Privacy Policy
Preamble
With the following privacy policy, we aim to outline the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent. The privacy policy applies to all the processing of personal data we carry out, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within our external online presence, such as our social media profiles (hereinafter collectively referred to as “online offering”).
The terms used are not gender-specific.
Last revised: April 9, 2025
Table of contents
Preamble
Controller
Relevant legal bases
Security measures
Transfer of personal data
International data transfers
Rights of the data subjects
Provision of the online offering and web hosting
Use of cookies
Contact and request management
Audio content
Newsletter and electronic notifications
Web analysis, monitoring, and optimization
Social Listening / Press Clipping
Presence in social networks (social media)
Plug-ins and embedded functions and content
Data protection for job applications and in the application process
Data protection information for participation in events
Amendments and updating
Controller
documenta und Museum Fridericianum gGmbH
Friedrichsplatz 18
34117 Kassel
T +49 561 70727-0
F +49 561 70727-39
Imprint
You can reach our data protection officer using the following contact details:
Our external data protection officer Mr. Blazy (GDPC GbR) can be contacted by telephone on +49 (0) 561 830 99 165, by mail at the above address with the addition “Data Protection Officer”, and by e-mail at datenschutzbeauftragter@documenta.de.
Relevant legal bases
Relevant legal bases under the GDPR: The following provides an overview of the legal bases for our processing of personal data according to the GDPR. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases also apply in individual cases, we will inform you of these in the privacy policy.
Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or so that we take steps at the request of the data subject prior to entering into a contract.
Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National data protection regulations in Germany: In addition to the data protection regulations under the GDPR, there are national data protection regulations that apply in Germany. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). Notably, the BDSG contains special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission, as well as automated decision-making in individual cases, including profiling. Furthermore, the data protection laws of the individual federal states may also apply.
Security measures
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as controlling access authorization, input, transfer, safeguarding of availability, and separation of such data. We have also established procedures to ensure that data subjects’ rights are exercised, data are deleted, and we respond to data threats. Furthermore, we take into account the protection of personal data as early as the development or selection of hardware, software, and processes in accordance with the principle of data protection, through technology design, and through data protection-friendly default settings.
Securing online connections using TLS/SSL encryption technology (HTTPS): To protect user data transferred via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information that is transmitted between the website or app and the user’s browser (or between two servers), which protects the data from unauthorized access. TLS is the advanced and more secure version of SSL and therefore ensures that any data transfer meets the highest security standards. If a website is secured by an SSL/TLS certificate, this is indicated by the letters HTTPS displayed in the URL. This indicates to users that their data are transferred securely and encrypted.
Transfer of personal data
As we process personal data, it may occur that they are transferred or disclosed to other bodies, companies, legally independent organizational units, or persons. The recipients of these data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, most notably, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.
International data transfers
Data processing in third countries: If we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies, or companies (which can be recognized by the postal address of the respective provider or if the data privacy policy expressly refers to the transfer of data to third countries), this will always take place in accordance with the legal requirements.
For data transfers to the USA, we rely primarily on the Data Privacy Framework (DPF), which was recognized as a secure legal framework in an adequacy decision by the European Commission on July 10, 2023. In addition, we have concluded standard contractual clauses with the respective providers that comply with the requirements of the European Commission and stipulate contractual obligations to protect your data.
This dual safeguard guarantees comprehensive protection of your data: The DPF forms the primary level of protection, while the standard contractual clauses serve as additional security. Should changes occur within the framework of the DPF, the standard contractual clauses act as a reliable fallback option. In this way, we ensure that your data always remain appropriately protected, even in the event of any political or legal changes.
For the individual service providers, we will inform you whether they are certified in accordance with the DPF and whether any standard contractual clauses (SCCs) are in place. You can find more information on the DPF and a list of certified companies on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/
For data transfers to other third countries, appropriate security measures apply, most notably standard contractual clauses, explicit consent, or legally required transfers. Details of third country transfers and applicable adequacy decisions are available in the information material provided by the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de
Rights of the data subjects
Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:
Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data that concern you, which is based on point (e) or (f) of Art. 6(1) GDPR; this also applies to profiling based on those provisions. Where the personal data that concern you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
Right to withdraw consent: You have the right to withdraw your consent at any time.
