Privacy policy in accordance with the GDPR

Data protection is an important concern for Kiel University (CAU). We therefore attach great importance to data-minimising data processing when processing personal data in connection with the performance of our tasks.

This privacy policy also applies to the processing of personal data and information within the meaning of Section 25 of the German Telemedia Act (TDDDG) in the context of this website, including the services offered there.

1. NAME AND ADDRESS OF THE CONTROLLER

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection regulations is:

Christian-Albrechts-Universität zu Kiel
Christian-Albrechts-Platz 4
24118 Kiel, Germany
Telephone: +49 (0)431 880-00
Email: mail@uni-kiel.de

Internal contact:
Kunsthalle zu Kiel
Managed by Acting Director Dr. habil. Regina Göckede
Düsternbrooker Weg 1
24105 Kiel, Germany
Phone: +49 (0)431 88057-56
Email: info@kunsthalle-kiel.de

2. NAME AND ADDRESS OF THE DATA PROTECTION OFFICER

Please contact our data protection officer directly with any questions regarding data protection and data security:

actago GmbH
Weidenstraße 66
94405 Landau a. d. Isar
Telephone: +49 (0)9951 99990-500
Email: datenschutz@uv.uni-kiel.de
Website: www.actago.de

3. General information
3.1 Purposes and legal basis for the processing of personal data

The purpose of processing is to fulfil the public tasks assigned to us by law.
Unless otherwise specified, the legal basis for the processing of your data is § 3 (1) of the Schleswig-Holstein Law on the Protection of Personal Data (LDSG (SH)) in conjunction with Art. 6 (1) lit. e of the General Data Protection Regulation (GDPR). According to this, we are permitted to process the data necessary to fulfil a task incumbent upon us.
If you have consented to processing, data processing is based on Article 6(1)(a) GDPR.

3.2 Recipients of personal data

The technical operation of our data processing systems is carried out by
gradwerk GmbH
Konrad-Adenauer-Straße 6
23558 Lübeck

If necessary, your data will be transferred to the competent supervisory and auditing authorities for the purpose of exercising their respective control rights.

3.3 Duration of storage of personal data

Your data will only be stored for as long as is necessary to fulfil the task, in compliance with statutory retention periods.

3.4 Your rights

Insofar as we process your personal data, you as the data subject have the following rights:

You may request information as to whether we process your personal data. If this is the case, you have the right to obtain information about this data and other information related to the processing (Art. 15 GDPR). Please note that this right to information may be restricted or excluded in certain cases (see in particular Section 9 LDSG (SH)).
If incorrect personal data is processed, you have the right to have it corrected (Art. 16 GDPR).
If the legal requirements are met, you can request the deletion or restriction of processing (Art. 17 and 18 GDPR). However, the right to erasure under Art. 17(1) and (2) GDPR does not apply if the processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (Art. 17(3)(b) GDPR).
If you have consented to the processing and the processing is based on this consent, you can revoke your consent at any time for the future. This does not affect the lawfulness of data processing carried out on the basis of your consent until revocation.
You have the right to object to the processing of your data at any time for reasons arising from your particular situation (Art. 21 GDPR). If the legal requirements are met, we will no longer process your personal data. Further restrictions, modifications and, where applicable, exclusions of the aforementioned rights may arise from the General Data Protection Regulation or national legislation. You can also obtain more detailed information on these rights from our data protection officer.

3.5 Right to lodge a complaint with the supervisory authority

You also have the right to lodge a complaint with the ULD – Independent Centre for Data Protection Schleswig-Holstein. You can contact them using the following details:

Postal address: Postfach 71 16, 24103 Kiel
Address: Holstenstraße 98, 24103 Kiel
Telephone: 0431 988-1200
Fax: 0431 988-1223
Online reporting: https://www.datenschutzzentrum.de/meldungen/

4. Information about the website
4.1 Logging

When you visit this or other websites, your internet browser transmits data to our web server. The following data is recorded during an ongoing connection for communication between your internet browser and our web server:

Date and time of the request
Name of the requested file
Page from which the file was requested
Access status (file transferred, file not found, etc.)
Web browser and operating system used
Full IP address of the requesting computer
Amount of data transferred.

For technical security reasons, in particular to defend against attempts to attack our web server, we store this data. After seven days at the latest, the data is anonymised by shortening the IP address at domain level so that it is no longer possible to establish a link to individual users.

