Privacy Policy

Introduction and Overview

We have written this Privacy Policy (version 15.03.2024-312746810) to explain, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, what personal data (referred to simply as “data”) we, as the responsible party, and the processors we engage (e.g. service providers) process, what data we will process in the future, and what lawful options you have. All terms used are to be understood in a gender-neutral manner. In short: We inform you comprehensively about the data we process about you.

Scope

This Privacy Policy applies to all personal data processed by us within the company, and to all personal data processed by companies (processors) engaged by us. By personal data, we mean information within the meaning of Art. 4 No. 1 GDPR, such as a person’s name, email address, and postal address. The processing of personal data enables us to offer and bill for our services and products, whether online or offline. The scope of this Privacy Policy covers:

  • All online presences (websites, online shops) that we operate
  • Social media presences and email communication
  • Mobile apps for smartphones and other devices

In short: This Privacy Policy applies to all areas in which personal data is processed in a structured manner within the company through the channels mentioned above. Should we enter into legal relationships with you outside of these channels, we will inform you separately where appropriate.

Legal Bases

In the following Privacy Policy, we provide you with transparent information about the legal principles and regulations — i.e. the legal bases under the General Data Protection Regulation — that allow us to process personal data. With regard to EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can of course read this EU General Data Protection Regulation online on EUR-Lex, the gateway to EU law, at https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=celex%3A32016R0679.

We only process your data if at least one of the following conditions applies:

  • Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of data you entered in a contact form.
  • Legal obligation (Article 6(1)(c) GDPR): Where we are subject to a legal obligation, we process your data. For example, we are legally required to retain invoices for accounting purposes. These generally contain personal data.
  • Legitimate interests (Article 6(1)(f) GDPR): In the case of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data. For example, we need to process certain data in order to operate our website securely and economically. This processing therefore constitutes a legitimate interest.

Other conditions, such as the performance of tasks carried out in the public interest, the exercise of official authority, or the protection of vital interests, generally do not apply to us. Where such a legal basis is nonetheless relevant, it will be indicated at the appropriate point.

In addition to EU regulations, national laws also apply:

  • In Austria, this is the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act), or DSG for short.
  • In Germany, the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) applies.

Where further regional or national laws apply, we will inform you in the sections below.

Contact Details of the Controller

If you have any questions about data protection or the processing of personal data, the contact details of the responsible person or body are as follows:

Christiane Rhein
Potsdamer Strasse 93
10785 Berlin
Authorised representative: NN
Email: info@gallery-weekend-berlin.de
Phone: +49 30 70038771
Legal notice: https://www.gallery-weekend-berlin.de

Retention Period

It is our general policy to store personal data only for as long as is necessary for the provision of our services. This means that we delete personal data as soon as the reason for the data processing no longer exists. In some cases, we are legally obliged to retain certain data even after the original purpose has ceased — for example, for accounting purposes.

If you request the deletion of your data or withdraw your consent to data processing, the data will be deleted as quickly as possible, provided there is no obligation to retain it.

We will inform you further below about the specific duration of the respective data processing, where we have additional information available.

If you believe that the processing of your data violates data protection law or that your data protection rights have been infringed in any other way, you may lodge a complaint with the supervisory authority. In Austria, this is the Data Protection Authority, whose website can be found at https://www.dsb.gv.at/. In Germany, each federal state has its own data protection commissioner. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The following local data protection authority is responsible for our company:

Berlin Data Protection Authority
State Commissioner for Data Protection: Meike Kamp
Address: Alt-Moabit 59–61, 10969 Berlin
Phone: 030/138 89-0
Email: mailbox@datenschutz-berlin.de
Website: https://www.datenschutz-berlin.de/

Data Processing Security

To protect personal data, we have implemented both technical and organisational measures. Where possible, we encrypt or pseudonymise personal data. This makes it as difficult as possible, within our means, for third parties to infer personal information from our data.