Right of access: You have the right to obtain confirmation as to whether the data in question are being processed and to information about these data, as well as further information and a copy of the data in accordance with the legal requirements.
Right to rectification: In accordance with the legal requirements, you have the right to have incomplete personal data completed or to have incorrect personal data rectified.
Right to erasure and restriction of processing: In accordance with the legal requirements, you have the right to demand the erasure of personal data concerning you without undue delay or, alternatively, to demand that the processing of the data be restricted in accordance with the legal requirements.
Right to data portability: You have the right to receive the personal data concerning you, which you provided to us, in a structured, commonly used, and machine-readable format or to have it transferred to another controller, in accordance with the legal requirements.
Lodging a complaint with a supervisory authority: In accordance with the legal requirements and without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State of your habitual residence or the supervisory authority of your place of work or place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR.
Provision of the online offering and web hosting
We process users’ data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or end device.
Types of data processed: usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication, and process data (e.g. IP addresses, time data, identification numbers, persons involved); log data (e.g. log files relating to logins or the retrieval of data or access times).
Persons affected: users (e.g. website visitors, users of online services).
Purposes of the processing: provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures.
Storage and deletion: deletion in accordance with the information in the section “General information on data storage and deletion”.
Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures, and services:
Provision of online offering on rented storage space: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider, namely Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen (also referred to as “web host”). Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files”. The server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the event of abusive attacks, so-called DDoS attacks), and also to ensure the utilization of the servers and their stability. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes are excluded from deletion until the respective incident has been definitively resolved.
Use of cookies
The term “cookies” refers to functions that store information on users’ end devices and read it from them. Cookies can also be used for various purposes, for example to ensure the functionality, security, and convenience of online offerings and to analyze visitor flows. We use cookies in accordance with the statutory provisions. If necessary, we obtain the user’s consent in advance. If consent is not required, we rely on our legitimate interests. This applies if the storage and reading of information is essential in order to be able to provide expressly requested content and functions. This includes, for example, saving users’ settings and ensuring the functionality and security of our online offering. Consent can be revoked at any time. We provide clear information about its scope and about which cookies are used.
Information on the legal basis in relation to data protection law: Whether we process personal data using cookies depends on consent. If consent has been given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and processes.
Storage period: With regard to the storage period, a distinction is made between the following types of cookies:
Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user has left an online offering and closed their end device (e.g. browser or mobile application).
Permanent cookies: Permanent cookies remain stored even after the end device is closed. This means, for example, that a user’s log-in status can be saved and their preferred content displayed directly when they visit a website again. The user data collected with the help of cookies can likewise be used to measure reach. If we do not provide users with explicit information on the type of cookies and duration of storage (e.g. when obtaining consent), they should assume that they are permanent and that the duration of storage can be up to two years.
General information on revocation and objection (opt-out): Users can revoke the consent they have given at any time and also object to the processing in accordance with the legal requirements, including through the privacy settings of their browser.
Types of data processed: meta, communication, and process data (e.g. IP addresses, time data, identification numbers, persons involved); usage data (e.g. page views and length of stay, click paths, intensity, and frequency of use, device types and operating systems used, interactions with content and functions).
Persons affected: users (e.g. website visitors, users of online services).
Purposes of the processing: provision of our online offering and user-friendliness.
Legal basis: legitimate interests (Art. 6(1)(f) GDPR); consent (Art. 6(1)(a) GDPR).
Further information on processing operations, procedures, and services:
Processing of cookie data on the basis of consent: We use a consent management solution in which user consent is obtained for the use of cookies or for the procedures and providers named in the consent management solution. This procedure is used to obtain, log, manage, and revoke consent, in particular with regard to the use of cookies and similar technologies that are used to store, read, and process information on users’ end devices. As part of this procedure, user consent is obtained for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management procedure. Users also have the option of managing and revoking their consent. The declarations of consent are stored in order to avoid repeated requests and so that we are able to provide proof of consent in accordance with legal requirements. Storage takes place on the server side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies so that the consent can be assigned to a specific user or their device. If no specific information is available on the providers of consent management services, the following general information applies: The duration of storage for consent is up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, information on the scope of consent (e.g. relevant categories of cookies and/or service providers), and information on the browser, system, and end device used. Legal basis: consent (Art. 6(1)(a) GDPR).
