
Privacy Policy

The protection and security of personal data is our utmost priority. This is why we comply strictly with data protection rules. In the following section, we will inform you about the types of data we record, the purpose for which we collect it and the point at which we erase any data stored. We will also provide information on the rights of the data subjects concerned:



I. Name and Address of Data Controller

In accordance with the GDPR and other data protection laws and regulations, the data controller is the  

Academy of Fine Arts Leipzig / Hochschule für Grafik und Buchkunst  

Agnes Wegner, Rector

Wächterstr. 11 

04107 Leipzig

Telephone: +49 (0)341 2135 0 

Telefax: +49 (0)341 2135 166 

Email: hgb@hgb-leipzig.de

Internet: http://www.hgb-leipzig.de



II. Name and Address of the Data Protection Officer

The data protection officer acting on behalf of the data controller is:  

Dresdner Institut für Datenschutz

Email: datenschutz@hgb-leipzig.de

(further contact details at www.dids.de) 



III. Website Provision and the Creation of Log Files

1. Description and Scope of Data Processing
Each time you visit our website, our system automatically records log files from the accessing computer system. This data includes the type and version of the browser and operating system, the referring URL (the last website visited) and the IP address of the accessing computer. It also includes the date and time of the server request as well as the client’s file request (file name and URL). This information is not stored with any other personal data from the user.



2. Legal Basis of Data Processing

Our justified interest in data processing pursuant to point (f) of Art. 6 (1) of the GDPR also lies in such purposes. 



3. Purpose of Data Processing

In order to make our website available to the user’s computer, our system must temporarily store the user’s IP address for the duration of the session. We store log files to ensure the functioning of our website. This data helps us to optimise our website, ensure the security of our information technology systems and perform statistical evaluations. We do not evaluate any data for marketing purposes. 



4. Storage Period 

Any data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of data collection for the provision of our website, this is considered to be the end of a session. Storage beyond this period is possible; in this case, user IP addresses are deleted or anonymized so they can no longer be connected to the accessing client.



5. Right to Objection and Erasure

The recording of data for the provision of our website and the storage of data in log files is essential to the operation of our website. The user may not therefore object to this use.



IV. Use of Cookies
1. Description, Purpose and Scope of Data Processing 
Our website uses cookies. Cookies are text files which are saved in or by the internet browser of the user’s computer system. If a user visits our website, cookies can be saved on their operating system. Cookies contain a characteristic string of characters which enable the unequivocal identification of the browser if it is used to revisit our website. We use cookies to make our website more user-friendly. Some elements of our website make the identification of accessing browsers necessary even after you change pages. These cookies will only store and transmit a randomly generated identification number for the user’s session. All cookies will be deleted as soon as the browser is closed. Any information gathered by cookies regarding your use of our website will not be shared with any third party. 



2. Legal Basis for Data Processing

The legal basis for processing personal data through the use of cookies is governed by point (f) of Art. 6 (1) of the GDPR.



3. Purpose of Data Processing

Using technically necessary cookies serves the purpose of simplifying website user experiences. Some of our website functions cannot be offered without the use of cookies. These functions require browser recognition even after the user changes pages. 



4. Storage Period, Right to Objection and Erasure

Cookies are stored on the user’s computer, which then transmits them to our website. Consequently, you as the user are in full control of the use of cookies. By changing the settings for your internet browser, you can deactivate or limit the transfer of cookies. Cookies already saved can be deleted at any time. This may also be carried out by automated means. Deactivating cookies on our website may mean that certain website functions are no longer fully available.



5. Matomo – web analysis
We use the web analysis service Matomo to improve our website on the basis of your consent in accordance with Section 25 (1) TTDSG and Art. 6 (1) sentence 1 lit. a) GDPR. In order to implement a data protection-friendly analysis, the open source software Matomo is operated on the servers of the responsible body and without the use of cookies. Returning visitors to our website are recognized by means of a so-called digital fingerprint. In addition, user movements are processed in anonymized form using IP addresses with browser-side user settings, so that it is not possible for us to draw conclusions about the identity of individual visitors to our website. The information is stored for a period of 30 days. Further information on the functionality of the Matomo web analysis service can be found on the provider's website.