4.2 Secure data transmission

When you access this information service, we offer an HTTPS and Perfect Forward Secrecy encrypted connection, which is secured with at least the TLS 1.2 encryption protocol, so that your data is protected from being accessed by third parties during data transmission. We recommend that you keep your internet browser up to date to use this option.

5. Cookies

We use cookies to ensure the correct technical and functional provision of this information service. Cookies are small text files that are stored on the device you are using.
The legal basis for the storage of information and the processing of personal data using technically necessary cookies is Section 25 (2) TDDDG and Art. 6 (1) lit. e GDPR in conjunction with Section 3 LDSG (SH). Technically necessary cookies are only valid for the current session and are automatically deleted as soon as you close your browser.

The use of functional cookies is voluntary. If these cookies are blocked, certain functions may not be available in full. The legal basis for the use of cookies that are not technically necessary is the user's consent in accordance with Section 25 (1) TDDDG in conjunction with Art. 6 (1) lit. a GDPR. When you access this website, we store cookies (small files) on your device. These have the following validity:

Name / storage period:

cms_cookie / 24 hours
__cf_bm / 30 minutes
cms_stat / 400 days
_cfuvid / session
player_clearance / 22 hours

6. Contacting us by e-mail
6.1 Description and scope of data processing

You can contact us via the e-mail address provided. Your personal data transmitted with the e-mail will be stored. In this context, the data will not be passed on to third parties.
The data will be used exclusively for processing the conversation.

6.2 Legal basis for data processing

The legal basis for the processing of your personal data transmitted in the course of sending an email is Art. 6 (1) (e) GDPR in conjunction with § 3 LSDG (SH). If the purpose of contacting us by e-mail is to conclude a contract, the additional legal basis for processing is Art. 6 (1) lit. b GDPR.

6.3 Purpose of data processing

The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.

6.4 Duration of storage

Your personal data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. For personal data sent by e-mail, this is the case when the respective conversation with you has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified. The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

6.5 Right to object and right to erasure

You have the right to object to the processing of your personal data at any time in the future when contacting us by email. In such a case, the conversation between you and us cannot be continued. All personal data stored in the course of contacting us will be deleted in this case.

7. Electronic mail (e-mail)

Information that you send to us unencrypted by electronic mail (e-mail) may be read by third parties during transmission. As a rule, we cannot verify your identity and do not know who is behind an e-mail address. Legally secure communication by simple e-mail is therefore not guaranteed. Like many email providers, we use filters against unwanted advertising (‘spam filters’), which in rare cases may also automatically classify normal emails as unwanted advertising and delete them. Emails containing harmful programs (‘viruses’) are automatically deleted by us in any case.
If you have concerns about transmitting personal data or other sensitive data, please agree on a suitable encryption method with the recipient (our employees) before transmission, or use postal mail.

8. Active components

Active components such as JavaScript, Java applets or ActiveX controls are used in the information provided. You can disable this function by adjusting the settings in your internet browser.

9. Photo requests
9.1 Description and scope of data processing

Our website features a form that can be used to submit photo requests for possible publication. If you choose to do so, the data entered in the input mask will be transmitted to us and stored. This data includes:

Contact person:

First name*
Surname*
Email*

Billing address:

Institution / museum / person*
Additional address information
Street, house number*
Postcode*
City*
Country*
Invoice subject*
Order date*
Latest delivery date*

Intended use:

Type of publication
Title of publication
Publisher
Year of publication
Publisher
Print run
Scope
Language
Size of illustration
Additional information and comments

Objects:

Object description
*Mandatory field

Your consent will be obtained for the processing of your data during the submission process and reference will be made to this privacy policy. In this context, no data will be passed on to third parties. The digital images will be provided for a processing and reproduction fee.
The data will be used exclusively for the processing of your enquiry.

9.2 Legal basis for data processing

The legal basis for processing your personal data in connection with your enquiry is Article 6(1)(b) GDPR.

9.3 Purpose of data processing

We process your personal data from the input mask solely for the purpose of processing your enquiry. The other personal data processed during the sending process serves to prevent misuse of the form and to ensure the security of our information technology systems.

9.4 Duration of storage

Your personal data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. For personal data from the input mask of the form for ordering souvenirs, this is the case when the respective conversation with you has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified. The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

9.5 Right to object and right to erasure

You have the right to object to the processing of your personal data at any time when contacting us via the souvenir order form. In such cases, the conversation between you and us cannot be continued. All personal data stored in the course of contacting us will be deleted in this case.