CookieConsent: consent management – procedures for obtaining, logging, managing, and revoking consent, in particular for the use of cookies and similar technologies for storing, reading, and processing information on users’ end devices and their processing. Service provider: execution on servers and/or computers under own responsibility according to data protection law. Legal bases: legitimate interests (Art. 6(1)(f) GDPR). Website: https://cookieconsent.orestbida.com/.
Overview of the cookies used
Functionality
These cookies enable basic interactions and features. They allow access to selected functions of our website and facilitate communication with us.
Google reCAPTCHA v3 – Provider: Google
This service is invisible and does not set conventional cookies. It analyzes user behavior in the background (e.g., mouse movements, time spent on the site, IP address, device and browser information) to distinguish between human users and bots.
Data recipient: Google LLC, USA
Storage duration: no cookies, but immediate transfer of personal data
Legal basis: legitimate interest pursuant to Art. 6 (1) lit. f GDPR
Further information: Google Privacy Policy, Terms of Service
Experience
These cookies help us improve the quality of your user experience and enable interaction with external content, networks, and platforms.
YSC – Provider: YouTube (Google), Storage duration: session
VISITORINFO1LIVE – Provider: YouTube (Google), Storage duration: 6 months
PREF – Provider: YouTube (Google), Storage duration: 8 months
Measurement
These cookies help us measure traffic and analyze user behavior in order to improve our service.
fathom – Provider: Fathom Analytics, Storage duration: 1 week
Fathom Analytics is a privacy-focused web analytics service that operates in compliance with the GDPR and does not store personal data or build tracking profiles. More information: Fathom Docs
Contact and request management
When a person contacts us (e.g. by post, contact form, e-mail, telephone, or via social media) and in the context of existing user and business relationships, the data of the inquiring persons are processed insofar as this is necessary to respond to the inquiries and any requested measures.
Types of data processed: basic data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. text or image messages and contributions as well as the information relating to them, such as information on authorship or time of creation); usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication, and process data (e.g. IP addresses, time data, identification numbers, persons involved).
Persons affected: communication partners.
Purposes of the processing: communication; organizational and administrative procedures; feedback (e.g. collecting feedback via online form); provision of our online offering and user-friendliness.
Storage and deletion: deletion in accordance with the information in the section “General information on data storage and deletion”.
Legal basis: legitimate interests (Art. 6(1)(f) GDPR); performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Further information on processing operations, procedures, and services:
Contact form: When a person contacts us via our contact form, by e-mail, or through other communication channels, we process the personal data transmitted to us in order to respond to and process the respective request. This usually includes details such as name, contact information, and, if applicable, other information that is provided to us and is required for appropriate processing. We use these data exclusively for the stated purpose of establishing contact and communication. Legal basis: performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
Audio content
We use hosting offers from service providers so that we can make our audio content available for listening and downloading. As part of this, we use platforms that make it possible to upload, save, and distribute audio material.
Types of data processed: usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication, and process data (e.g. IP addresses, time data, identification numbers, persons involved); log data (e.g. log files relating to logins or the retrieval of data or access times).
Persons affected: users (e.g. website visitors, users of online services).
Purposes of the processing: measuring reach (e.g. access statistics, recognition of returning visitors); conversion measurement (measurement of the effectiveness of marketing measures); profiles with user-related information (creation of user profiles); provision of our online offering and user-friendliness;
Storage and deletion: deletion in accordance with the information in the section “General information on data storage and deletion”.
Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures, and services:
Soundcloud: SoundCloud – music hosting. Service provider: SoundCloud Limited, Rheinsberger Str. 76/77, 10115 Berlin, Germany. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Website: https://soundcloud.com. Privacy policy: https://soundcloud.com/pages/privacy.
Newsletter and electronic notifications
We send newsletters, e-mails, and other electronic notifications (hereinafter “newsletters”) exclusively with the consent of the recipients or arising from a legal basis. If the newsletter subscription process includes mention of the content of the newsletter, such content is decisive for the user’s consent. To subscribe to our newsletter, it is normally sufficient to enter your e-mail address. However, in order to be able to offer you a personalized service, we may ask you to provide your name so that we can address you personally in the newsletter, or to provide further information if this is necessary for the purpose of the newsletter.
