. We use cookies in accordance with statutory provisions. Where required, we obtain users’ prior consent. If consent is not required, we rely on our legitimate interests. This applies where the storage and retrieval of information is essential in order to provide explicitly requested content and functions. This includes, for example, the storage of settings and the safeguarding of the functionality and security of our online offering. Consent may be withdrawn at any time. We provide clear information about its scope and about which cookies are used.

Information on data protection legal bases: Whether we process personal data using cookies depends on consent. Where consent has been given, it constitutes the legal basis. Where consent is not required, we rely on our legitimate interests, as explained above in this section and in the context of the respective services and procedures.

Storage duration: With regard to storage duration, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest once a user leaves an online service and closes their end device (e.g. browser or mobile application).

  • Persistent cookies: Persistent cookies remain stored even after the end device is closed. For example, the login status may be saved and preferred content displayed directly when the user revisits a website. Usage data collected via cookies may also be used for reach measurement. If we do not provide users with explicit information on the type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies are persistent and that the storage duration may be up to two years.

General information on withdrawal and objection (opt-out): Users may withdraw their consent at any time and may also object to processing in accordance with statutory provisions, including by using the privacy settings of their browser.

  • Categories of data processed: Meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved). Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).

  • Data subjects: Users (e.g. website visitors, users of online services).

  • Purposes of processing: Provision of our online offering and user friendliness.

  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).

Overview of Cookies Used

Functionality
In the operation of this website, a technically necessary session cookie of the content management system Kirby is used.

Kirby (session cookie)
When accessing the website, a so-called session cookie named kirby_session may be set. This cookie is used exclusively for the technical provision and stability of the website.

The cookie is required to manage server-side session information and to ensure the secure operation of the content management system. It is particularly relevant for administrative functions in the backend of the website. For visitors to the public frontend of the website, this cookie has no content-related or tracking-related function.

The kirby_session cookie:

  • does not contain personal data in the strict sense,

  • is not used for analysis or tracking of user behavior,

  • is used exclusively for technical purposes,

  • is time-limited and is automatically deleted, at the latest after the end of the session or after a limited runtime.

The legal basis for the use of this cookie is Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in the secure, stable, and functional provision of the website.

Contact and Inquiry Management

When contacting us (e.g. by post, contact form, email, telephone, or via social media), as well as within existing user and business relationships, the information provided by the inquiring persons is processed insofar as this is necessary to respond to contact inquiries and any requested measures.

  • Categories of data processed: Inventory data (e.g. full name, postal address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or telephone numbers);
    Content data (e.g. textual or visual messages and contributions and the related information, such as authorship or time of creation); Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).

  • Data subjects: Communication partners.

  • Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g. collection of feedback via online forms); provision of our online offering and user friendliness.

  • Storage and deletion: Deletion in accordance with the information provided in the section “General Information on Data Storage and Deletion.”

  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Further information on processing operations, procedures, and services:

  • Contact form: When contacting us via our contact form, by email, or through other communication channels, we process the personal data transmitted to us in order to respond to and handle the respective inquiry. This generally includes information such as name, contact details, and any additional information provided that is necessary for appropriate processing. We use this data exclusively for the stated purpose of contact and communication; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Newsletter and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter referred to as “newsletters”) exclusively with the consent of the recipients or on the basis of a statutory authorization. If the contents of the newsletter are specified during the registration process, these contents are decisive for the users’ consent. As a rule, providing your email address is sufficient to subscribe to our newsletter. However, in order to offer you a personalized service, we may ask for your name to address you personally in the newsletter, or for additional information if this is necessary for the purpose of the newsletter.

Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them, in order to be able to demonstrate that consent was previously given. The processing of these data is restricted to the purpose of a potential defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In cases where we are obliged to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocking list (so-called “blocklist”).

The logging of the registration process is carried out on the basis of our legitimate interests for the purpose of documenting its proper execution. If we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure dispatch system.

Contents:
Information about us, our services, activities, and offers.

  • Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); meta, communication, and procedural data (e.g. IP addresses, time stamps, identification numbers, involved persons); usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions).

  • Data subjects: Communication partners.

  • Purposes of processing: Direct marketing (e.g. by email or post); reach measurement (e.g. access statistics, recognition of returning visitors).

  • Legal bases: Consent (Art. 6(1) sentence 1 lit. a GDPR); legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

  • Right to object (opt-out): You may unsubscribe from our newsletter at any time, i.e. revoke your consent or object to further receipt. A link to unsubscribe can be found at the end of each newsletter, or you may alternatively use one of the contact options listed above, preferably by email.

