The protection and security of personal data is our utmost priority. This is why we comply strictly with data protection rules. In the following section, we will inform you about the types of data we record, the purpose for which we collect it and the point at which we erase any data stored. We will also provide information on the rights of the data subjects concerned:
I. Name and Address of Data Controller
In accordance with the GDPR and other data protection laws and regulations, the data controller is the
Academy of Fine Arts Leipzig / Hochschule für Grafik und Buchkunst
Agnes Wegner, Rector
Telephone: +49 (0)341 2135 0
Telefax: +49 (0)341 2135 166
II. Name and Address of the Data Protection Officer
The data protection officer acting on behalf of the data controller is:
Dresdner Institut für Datenschutz
(further contact details at www.dids.de)
III. Website Provision and the Creation of Log Files
1. Description and Scope of Data Processing
Each time you visit our website, our system automatically records log files from the accessing computer system. This data includes the type and version of the browser and operating system, the referring URL (the last website visited) and the IP address of the accessing computer. It also includes the date and time of the server request as well as the client’s file request (file name and URL). This information is not stored with any other personal data from the user.
2. Legal Basis of Data Processing
Our justified interest in data processing pursuant to point (f) of Art. 6 (1) of the GDPR also lies in such purposes.
3. Purpose of Data Processing
In order to make our website available to the user’s computer, our system must temporarily store the user’s IP address for the duration of the session. We store log files to ensure the functioning of our website. This data helps us to optimise our website, ensure the security of our information technology systems and perform statistical evaluations. We do not evaluate any data for marketing purposes.
4. Storage Period
Any data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of data collection for the provision of our website, this is considered to be the end of a session. Storage beyond this period is possible; in this case, user IP addresses are deleted or anonymized so they can no longer be connected to the accessing client.
5. Right to Objection and Erasure
The recording of data for the provision of our website and the storage of data in log files is essential to the operation of our website. The user may not therefore object to this use.
2. Legal Basis for Data Processing
3. Purpose of Data Processing
4. Storage Period, Right to Objection and Erasure
1. Description and Scope of Data Processing
Our website offers the option to sign up for a free newsletter. To receive this newsletter, we only need you to provide your email address. Please note that we use a so-called double opt-in procedure. After signing up, you will automatically receive a confirmation email. Only upon receiving your confirmation will we use your data to send out our newsletter. We will not use your data for any other purposes and will not share it with third parties. In accordance with current legislation, we do, however, log the following data:
2. Legal Basis for Data Processing
In accordance with point (a) of Art. 6 (1) of the GDPR, the legal basis for processing data after a user has signed up for the newsletter is the user’s consent.
3. Purpose of Data Processing
We record the user’s email address in order to deliver the newsletter. User data is solely used for sending out the newsletter.
4. Storage Period
User data is only stored for the duration of the newsletter subscription. Should you withdraw your consent, we will immediately erase your data from our mailing list but will retain your data for a period of 3 years for verification purposes. 5. Right to Objection and Erasure The user can cancel their newsletter subscription at any time. To this end, each newsletter contains a link to unsubscribe.
VI. Third Parties
1. YouTube and Vimeo
Our website may contain links to videos provided by the companies (1) YouTube LLC (901 Cherry Ave., San Bruno, CA, 94066, USA) and (2) Vimeo LLC (555 West 18th Street, New York, New York, 10011, USA). The viewing of videos through these providers requires the transfer to them of user data, in particular, IP addresses. Without an IP address, their content cannot be sent to the user’s respective browser. IP addresses are thus required in order to display this content. We have no control over the extent to which the two providers (each based in the USA) collect further data from you and use it beyond their delivery of content. Information regarding their data collection and use can be found at: (1) https://www.google.de/intl/de/policies/privacy (for YouTube) and (2) https://vimeo.com/privacy (for Vimeo). If you hold a Youtube or Vimeo account and do not wish for YouTube or Vimeo to collect data concerning you through our website and connect this data to member data stored by YouTube or Vimeo, you must log out of these accounts before visiting our website.
Our main page contains a link to our web presence at https://www.facebook.com/hgb.galerie by Facebook Inc. (1 Hacker Way, Menlo Park, CA, 94025, USA). By clicking on this link, you will be redirected to the Facebook website. On this website (based in the USA), your data will be processed and used by Facebook. We have no control over the data Facebook collects from you, nor how they use it. Information regarding Facebook’s data collection and use can be found at https://www.facebook.com/privacy/explanation. If you do not wish for Facebook to connect to your Facebook account any data related to your visit to our website, you must log out of Facebook before visiting our website. For more information on the purpose and extent of Facebook’s further data processing and use as well as your respective rights and options for privacy settings, please visit Facebook’s data protection information at https://www.facebook.com/policy.php
VII. Rights of the Data Subject
If any of your personal data is processed, you are a data subject as defined by the GDPR, which entitles you to assert the following rights against the data controller:
1. Right to Information
You have the right to ask the data controller for confirmation as to whether or not personal data concerning you is being processed. Where that is the case, you may ask the controller to provide the following information: (1) the purposes of processing your personal data; (2) the categories of personal data concerned; (3) the recipients or categories of recipient to whom the personal data concerning you has been or will be disclosed; (4) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (5) the existence of the right to request from the controller rectification or erasure of personal data concerning you, restriction of the processing of personal data by the controller or the option to object to such processing; (6) the right to lodge a complaint with a supervisory authority; (7) where the personal data is not collected from the data subject, any available information as to its source; (8) the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. You have the right to be informed as to whether or not your personal data is transferred to a third country or to an international organisation. To this end, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 relating to the transfer.