Erasure and restriction of processing: We may store the unsubscribed e-mail addresses for up to three years on the basis of our legitimate interests before we delete them in order to be able to prove that consent was previously given. The purpose of processing these data is limited to potential defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the event of obligations to permanently observe objections, we reserve the right to store the e-mail address in a blocklist for this purpose alone.
The subscription process is logged on the basis of our legitimate interests for the purpose of proving that it was carried out properly. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests in an efficient and secure mailing system.
Contents:
Information about us, our services, promotions, and offers.
Types of data processed: basic data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers); meta, communication, and process data (e.g. IP addresses, time data, identification numbers, persons involved); usage data (e.g. page views and length of stay, click paths, intensity, and frequency of use, device types and operating systems used, interactions with content and functions).
Persons affected: communication partners.
Purposes of the processing: direct marketing (e.g. by e-mail or post); measuring reach (e.g. access statistics, repeat visitor recognition).
Legal basis: consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Right to object (opt-out): You can unsubscribe from our newsletter at any time, i.e. revoke your consent or object to further receipt. You will find a link to unsubscribe from the newsletter at the end of each newsletter, or you can do so using one of the contact options listed above, preferably e-mail.
Further information on processing operations, procedures, and services:
Measurement of opening and click rates: The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is retrieved from our server, or the server of a mailing service provider if we are using one, when the newsletter is opened. As part of this retrieval, technical information, such as details of the browser and your system, as well as your IP address and the time of retrieval are initially collected. This information is used for technical improvement of our newsletter based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or the access times. This analysis also includes determining whether and when the newsletters are opened and which links are clicked on. The information is assigned to the individual newsletter recipients and stored in their profiles until it is deleted. The evaluations are used to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. Measurement of opening and click rates as well as storage of the results of such measurement in the user profiles and their further processing take place on the basis of user consent. Separate revocation of the performance measurement is unfortunately not possible, as it would involve cancelling or objecting to the entire newsletter subscription. This would mean that the stored profile information would then be deleted. Legal basis: consent (Art. 6(1)(a) GDPR).
Brevo: e-mail dispatch and automation services. Service provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.brevo.com/. Privacy policy: https://www.brevo.com/legal/privacypolicy/. Data processing agreement: provided by the service provider.
Web analysis, monitoring, and optimization
Web analysis (also referred to as “reach measurement”) is used to evaluate the flow of visitors to our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognize at what time our online offering or its functions or content are most frequently used or invite reuse. We are also able to understand which areas require optimization.
In addition to web analysis, we may also use test procedures, for example to test and optimize different versions of our online offering or its components.
Unless otherwise stated below, profiles, i.e. data summarized for a usage process, can be created for these purposes, and information can be stored in a browser or in an end device and then read. The information collected includes, in particular, websites visited and the elements used there, as well as technical information such as the browser used, the computer system used, and information on usage times. If users have consented to the collection of their location data from us or from the providers of the services we use, it is also possible to process location data.
In addition, the IP addresses of users are stored, but we use an IP masking procedure (i.e. pseudonymization through abbreviation of the IP address) to protect users. In general, it is the pseudonyms rather than any clear user data (such as e-mail addresses or names) that are stored in the context of web analysis, A/B testing, and optimization. This means that neither we nor the providers of the software used know the actual identity of the users; only the information stored in their profiles for the purpose of the respective procedures is known.
Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is that consent. Otherwise, user data are processed on the basis of our legitimate interests (i.e. interest in providing efficient, economical, and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
Types of data processed: usage data (e.g. page views and length of stay, click paths, intensity, and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication, and process data (e.g. IP addresses, time data, identification numbers, persons involved).
Persons affected: users (e.g. website visitors, users of online services).
Purposes of the processing: measuring reach (e.g. access statistics, repeat visitor recognition); profiles with user-related information (creation of user profiles).
Storage and deletion: deletion in accordance with the information in the section “General information on data storage and deletion”. Storage of cookies for up to two years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of two years).
Security measures: IP masking (pseudonymization of the IP address).
Legal basis: consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures, and services:
fathom: Web analysis and reach measurement (no use of cookies; measurement is limited to our online offering; use of data protection-compliant pseudonymization procedures; see https://usefathom.com/data). Service provider: Conva Ventures Inc. BOX 37058 Millstream PO, Victoria, BC, V9B 0E8, Canada. Legal basis: consent (Art. 6(1)(a) GDPR). Website: https://usefathom.com/. Privacy policy: https://usefathom.com/privacy.
