Municipal Museum Schloss Rheydt
Dr. Karlheinz Wiegmann
Types of data processed
- Inventory data (required for login/use of the app: e-mail address).
- Contact details (can be used under pseudonym, contact details on a voluntary basis in the profile).
- Content data (e.g. text input, photographs, videos, geodata of content).
- Meta/communication data (IP addresses in the server log file, temporary storage during use, location data during use).
In the app we do NOT collect any usage data such as visited websites, interest in content, access times!
Profiling is not carried out.
Categories of data subjects
Users of the app (In the following we refer to the affected persons as "users").
Purpose of processing
- Provision of the online offer, its functions and contents.
- Provision and acceptance of content, communication with users.
- Safety measures.
“Personal data” refers to all information relating to an identified or identifiable natural person (hereinafter “data subject”); a natural person is regarded as identifiable, if he/she can be directly or indirectly identified, especially by means of association with an identifier such as a name, with an identification number, with location data, with an online identifier (e.g. cookies) or with one or several special features reflecting the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person.
"Processing" means any operation carried out with or without the aid of automated procedures or any such series of operations in connection with personal data. The term is broad and covers virtually every aspect of dealing with data
"Pseudonymisation" means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without additional information, provided that this additional information is kept separately and is subject to technical and organisational measures ensuring that the personal data are not attributed to an identified or an identifiable natural person.
"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
"Data controller" refers to the natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes and means of the processing of personal data.
A "processor " is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller.
Applicable legal bases
In accordance with art. 13 GDPR, we inform you of the legal basis of our data processing. For users within the scope of the General Data Protection Regulation (GDPR), i.e. the EU and the EEC, as long as the legal basis in the data protection declaration is not mentioned, the following applies:
The legal basis for obtaining consent is art. 6 para. 1 (a) and art. 7 GDPR
The legal basis for processing for the fulfilment of our services and the execution of contractual measures as well as for replying to enquiries is art. 6 para. 1 (b) GDPR
The legal basis for processing to fulfil our legal obligations is art. 6 para. 1 (c) GDPR
In the event that vital interests of the data subject or another natural person require processing of personal data, art. 6 para. 1 (d) GDPR applies as the legal basis.
The legal basis for the processing required to carry out a task in the public interest or in the exercise of official authority which has been entrusted to the controller is article 6 para. 1 (e) GDPR.
The legal basis for processing to protect our legitimate interests is art. 6 para. 1 (f) GDPR.
The processing of data for purposes other than those for which they were collected is determined in accordance with art. 6 para. 4 GDPR.
The processing of special categories of data (in accordance with art. 9 para. 1 GDPR) is determined in accordance with the provisions of art. 9 para. 2 GDPR.
In accordance with legal requirements, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account current technology, implementation costs, the nature, scope, context and purposes of processing, and the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transmission, security of availability and its separation. Furthermore, we have established procedures that guarantee the exercise of data subjects' rights, deletion of data, and reaction to data risks. In addition, we take the protection of personal data into account as early as the development or selection of hardware, software and procedures, in accordance with the principle of data protection through technology design and data protection-friendly defaults.
Collaboration with processors, mutually responsible persons and third parties
If, in the context of our processing, we disclose data to other persons and companies (processors, mutually responsible persons or third parties), transmit it to them or otherwise grant access to the data, this will only be done on the basis of a legal permission (e.g. if the data has been transmitted to third parties, such as payment service providers, to fulfil the contract), users have consented to a legal obligation to do so or on the basis of our legitimate interests (e.g. the use of agents, web hosters, etc.).
Insofar as we disclose data to other companies in our group, convey it or otherwise grant access to it, this is done in particular for administrative purposes as a legitimate interest and, moreover, on a basis that complies with the legal requirements.
Transfer of data, login administration and transfers to third countries
The processing of the data generated in the app is carried out in Germany (Server: Server4You), as well as German and Dutch partners.
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation) or in the context of the use of third party services or disclosure, or transmission of data to other persons or companies, this will only happen if it is to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Except as expressly provided or required by law, we process or disclose the data only in third countries with a recognised level of privacy, including those certified under the Privacy Shield, or on the basis of specific warranties, such as contractual obligations under so-called standard safeguards of the EU Commission, the existence of certifications or binding internal data protection regulations (articles 44 to 49 GDPR, information page of the European Commission).).