Further information on processing operations, procedures, and services:

  • Measurement of open and click rates: The newsletters contain so-called “web beacons,” i.e. pixel-sized files that are retrieved from our server or, if we use a mailing service provider, from their server when the newsletter is opened. As part of this retrieval, technical information such as details about the browser and your system, as well as your IP address and the time of retrieval, are initially collected. This information is used to technically improve our newsletter based on technical data or on target groups and their reading behavior, taking into account their access locations (which can be determined using the IP address) or access times. This analysis also includes determining whether and when newsletters are opened and which links are clicked. The information is assigned to individual newsletter recipients and stored in their profiles until deletion. The evaluations serve to identify our users’ reading habits and to adapt our content to them or to send different content according to users’ interests. The measurement of open and click rates, the storage of measurement results in user profiles, and their further processing are carried out on the basis of users’ consent. A separate revocation of performance measurement is unfortunately not possible; in this case, the entire newsletter subscription must be canceled or objected to. In such cases, the stored profile information will be deleted. Legal basis: Consent (Art. 6(1) sentence 1 lit. a GDPR).

  • Brevo: Email dispatch and automation services; service provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
    Website: https://www.brevo.com/; Privacy policy: https://www.brevo.com/legal/privacypolicy/. Data processing agreement: Provided by the service provider.

Social Listening / Press Clipping

Meltwater – Social Listening Tool / Press Clipping Tool

We use the Meltwater service provided by Meltwater Deutschland GmbH, Unter den Linden 21, 10117 Berlin, for the following purposes:

  • Social listening: analysis of publicly accessible content on social networks, blogs, forums, news websites, etc.

  • Media monitoring / press clipping: collection and evaluation of press publications and online media coverage relating to our organization, our brands, or relevant topics.

Purposes of processing:

  • Reputation management and strategic communications planning

  • Market and trend analyses

  • Identification of public opinion trends

  • Evaluation of PR and marketing activities

Legal basis:
The processing of personal data in the context of social listening and media monitoring is carried out on the basis of Art. 6(1)(f) GDPR (legitimate interests). Our legitimate interest lies in effective public relations work, the analysis and improvement of our communication strategies, and the protection of our organizational reputation.

The processed data originate exclusively from publicly accessible sources, in particular:

  • Social networks (e.g. Twitter/X, Instagram, Facebook – insofar as content is publicly accessible)

  • Online media and news websites

  • Blogs, forums, video platforms, and comment sections

  • Websites worldwide, insofar as there is a connection to our organization and activities

The selection of sources is carried out by Meltwater in accordance with contractual agreements. Depending on the context of the publication, the following personal data may be processed:

  • Name or username of the publishing person (e.g. author of a post)

  • Content of the publication (text, images, videos, possibly audio)

  • Date and time of publication

  • Source / URL

  • Language and, where publicly visible or stated, location

We do not carry out any further profiling and do not link this data with other personal information.

The data are processed on our behalf by Meltwater Deutschland GmbH, which acts as a processor pursuant to Art. 28 GDPR. A corresponding data processing agreement is in place. Data are only disclosed to third parties if this is necessary to fulfil the stated purposes or if there is a legal obligation to do so.

Data are stored only for as long as necessary for the aforementioned purposes. The retention period for data collected by Meltwater varies depending on the type of content:

  1. Editorial content (news): stored back to the year 2009

  2. Social media content: stored on a rolling basis for 15 months

  3. Specific social media platforms:

    • Facebook: 450 days (15 months) of historical data after authentication

    • YouTube: 30 days for videos and comments

    • Website comments: 15 months

The maximum searchable period for both news and social media content is one year.

After the expiry of these periods, the data are automatically deleted or deleted upon request.

Presences on Social Networks (Social Media)

We maintain online presences within social networks and, in this context, process user data in order to communicate with users active on these platforms or to provide information about us.

Please note that user data may be processed outside the European Union. This may result in risks for users, as the enforcement of users’ rights may, for example, be more difficult.

Furthermore, user data within social networks are generally processed for market research and advertising purposes. For example, usage profiles may be created based on users’ behaviour and resulting interests. These profiles may in turn be used to display advertisements within and outside the networks that presumably correspond to users’ interests. As a rule, cookies are stored on users’ devices in which usage behaviour and interests are recorded. In addition, data may be stored in usage profiles independently of the devices used by users (in particular if they are members of the respective platforms and logged in).