Social listening / press clipping
Meltwater – social listening tool / press clipping tool
We use the Meltwater service from Meltwater Deutschland GmbH, Unter den Linden 21, 10117 Berlin, to carry out:
Social listening: analysis of publicly accessible content in social networks, blogs, forums, news sites, etc.
Media monitoring / press clipping: recording and evaluation of press releases and online media for reporting on our company, our brands, or relevant topics.
Purposes of the processing:
Reputation management and strategic communication planning
Market and trend analyses
Identifying public opinion
Evaluating PR and marketing measures
Legal basis:
The processing of personal data in the context of social listening and media monitoring is based on Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in effective public relations, analyzing and improving our communication strategies, and protecting our corporate image.
The data processed comes from publicly accessible sources, in particular:
Social networks (e.g. Twitter/X, Instagram, Facebook – if publicly visible)
Online media and news sites
Blogs, forums, video platforms, and comments section
Websites (worldwide), provided there is a connection to our company and our activities
These sources are selected by Meltwater in accordance with a contractual agreement. Depending on the context of the publication, the following personal data may be processed:
Name or user name of the publishing person (e.g. author of a post)
Content of the publication (text, images, videos, sound if applicable)
Date and time of publication
Source / URL
Language and, if applicable, location (if publicly visible or specified)
We do not carry out any further profiling and do not link these data with other personal information.
The data are processed by Meltwater Deutschland GmbH on our behalf. Meltwater acts as a processor in accordance with Art. 28 GDPR. A corresponding contractual agreement has been concluded. Data will only be passed on to third parties if this is necessary to fulfill the purpose or if there are legal obligations.
The data will only be stored for as long as is necessary for the stated purposes. The storage period of the data collected by Meltwater varies depending on the type of content:
Editorial content (news): will be stored until 2009.
Social media content: stored over a rolling period of 15 months.
Specific social media platforms:
• Facebook: 450 days (15 months) of historical data after authentication.
• YouTube: 30 days for videos and comments.
• Comments on websites: 15 months.
The maximum search range for news and social media content is one year in each case.
The data will be deleted automatically at the end of the specified periods, or on request.
Presence in social networks (social media)
We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.
We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce user rights.
Furthermore, user data within social networks are generally processed for market research and advertising purposes. For example, user behavior and the resulting interests of users may be utilized to create user profiles. These may then be utilized in turn, for example, to place advertisements inside and outside the networks that presumably correspond to the interests of the users. For this, cookies are generally stored on the user’s computer so that their usage behavior and interests can be saved. In addition, data can also be stored in the user profiles independently of the devices they use (especially if they are members of the respective platforms and are logged in there).
For a detailed description of the respective forms of processing and the opt-out options, please refer to the data privacy policies and information provided by the operators of the respective networks.
In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. They are the only ones who have access to the user data and can take appropriate measures and provide information directly. If you still need help, you can contact us.
Types of data processed: contact data (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. text or image messages and contributions and the information relating to them, such as information on authorship or time of creation); usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication, and process data (e.g. IP addresses, time data, identification numbers, persons involved).
Persons affected: users (e.g. website visitors, users of online services).
Purposes of the processing: communication; feedback (e.g. collecting feedback via online form); public relations.
Storage and deletion: deletion in accordance with the information in the section “General information on data storage and deletion”.
Legal basis: legitimate interests (Art. 6(1)(f) GDPR); consent (Art. 6(1)(a) GDPR).
Further information on processing processes, procedures and services:
Instagram: Social network, allows you to share photos and videos, comment on and favorite posts, send messages, subscribe to profiles and pages; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for third country transfers: Data Privacy Framework (DPF).