V. Newsletter

1. Description and Scope of Data Processing

Our website offers the option to sign up for a free newsletter. To receive this newsletter, we only need you to provide your email address. Please note that we use a so-called double opt-in procedure. After signing up, you will automatically receive a confirmation email. Only upon receiving your confirmation will we use your data to send out our newsletter. We will not use your data for any other purposes and will not share it with third parties. In accordance with current legislation, we do, however, log the following data:


When signing up: Date and time as well as any data you provide, most notably your email address and IP address.
When confirming your subscription: The text of the confirmation email, including the time it was sent, the recipient’s email address, the date and time the subscription was confirmed via the confirmation link as well as the confirming email address.

For the purpose of sending out newsletters, we will not share any data with third parties. We store data in an internal database. Should we at some point in the future use a service provider for the maintenance and support of our database without being able to exclude access to user data, we will conclude a contract in accordance with Art. 28 of the GDPR to protect your data, and we will adapt this privacy policy accordingly.



2. Legal Basis for Data Processing

In accordance with point (a) of Art. 6 (1) of the GDPR, the legal basis for processing data after a user has signed up for the newsletter is the user’s consent.



3. Purpose of Data Processing

We record the user’s email address in order to deliver the newsletter. User data is solely used for sending out the newsletter.

4. Storage Period
User data is only stored for the duration of the newsletter subscription. Should you withdraw your consent, we will immediately erase your data from our mailing list but will retain your data for a period of 3 years for verification purposes.

5. Right to Objection and Erasure 
The user can cancel their newsletter subscription at any time. To this end, each newsletter contains a link to unsubscribe.



VI. Third Parties


1. YouTube and Vimeo

Our website may contain links to videos provided by the companies (1) YouTube LLC (901 Cherry Ave., San Bruno, CA, 94066, USA) and (2) Vimeo LLC (555 West 18th Street, New York, New York, 10011, USA). The viewing of videos through these providers requires the transfer to them of user data, in particular, IP addresses. Without an IP address, their content cannot be sent to the user’s respective browser. IP addresses are thus required in order to display this content. We have no control over the extent to which the two providers (each based in the USA) collect further data from you and use it beyond their delivery of content. Information regarding their data collection and use can be found at: (1) https://www.google.de/intl/de/policies/privacy (for YouTube) and (2) https://vimeo.com/privacy (for Vimeo). If you hold a YouTube or Vimeo account and do not wish for YouTube or Vimeo to collect data concerning you through our website and connect this data to member data stored by YouTube or Vimeo, you must log out of these accounts before visiting our website.

2. Facebook

Our main page contains a link to our web presence at https://www.facebook.com/hgb.galerie by Facebook Inc. (1 Hacker Way, Menlo Park, CA, 94025, USA). By clicking on this link, you will be redirected to the Facebook website. On this website (based in the USA), your data will be processed and used by Facebook. We have no control over the data Facebook collects from you, nor how they use it. Information regarding Facebook’s data collection and use can be found at https://www.facebook.com/privacy/explanation. If you do not wish for Facebook to connect to your Facebook account any data related to your visit to our website, you must log out of Facebook before visiting our website. For more information on the purpose and extent of Facebook’s further data processing and use as well as your respective rights and options for privacy settings, please visit Facebook’s data protection information at https://www.facebook.com/policy.php



VII. Rights of the Data Subject

If any of your personal data is processed, you are a data subject as defined by the GDPR, which entitles you to assert the following rights against the data controller:



1. Right to Information 

You have the right to ask the data controller for confirmation as to whether or not personal data concerning you is being processed. Where that is the case, you may ask the controller to provide the following information: (1) the purposes of processing your personal data; (2) the categories of personal data concerned; (3) the recipients or categories of recipient to whom the personal data concerning you has been or will be disclosed; (4) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (5) the existence of the right to request from the controller rectification or erasure of personal data concerning you, restriction of the processing of personal data by the controller or the option to object to such processing; (6) the right to lodge a complaint with a supervisory authority; (7) where the personal data is not collected from the data subject, any available information as to its source; (8) the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. You have the right to be informed as to whether or not your personal data is transferred to a third country or to an international organisation. To this end, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 relating to the transfer.