10. Order or shop enquiry Publications
10.1 Description and scope of data processing

Our website features a form that can be used to submit enquiries regarding publications from the Kunsthalle. If you make use of this option, the data entered in the input mask will be transmitted to us and stored. This data includes:

Title of the publication:

Please select the title*

Billing and delivery address:

First name*
Surname*
Street, house number*
Additional address details
Postcode*
Town/city*
Email*
Telephone
Message
*Mandatory field

Your consent will be obtained for the processing of the data during the sending process and reference will be made to this privacy policy.

10.2 eCommerce and payment providers

We collect, process and use personal data only to the extent necessary for the establishment, content or modification of the legal relationship (inventory data). This is done on the basis of Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures. We collect, process and use personal data relating to the use of this website (usage data) only to the extent necessary to enable the user to use the service or to bill for it. The customer data collected will be deleted after completion of the order or termination of the business relationship. Statutory retention periods remain unaffected.

11 Press distribution list
11.1 Description and scope of data processing

Our website offers a distribution list for press representatives, through which you can receive all dates and information about exhibitions and events in advance by email. To do so, you must provide a first name (optional), a surname (optional), a valid press medium for which you work, and a valid email address. By subscribing to the distribution list, you agree to receive the distribution list and the procedures described.

11.2 Legal basis for data processing

The legal basis for the processing of your personal data in the context of mailing list distribution is the existence of consent pursuant to Art. 6(1)(a) GDPR.

11.3 Purpose of data processing

The collection of your personal data serves to send you information from the mailing list. The purpose of processing your personal data in the context of sending out the mailing list is to inform you about dates and information relating to exhibitions and events.

11.4 Duration of storage

Your personal data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. Your personal data will therefore be stored for as long as your subscription to the mailing list is active.

11.5 Right to object and right to erasure

You can unsubscribe from the mailing list at any time. For this purpose, there is a corresponding link in every message. After you unsubscribe, your personal data will be deleted. Unsubscribing also allows you to withdraw your consent.

12. Newsletter and mailing service provider
12.1 Description and scope of data processing

Our website offers you a newsletter in which we inform you about current events and offers. If you would like to subscribe to the newsletter, you must provide a first name (optional), a surname (optional) and a valid email address. By subscribing to the newsletter, you agree to receive the newsletter and the procedures described.

When you subscribe to our newsletter, we process the data required for this purpose (e-mail address and, if applicable, name and other voluntary information). The newsletter is sent via the newsletter system in CMS 6 of gradwerk GmbH, Konrad-Adenauer-Str. 6, 23558 Lübeck, as a technical service provider with whom we have a contract for order processing in accordance with Art. 28 GDPR. The data is used exclusively for sending the newsletter and managing the recipient lists and is not passed on to other third parties. In order to optimise our newsletter service, we carry out anonymous statistical evaluations, for example on opening and click rates. No personal data is evaluated in this process and the results do not allow any conclusions to be drawn about individual recipients.

The data will be stored for the duration of the newsletter subscription and deleted after unsubscribing from the newsletter, provided that there are no legal retention obligations. Further information on data protection at gradwerk GmbH can be found at www.gradwerk.de/datenschutz.

12.2 Legal basis for data processing

The legal basis for the processing of your personal data in the context of sending the newsletter is the existence of consent pursuant to Art. 6 (1) (a) GDPR.

12.3 Purpose of data processing

The collection of your personal data serves to send you the newsletter. The purpose of processing your personal data in connection with sending the newsletter is to inform you about current events and offers.

12.4 Duration of storage

12.5 Right to object and right to erasure

You can unsubscribe from the newsletter at any time. There is a link for this purpose in every newsletter. Your personal data will be deleted after you unsubscribe. Unsubscribing also constitutes a revocation of your consent.

13. Google APIs

We use the Google APIs service as interface software on our website. The provider of this service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Using this service may result in data being transferred to a third country (the USA). The provider is certified under the EU-U.S. Data Privacy Framework and therefore offers an adequate level of data protection. Further information can be found in the provider's privacy policy at the following URL: https://business.safety.google/privacy.

14. Google Web Fonts

This website may use Google Web Fonts to ensure consistent font display. When using these fonts, your browser downloads the required fonts from our website system. These are then temporarily stored in the browser cache to display the fonts correctly. Your browser does not establish a connection to Google's servers. This ensures that Google does not obtain any knowledge of your visit or your IP address.

15. Google Static

We use a content delivery network (CDN) to optimise the performance and availability of our website. To do this, the service provider that provides this network processes your IP address and information about when you visited our website. All further information on data processing by this service provider can be found in its privacy policy. This processing is based on consent that can be revoked at any time in accordance with Art. 6 (1) (a) GDPR.