Facebook pages: profiles within the social network Facebook. We share joint controllership with Meta Platforms Ireland Limited for the collection (but not the further processing) of data on visitors to our Facebook page (so-called “fan page”). These data include information about the types of content users view or interact with, or the actions they take (see under “What information do we collect?” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see under “Device information” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As described in the Facebook Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services, known as “Page Insights”, for page operators to help them understand how people interact with their pages and the content associated with them. We have concluded a special agreement with Facebook (“Information about Page Insights”, https://www.facebook.com/legal/terms/page_controller_addendum), which governs in particular which security measures Facebook must observe, and in which Facebook has agreed to fulfill the rights of data subjects (i.e. users can, for example, send information or erasure requests directly to Facebook). The rights of users (in particular the right to information, erasure, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information is provided in the “Information about Page Insights Data” (https://www.facebook.com/legal/terms/information_about_page_insights_data). The joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which concerns, in particular, the transmission of the data to the parent company Meta Platforms, Inc. in the USA. Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.facebook.com. Privacy policy: https://www.facebook.com/privacy/policy/. Basis for third country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://www.facebook.com/legal/EU_data_transfer_addendum), Data Privacy Framework (DPF), standard contractual clauses (https://www.facebook.com/legal/EU_data_transfer_addendum)
LinkedIn: social network. We share joint controllership with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of visitors’ data used to create the “page insights” (statistics) of our LinkedIn profiles. These data include information about the types of content that users view or interact with and the actions they take. Details about the devices used are also recorded, such as IP addresses, operating system, browser type, language settings, and cookie data, as well as information from the user profiles, such as job function, country, industry, hierarchy level, company size, and employment status. Data protection information on the processing of user data by LinkedIn can be found in the LinkedIn Privacy Policy: https://www.linkedin.com/legal/privacy-policy.
We have concluded a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum”, https://legal.linkedin.com/pages-joint-controller-addendum), which governs in particular which security measures LinkedIn must observe and in which LinkedIn has agreed to fulfill the rights of the data subjects (i.e. users can, for example, send requests for information or deletion directly to LinkedIn). The rights of users (in particular the right to information, erasure, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. The joint controllership is limited to the collection and transfer of data to LinkedIn Ireland Unlimited Company, a company based in the EU. Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, in particular with regard to transferring data to the parent company LinkedIn Corporation in the USA. Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.linkedin.com. Privacy policy: https://www.linkedin.com/legal/privacy-policy. Basis for third country transfers: Data Privacy Framework (DPF), standard contractual clauses (https://legal.linkedin.com/dpa), Data Privacy Framework (DPF) standard contractual clauses (https://legal.linkedin.com/dpa). Right to object (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.TikTok: social network, allows users to share photos and videos, comment on posts and mark them as favorites, send messages, and follow accounts. Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP. Legal basis: consent (Art. 6(1)(a) GDPR). Website: https://www.tiktok.com. Privacy policy: https://www.tiktok.com/de/privacy-policy. Basis for third country transfers: standard contractual clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms), standard contractual clauses (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).
X: social network. Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Website: https://x.com. Privacy policy: https://x.com/en/privacy.
YouTube: social network and video platform. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Privacy policy: https://policies.google.com/privacy. Basis for third country transfers: Data Privacy Framework (DPF), Data Privacy Framework (DPF). Right to object (opt-out): https://myadcenter.google.com/personalizationoff.
Xing: social network. Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.xing.com/. Privacy policy: https://privacy.xing.com/en/privacy-policy.
Plug-ins and embedded functions and content
We incorporate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos, or city maps (hereinafter uniformly referred to as “content”).
The integration always requires that the third-party providers of this content process the IP address of the user, as without the IP address they would not be able to send the content to their browser. The IP address is therefore required to display this content or function. We endeavor to use only such content whose respective providers use the IP address solely to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to analyze information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and contain, among other things, technical information about the browser and operating system, referring websites, visiting time and other information about the use of our online offering, but may also be linked to such information from other sources.
Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is that consent. Otherwise, user data are processed on the basis of our legitimate interests (i.e. interest in providing efficient, economical, and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
Types of data processed: usage data (e.g. page views and length of stay, click paths, intensity, and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication, and process data (e.g. IP addresses, time data, identification numbers, persons involved).
Persons affected: users (e.g. website visitors, users of online services).
Purposes of the processing: provision of our online offering and user-friendliness; performance of contractual services and fulfillment of contractual obligations.
Storage and deletion: deletion in accordance with the information in the section “General information on data storage and deletion”. Storage of cookies for up to two years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of two years).