2. Right to Rectification
You have the right to obtain from the controller the rectification and/or completion of any processed personal data concerning you, provided that it is inaccurate or incomplete. The data controller must rectify this data without undue delay.
3. Right to Restriction of Processing
You have the right to obtain from the controller restriction of the processing of data concerning you where one of the following applies: (1) the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data; (2) the processing is unlawful and you oppose the erasure of your personal data and instead request the restriction of its use; (3) the controller no longer needs the personal data for the purpose of the processing, but you require it for the establishment, exercise or defence of legal claims; (4) you have objected to processing pursuant to Art. 21(1) of the GDPR pending verification of whether the legitimate grounds of the controller override your rights as a data subject. Where processing of personal data concerning you has been restricted, with the exception of storage, such data shall only be processed with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest of the European Union or of a member state. If processing has been restricted in accordance with the above conditions, you shall be informed by the controller before the restriction of processing is lifted.
4. Right to Erasure
a) Obligation to erase
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies: (1) the personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (2) you withdraw the consent upon which the processing is based according to point (a) of Art. 6(1), or point (a) of Art. 9(2) of the GDPR, and where there is no other legal ground for the processing; (3) you object to the processing pursuant to Art. 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or else you object to the processing pursuant to Art. 21(2) of the GDPR; (4) the personal data concerning you has been unlawfully processed; (5) the personal data concerning you must be erased in order to comply with a legal obligation under Union or member state law to which the controller is subject; (6) the personal data concerning you has been collected in relation to the offer of Information Society services referred to in Art. 8(1) of the GDPR.
b) Information Transferred to Third Parties
Where the controller has made the personal data concerning you public and is obliged pursuant to Art. 17(1) of the GDPR to erase it, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the controllers processing the personal data that the data subject has requested the erasure by such controllers of any links to—or copies or replications of—the personal data.
The right to erasure shall not apply to the extent that processing is necessary: (1) for exercising the right of freedom of expression and information; (2) for compliance with a legal obligation which requires processing by Union or member state law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Art. 9(2) as well as Art. 9(3) of the GDPR; (4) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Art. 89(1) of the GDPR, in so far as the right referred to in point (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (5) for the establishment, exercise or defence of legal claims.
5. Right to Notification
If you have exercised your right to obtain from the controller the rectification, erasure or restriction of processing, the controller shall communicate this rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data concerning you has been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to ask the controller to be informed about the recipients.
6. Right to Data Portability
You have the right to receive in a structured, commonly used and machine-readable format the personal data concerning you and which you have provided to a controller. You also have the right to transmit this data to another controller without hindrance by the controller to which the personal data has been provided, where: (1) the processing is based on consent pursuant to point (a) of Art. 6(1) of the GDPR or point (a) of Art. 9(2) of the GDPR or on a contract pursuant to point (b) of Art. 6(1) of the GDPR; and (2) the processing is carried out by automated means. In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another where technically feasible. This may not affect the freedoms and rights of other persons. The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to Object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on point (e) or (f) of Art. 6(1) of the GDPR, including profiling based on those provisions. The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to Withdraw
GDPR Consent You have the right to withdraw your GDPR consent at any time. The withdrawal of consent shall not affect the lawfulness of processing prior to the withdrawal of consent.
9. Automated Individual
Decision-Making, Including Profiling You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision (1) is necessary for entering into, or adhering to, a contract between you and the data controller; (2) is authorised by Union or member state law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or (3) is based on your explicit consent. These decisions shall not be based on special categories of personal data referred to in Art. 9(1) of the GDPR, unless point (a) or (g) of Art. 9(2) applies and suitable measures to safeguard the rights and freedoms and your legitimate interests are in place. In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard the rights and freedoms and your legitimate interests, at minimum the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular, in the member state of your habitual residence, workplace or place of the alleged infringement, if you consider personal data concerning you to be unlawfully processed under the GDPR. The supervisory authority to which the complaint has been submitted shall inform the appellant of the progress and the outcome of the complaint including any possible judicial remedy in accordance with Art. 78 of the GDPR.