Art. 25 GDPR refers to this as “data protection by design and by default,” meaning that security is always considered — and appropriate measures taken — for both software (e.g. forms) and hardware (e.g. access to the server room). Where necessary, we will address specific measures further below.

When you contact us by phone, email, or online form, personal data may be processed. The data is processed for the purpose of handling and responding to your enquiry and the related business transaction. Data is stored for as long as the transaction requires or as the law prescribes.

Data subjects: All individuals who contact us via the communication channels we provide.

Phone: When you call us, call data is stored in pseudonymised form on the relevant device and by the telecommunications provider used. Additionally, data such as name and phone number may subsequently be sent by email and stored for the purpose of responding to your enquiry. Data is deleted once the business transaction has been completed and legal requirements permit.

Email: When you communicate with us by email, data may be stored on the relevant device (computer, laptop, smartphone, etc.) and on the email server. Data is deleted once the business transaction has been completed and legal requirements permit.

Online forms: When you communicate with us via an online form, data is stored on our web server and may be forwarded to one of our email addresses. Data is deleted once the business transaction has been completed and legal requirements permit.

Legal bases for data processing:

  • Art. 6(1)(a) GDPR (Consent): You give us consent to store your data and use it further for purposes related to the business transaction.
  • Art. 6(1)(b) GDPR (Contract): Processing is necessary for the performance of a contract with you or a processor such as a telephone provider, or we need to process the data for pre-contractual activities, such as preparing a quote.
  • Art. 6(1)(f) GDPR (Legitimate interests): We wish to handle customer enquiries and business communications in a professional manner, which requires certain technical facilities such as email programmes, Exchange servers, and mobile network operators.

Data we may collect and process includes: name, contact address, email address, phone number, and metadata (IP address, device information).

Retention period: We delete customer data when it is no longer required to fulfil our contractual obligations and purposes, and when it is no longer needed for potential warranty and liability obligations — for example, when a business contract ends. After this, the standard limitation period is generally 3 years, though longer periods may apply in individual cases. We of course comply with statutory retention obligations. Your customer data will not be passed on to third parties without your explicit consent.

Legal Basis

The legal bases for processing your data are Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (contract or pre-contractual measures), Art. 6(1)(f) GDPR (legitimate interests), and in special cases (e.g. medical services) Art. 9(2)(a) GDPR (processing of special categories of data).

For the protection of vital interests, data processing is carried out in accordance with Art. 9(2)(c) GDPR. For purposes of healthcare, occupational medicine, medical diagnosis, care or treatment in the health or social sector, or the management of health or social systems and services, personal data is processed pursuant to Art. 9(2)(h) GDPR. Where you voluntarily provide data belonging to special categories, processing is based on Art. 9(2)(a) GDPR.

Duration of Data Processing

If you unsubscribe from our email/newsletter mailing list, we may retain your address for up to three years on the basis of our legitimate interests, in order to be able to demonstrate your former consent. We may only process this data if we need to defend ourselves against potential claims.

If, however, you confirm that you gave us consent to subscribe to the newsletter, you may submit an individual deletion request at any time. If you permanently object to the consent, we reserve the right to store your email address on a blocklist. For as long as you have voluntarily subscribed to our newsletter, we will of course retain your email address.

Right to object: You may cancel your newsletter subscription at any time by simply revoking your consent. This normally takes only a few seconds or one or two clicks. Most often, a link to unsubscribe can be found directly at the bottom of each email. If you genuinely cannot find a link in the newsletter, please contact us by email and we will cancel your subscription without delay.

Legal basis: The sending of our newsletter is based on your consent (Article 6(1)(a) GDPR). This means we may only send you a newsletter if you have actively signed up for it beforehand. Where applicable, we may also send you promotional messages if you have become a customer and have not objected to the use of your email address for direct marketing.

Information about specific email marketing services and how they process personal data can be found — where applicable — in the sections below.