Legal basis: consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing processes, procedures and services:
reCAPTCHA: We integrate the “reCAPTCHA” function in order to be able to recognize whether entries (e.g. in online forms) are made by humans and not by automatically acting machines (so-called “bots”). The processed data may include IP addresses, information on operating systems, devices or browsers used, language settings, location, mouse movements, keyboard strokes, time spent on websites, previously visited websites, interactions with ReCAPTCHA on other websites, possibly cookies, and results of manual recognition processes (e.g. answering questions asked or selecting objects in images). Data processing is carried out on the basis of our legitimate interests in protecting our online offering from abusive automated crawling and spam. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.google.com/recaptcha/. Privacy policy: https://policies.google.com/privacy. Basis for third country transfers: Data Privacy Framework (DPF), Data Privacy Framework (DPF). Right to object (opt-out): opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, settings for displaying advertisements: https://myadcenter.google.com/personalizationoff.
Data protection for job applications and in the application process
The primary purpose of this data processing is to carry out and manage the job application process and to assess an applicant’s suitability for the position in question. As a result, the processing of your applicant data is necessary to enable us to decide on the establishment of an employment relationship and thus on recruitment. The primary legal basis for this is Art. 6(1)(b) GDPR. Processing of specific categories of personal data – where necessary for the decision on recruitment – is carried out on the basis of Art. 9(1) GDPR. If you have voluntarily provided us with particular categories of personal data, the processing of which is not necessary for the decision on recruitment, the collection and processing will be based on your consent given when you transfer such data. We also collect and process applicants’ personal data on the basis of legitimate interests for the defense of legal claims (in particular arising from the German General Equal Treatment Act (AGG), pursuant to Art. 6(1)(f) GDPR. Processing can also be carried out electronically. This is the case, in particular, if an applicant submits the relevant application documents to us electronically, for example by e-mail. We have set up a special e-mail address for applications by e-mail (bewerbung@documenta.de). If we conclude an employment contract with an applicant, the data transferred will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If no such contract is concluded with the applicant, the application documents will be automatically deleted no later than six months after the applicant is notified of the rejection, provided there are no other legitimate interests on our part that stand in the way of deletion. An example of “other legitimate interests” in the aforementioned sense is the burden of proof in proceedings under the General Equal Treatment Act (AGG).
Data protection information for participation in events
We process the personal data you provide to us as part of the registration process for the purpose of preparing for and holding the respective event and for capacity planning on the basis of your consent given by registering in accordance with Art. 6(1)(a) GDPR and, depending on the type of event, on the basis of a contract in accordance with Art. 6(1)(b) GDPR. You can revoke your consent at any time with effect for the future. If you withdraw your consent, we will no longer be able to use your personal data for the event, which requires registration, and you will therefore be unable to participate in the event.
If necessary, we process your data beyond your consent in accordance with Art. 6(1)(f) GDPR to protect our own or third parties’ legitimate interests, such as for defense in legal disputes. Please note that photographs or video recordings will be made at our events and that the image or video material may be published on the Internet, on the websites operated by documenta und Museum Fridericianum gGmbH or its cooperation partners, or on social media, and/or in one of the publications of documenta und Museum Fridericianum gGmbH or its cooperation partners. This is for the purpose of public relations (in particular reporting) on the respective event.
By participating in the event, you agree to the publication of photographs and video recordings made during the event (Sections 22, 23 of the Art Copyright Act – KUG). The collection, i.e. the photographic recording and its processing, is carried out for the purpose of illustrated reporting on the basis of Art. 6(1)(f) GDPR. We would like to point out that pursuant to Art. 21(1) GDPR, you can object to this processing for reasons arising from your particular situation. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims. The objection must be sent to the above address.
Please note that the documentation of the event may also result in data worthy of archiving, so it may become part of the holdings of documenta archiv. If archival records contain personal data about you, we process these data on the basis of Art. 6(1)(c) GDPR in conjunction with Sections 7, 8, and 11 of the Hessian Archives Act (HArchivG). We process the special categories of personal data that may be processed in this context on the basis of Section 25 of the Hessian Data Protection and Freedom of Information Act (HDSIG).
If you have any questions about this information, including about your (data protection) rights, you can also contact our data protection officer.
Amendments and updating
We urge you to keep yourself updated on the content of our privacy policy. We amend the privacy policy as soon as any changes in our data processing make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time, so please check these details before contacting us.