For a detailed description of the respective processing operations and the available options to object (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.

We also point out that requests for information and the assertion of data subject rights can be exercised most effectively with the respective platform providers, as only they have access to the user data and can take appropriate action and provide information directly. Should you nevertheless require assistance, you may contact us.

  • Types of data processed: Contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and posts, and related information such as authorship or time of creation); usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).

  • Data subjects: Users (e.g. website visitors, users of online services).

  • Purposes of processing: Communication; feedback (e.g. collecting feedback via online forms); public relations.

  • Retention and deletion: Deletion in accordance with the information provided in the section “General information on data storage and deletion.”

  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); consent (Art. 6(1)(a) GDPR).

Further information on processing operations, procedures, and services:

  • Instagram: Social network enabling the sharing of photos and videos, commenting on and favoriting posts, sending messages, and subscribing to profiles and pages; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.instagram.com; privacy policy: https://privacycenter.instagram.com/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).

  • Facebook Pages: Profiles within the Facebook social network – we are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data of visitors to our Facebook page (so-called “fan page”). This data includes information on the types of content users view or interact with, or actions they take (see “What information do we collect?” in Facebook’s Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see “Device information” in the Facebook Data Policy). As explained under “How do we use this information?” in the Facebook Data Policy, Facebook also collects and uses information to provide analytics services known as “Page Insights” to page operators, enabling them to gain insights into how people interact with their pages and related content. We have entered into a specific agreement with Facebook (“Page Insights Information,” https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular the security measures Facebook must observe and in which Facebook agrees to fulfil the rights of data subjects (i.e. users may direct requests for information or deletion directly to Facebook). The rights of users (in particular the right of access, erasure, objection, and complaint to a competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the “Page Insights Information.” Joint controllership is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with regard to transfers to its parent company Meta Platforms, Inc. in the USA; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.facebook.com; privacy policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).

  • LinkedIn: Social network – we are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of visitor data used to create “Page Insights” (statistics) for our LinkedIn profiles. This data includes information about the types of content users view or interact with and actions they take. In addition, details about the devices used are collected, such as IP addresses, operating system, browser type, language settings, and cookie data, as well as information from user profiles, such as job function, country, industry, seniority level, company size, and employment status. Information on LinkedIn’s processing of user data can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy. We have entered into a specific agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum,” https://legal.linkedin.com/pages-joint-controller-addendum), which regulates in particular the security measures LinkedIn must observe and in which LinkedIn agrees to fulfil data subject rights. Users’ rights (in particular the right of access, erasure, objection, and complaint to the competent supervisory authority) are not restricted by this agreement. Joint controllership is limited to the collection and transmission of data to LinkedIn Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, in particular with regard to transfers to its parent company LinkedIn Corporation in the USA; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

  • TikTok: Social network enabling the sharing of photos and videos, commenting on and favoriting posts, sending messages, and subscribing to accounts; service providers: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London EC1A 9HP, United Kingdom; legal basis: consent (Art. 6(1)(a) GDPR); website: https://www.tiktok.com; privacy policy: https://www.tiktok.com/de/privacy-policy. Basis for third-country transfers: Standard Contractual Clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).

  • X: Social network; service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://x.com; privacy policy: https://x.com/de/privacy.

  • YouTube: Social network and video platform; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: legitimate interests (Art. 6(1)(f) GDPR); privacy policy: https://policies.google.com/privacy; basis for third-country transfers: Data Privacy Framework (DPF). Opt-out option: https://myadcenter.google.com/personalizationoff.

  • Xing: Social network; service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; legal basis: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.xing.com/; privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.

Plug-ins and embedded functions and content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos, or maps (hereinafter collectively referred to as “content”).

The integration of such content always requires that the third-party providers process the users’ IP addresses, as they would otherwise not be able to transmit the content to the users’ browsers. The IP address is therefore necessary for the display of this content or these functions. We endeavor to use only such content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. These pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on users’ devices and may include, among other things, technical information about the browser and operating system, referring websites, time of visit, and further details on the use of our online offering, and may also be combined with such information from other sources.

Information on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for the data processing is such consent. Otherwise, users’ data are processed on the basis of our legitimate interests (i.e., our interest in efficient, economical, and user-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

  • Data subjects: Users (e.g., website visitors, users of online services).

  • Purposes of processing: Provision of our online offering and user-friendliness; provision of contractual services and fulfillment of contractual obligations.

  • Storage and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion.” Storage of cookies for up to two years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of up to two years).