We use the Google Static service on our website. The provider of this service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Using this service may result in data being transferred to a third country (the USA). The provider is certified under the EU-U.S. Data Privacy Framework and therefore offers an adequate level of data protection. Further information can be found in the provider's privacy policy at the following URL: https://policies.google.com/privacy.

16. MyFonts

Our website uses fonts provided by MyFonts Inc., 600 Unicorn Park Drive, Woburn, MA 01801, USA. When you visit the website, data is also retrieved from a MyFonts server, which means that MyFonts will at least obtain your IP address. Among other things, MyFonts also learns that you have accessed the font via our website, as well as some technical information about your browser. For more information on how MyFonts handles personal data, please visit: https://www.myfonts.com/legal/terms-and-conditions-of-business

17. Use of YouTube videos

Videos from the external video platform YouTube are embedded on our website. By default, only deactivated images from the YouTube channel are embedded, which do not establish an automated connection to YouTube's servers. This means that the operator does not receive any data from the user when the website is accessed.
You can decide for yourself whether the YouTube videos should be activated. Only when you enable playback of the videos by clicking on ‘Permanent activation’ do you give your consent for the necessary data (including the internet address of the current page and the user's IP address) to be transmitted to the operator.
In order to save the settings requested by the user, we set a cookie that stores the parameters. However, when setting these cookies, we do not store any personal data; they only contain anonymised data for customising the browser. The videos are then active and can be played by the user. If you wish to deactivate the automatic loading of YouTube videos again, you can remove the check mark for consent under the data protection icon. This will also update the cookie settings.

YouTube is a service provided by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, a subsidiary of Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. Further information on the purpose and scope of data processing (including outside the European Union and outside the USA) and information on settings options for protecting your privacy can be found in the privacy policy: https://policies.google.com/privacy?hl=de&gl=de
Google processes your personal data in the USA, among other places.

18. Vimeo

This website uses plugins from the video portal Vimeo. The provider is Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA. When you visit one of our pages equipped with Vimeo videos, a connection to the Vimeo servers is established. The Vimeo server is informed which of our pages you have visited. Vimeo also obtains your IP address. However, we have configured Vimeo so that it does not track your user activities and does not set any cookies.
We base the processing on Art. 6 (1) (a) GDPR; consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission and, according to Vimeo, on ‘legitimate business interests’. Details can be found here: https://vimeo.com/privacy. Further information on the handling of user data can be found in Vimeo's privacy policy at: https://vimeo.com/privacy.

19. Note on the privacy policy

Unless otherwise specified, the use of all information we have about you is subject to this privacy policy. The controller reserves the right to continuously adapt this privacy policy to the necessary security measures in line with technological developments and will announce any changes here.
As of: November 2025

20. Further information
20.1 Technical and organisational measures

The controller has taken technical and organisational measures to protect your data from loss, destruction or unauthorised access. In addition, both the controller's employees and any service providers are obliged to maintain confidentiality and comply with data protection regulations.

20.2 SSL or TLS encryption

For security reasons and to protect the transmission of confidential content that you send to us as the site operator, our website uses SSL or TLS encryption. This means that data you transmit via this website cannot be read by third parties. You can recognise an encrypted connection by the ‘https://’ address line of your browser and the lock symbol in the browser line.

Provider	gradwerk
Purpose	Speichert den Index der Suche nach Kunstwerken in der Sammlung online
Expiry	nie
Type	HTML

Provider	gradwerk
Purpose	Speichert das Suchwort der Suche nach Kunstwerken in der Sammlung online
Expiry	nie
Type	HTML

Provider	YouTube Google
Purpose	YouTube bandwidth measurement
Expiry	6 months
Type	HTTP

Provider	YouTube Google
Purpose	Registers a unique ID that is used by Google to keep statistics on how the visitor uses YouTube videos on different websites.
Expiry	8 months
Type	HTTP

Provider	YouTube Google
Purpose	Registers a unique ID to keep statistics of the videos from YouTube that the user has watched.
Expiry	Session
Type	HTTP

Provider	Vimeo
Purpose	Saves the user's preferences when playing embedded videos from Vimeo. Enables the correct functionality of these videos.
Expiry	1 year
Type	HTTP

Provider	Google
Purpose	Google uses cookies such as the NID to customise advertising in Google products such as Google Search. This cookie is used in Google Maps, for example.
Expiry	6 months
Type	HTTP