Login management with Google Firebase
Your personal information will be transmitted to Google Firebase. Firebase is a Google subsidiary based in San Francisco (CA), USA.
Firebase is a real-time database that lets you embed real-time information into your own website. Here, the user data is anonymously transmitted to Firebase in order to use the database. The transmission of data is based on our legitimate interests in accordance with art. 6 para. P. 1 (f) GDPR for the above purposes. For more information about privacy related to Google Firebase, visit: https://www.firebase.com/terms/privacy-policy.html.
Integration of external map material
In our app, we integrate maps via Google Maps and Apple Maps APIs. In order for the map to be displayed, your IP address and location will be transmitted to Google Maps. The integration takes place on the basis of art. 6 para. 1 clause 1 (f) GDPR. This is done to make our app more user-friendly and interesting. This is a legitimate interest within the meaning of the above provision.
Rights of data subjects
You have the right to request confirmation as to whether the data in question is being processed and for information about this data as well as for further information and copying of the data in accordance with legal requirements.
You have the right, in accordance with the legal requirements, to demand the completion of the data concerning you or the correction of the incorrect data concerning you.
In accordance with the statutory provisions, you have the right to demand that the relevant data be deleted immediately, or alternatively to demand a restriction of the processing of the data in accordance with the statutory provisions.
You have the right to request the data concerning you that you have provided to us in accordance with art. 20 GDPR and to request its transmission to other controllers.
You also have the right, in accordance with the statutory provisions, to submit a complaint to the competent supervisory authority.
Right to cancel/revoke orders
You have the right to withdraw granted consent with effect for the future.
Right of objection and deletion of data
You may object to the future processing of your data in accordance with legal requirements at any time by deleting your user account.
Users can create a user account. Users will be informed of the mandatory information required during registration and this information will be processed on the basis of Art. 6 para. 1 (b) GDPR for the purpose of providing the user account. The processed data includes, in particular, the login information (e-mail address). The data entered during registration will be used to reset the password.
We use the social login feature of the providers Facebook, Twitter and Google. Accounts created in this way fall under local data protection rules.
Backup of content data of the user-created data does not take place outside of the user account. If an account is deleted, all contents will be irretrievably deleted.
We store the IP address and the time of the respective user's activity as part of the use of our registration and login functions, as well as the use of the user account. This data is stored on the basis of our legitimate interests, and to protect the user against misuse and other unauthorised use. A passing on of this data to third parties does not take place in principle, unless it is necessary for the pursuit of our claims or there is a legal obligation in accordance with Art. 6 para. 1 (c) of the GDPR. IP addresses are anonymised or deleted after 7 days at the latest.
Comments and posts
If users leave comments or other posts, their IP addresses can be stored for 7 days on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. GDPR. This takes place for our security, in case someone leaves illegal contents in comments and posts (abuse, forbidden political propaganda, etc.). In this case, we ourselves could be prosecuted for the comment or post and are therefore interested in the identity of the author.
Furthermore, we reserve the right, on the basis of our legitimate interests pursuant to art. 6 para. 1 lit. f. GDPR, to process user information for the purpose of spam detection.
Any information provided in the comments and contributions of the person, any contact and website information as well as the content, are stored by us indefinitely unless the user requests the information to be deleted.
Hosting and email delivery
The hosting services we use serve from the provider Time4VPS to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email delivery, security services and technical maintenance services that we use for the purpose of operating this online offering.
Hereby, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta data and communication data of customers, potential customers and visitors to this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer according to art. 6 para. 1 lit. f GDPR in conjunction with art. 28 GDPR (fulfilment of order processing agreement).
Collection of access data and log files
We, or our hosting provider, collect data on the basis of our legitimate interests within the meaning of art. 6 para. 1 lit. f. GDPR regarding each access to the server on which this service is located (known as server log files). Access data includes the name of the requested website, file, date and time of access, amount of data transferred, report whether the site was successfully retrieved, browser type and version, the user's operating system, the referrer URL (the site visited before coming to our site), the user's IP address, and the requesting internet service provider.
Log file information is stored for a maximum of seven days for security reasons (e.g. to investigate misuse or fraud) and then deleted. Data which must be retained as potential evidence is not deleted until the relevant incident has been ultimately clarified.