  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing operations, procedures, and services:

  • Use of AdmiralCloud:
    We use embedded videos from the service “AdmiralCloud” on our website. AdmiralCloud is a platform that enables, among other things, the playback of audio and video files. When you access a page on our website that contains an embedded player, the player establishes a connection to AdmiralCloud in order to ensure the technical transmission of the video or audio file. When the connection to AdmiralCloud is established, data are transmitted to AdmiralCloud AG. Service provider: AdmiralCloud AG, Gustav-Meyer-Allee 25, Building 12/2, 13355 Berlin, Germany. Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
    Website: https://www.admiralcloud.com. Privacy policy: https://www.admiralcloud.com/datenschutz/.

Data Protection in the Context of Applications and the Application Procedure

The processing of data primarily serves the conduct and administration of the application procedure and the assessment of whether suitability for the respective position exists. As a result, the processing of your applicant data is necessary in order to decide on the establishment of an employment relationship and thus on recruitment. The primary legal basis for this is Art. 6(1)(b) GDPR.

The processing of special categories of personal data takes place—where required for the decision on recruitment—on the basis of Art. 9(1) GDPR. If you have voluntarily provided us with special categories of personal data whose processing is not required for the decision on recruitment, their collection and processing is based on the consent granted by you upon submission.

We also collect and process personal data of applicants on the basis of legitimate interests for the defence against legal claims (in particular under the German General Equal Treatment Act, AGG) pursuant to Art. 6(1), sentence 1, lit. f GDPR.

Processing may also take place electronically. This is particularly the case if an applicant submits relevant application documents electronically, for example by email. For applications by email, we have set up a dedicated email address (bewerbung@documenta.de).

If an employment contract is concluded with an applicant, the transmitted data will be stored for the purpose of implementing the employment relationship in compliance with the statutory provisions. If no such contract is concluded, the application documents will be automatically deleted no later than six months after notification of the rejection decision, unless deletion conflicts with other legitimate interests on our part. An example of such a “legitimate interest” is the obligation to provide evidence in proceedings under the General Equal Treatment Act (AGG).

Data Protection Information for Participation in Events

We process the personal data you provide to us during the registration process for the purpose of preparing and conducting the respective event and for capacity planning, on the basis of your consent granted through registration pursuant to Art. 6(1)(a) GDPR, and—depending on the nature of the event—on the basis of a contract pursuant to Art. 6(1)(b) GDPR.

You may revoke your consent at any time with effect for the future. Revocation will result in us no longer being able to use your personal data for the event requiring registration, and your participation in the event will therefore no longer be possible.

Where necessary, we process your data beyond your consent pursuant to Art. 6(1), sentence 1, lit. f GDPR in order to safeguard our legitimate interests or those of third parties, for example for the defence in legal disputes.

Please note that photo and/or video recordings are made at our events and that the image and/or video material may be published for the purpose of public relations work (in particular reporting on the respective event) on the internet, on websites operated by documenta and Museum Fridericianum gGmbH or its cooperation partners, on social media, and/or in publications of documenta and Museum Fridericianum gGmbH or its cooperation partners.

By participating in the event, you consent to the publication of photo and video recordings made during the event (§§ 22, 23 German Copyright Act – KUG). The collection, i.e. photographic recording, and processing thereof takes place for the purpose of illustrated reporting on the basis of Art. 6(1), sentence 1, lit. f GDPR.

We inform you that, pursuant to Art. 21(1) GDPR, you may object to this processing for reasons arising from your particular situation. In such cases, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defence of legal claims. The objection must be addressed to the contact details provided above.

Please note that documentation of the event may give rise to archival records worthy of preservation, which may be transferred to the holdings of the documenta archive. If archival materials contain personal data relating to you, we process such data on the basis of Art. 6(1)(c) GDPR in conjunction with §§ 7, 8, and 11 of the Hessian Archives Act (HArchivG). Any special categories of personal data processed in this context are processed on the basis of § 25 of the Hessian Data Protection and Information Security Act (HDSIG).

If you have any questions regarding this information, including your (data protection) rights, you may also contact our Data Protection Officer.

Amendments and Updates

We ask that you regularly review the content of our privacy policy. We will amend the privacy policy as soon as changes to the data processing activities carried out by us make this necessary. We will inform you if any amendments require your cooperation (e.g. consent) or any other individual notification.

Where we provide addresses and contact information of companies and organisations in this privacy policy, please note that addresses may change over time and we ask that you verify the information before making contact.

In the event of discrepancies between the German and English versions, the German version shall prevail.