2. Right to Rectification 

You have the right to obtain from the controller the rectification and/or completion of any processed personal data concerning you, provided that it is inaccurate or incomplete. The data controller must rectify this data without undue delay.



3. Right to Restriction of Processing 

You have the right to obtain from the controller restriction of the processing of data concerning you where one of the following applies: (1) the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data; (2) the processing is unlawful and you oppose the erasure of your personal data and instead request the restriction of its use; (3) the controller no longer needs the personal data for the purpose of the processing, but you require it for the establishment, exercise or defence of legal claims; (4) you have objected to processing pursuant to Art. 21(1) of the GDPR pending verification of whether the legitimate grounds of the controller override your rights as a data subject. Where processing of personal data concerning you has been restricted, with the exception of storage, such data shall only be processed with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest of the European Union or of a member state. If processing has been restricted in accordance with the above conditions, you shall be informed by the controller before the restriction of processing is lifted.



4. Right to Erasure 

a) Obligation to erase
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies: (1) the personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (2) you withdraw the consent upon which the processing is based according to point (a) of Art. 6(1), or point (a) of Art. 9(2) of the GDPR, and where there is no other legal ground for the processing; (3) you object to the processing pursuant to Art. 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or else you object to the processing pursuant to Art. 21(2) of the GDPR; (4) the personal data concerning you has been unlawfully processed; (5) the personal data concerning you must be erased in order to comply with a legal obligation under Union or member state law to which the controller is subject; (6) the personal data concerning you has been collected in relation to the offer of Information Society services referred to in Art. 8(1) of the GDPR. 


b) Information Transferred to Third Parties
Where the controller has made the personal data concerning you public and is obliged pursuant to Art. 17(1) of the GDPR to erase it, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the controllers processing the personal data that the data subject has requested the erasure by such controllers of any links to—or copies or replications of—the personal data. 


c) Exceptions
The right to erasure shall not apply to the extent that processing is necessary: (1) for exercising the right of freedom of expression and information; (2) for compliance with a legal obligation which requires processing by Union or member state law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Art. 9(2) as well as Art. 9(3) of the GDPR; (4) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Art. 89(1) of the GDPR, in so far as the right referred to in point (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (5) for the establishment, exercise or defence of legal claims.



5. Right to Notification 

If you have exercised your right to obtain from the controller the rectification, erasure or restriction of processing, the controller shall communicate this rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data concerning you has been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to ask the controller to be informed about the recipients. 



6. Right to Data Portability 

You have the right to receive in a structured, commonly used and machine-readable format the personal data concerning you and which you have provided to a controller. You also have the right to transmit this data to another controller without hindrance by the controller to which the personal data has been provided, where: (1) the processing is based on consent pursuant to point (a) of Art. 6(1) of the GDPR or point (a) of Art. 9(2) of the GDPR or on a contract pursuant to point (b) of Art. 6(1) of the GDPR; and (2) the processing is carried out by automated means. In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another where technically feasible. This may not affect the freedoms and rights of other persons. The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.



7. Right to Object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on point (e) or (f) of Art. 6(1) of the GDPR, including profiling based on those provisions. The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.



8. Right to Withdraw GDPR Consent
You have the right to withdraw your GDPR consent at any time. The withdrawal of consent shall not affect the lawfulness of processing prior to the withdrawal of consent.



9. Automated Individual Decision-Making, Including Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision (1) is necessary for entering into, or adhering to, a contract between you and the data controller; (2) is authorised by Union or member state law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or (3) is based on your explicit consent. These decisions shall not be based on special categories of personal data referred to in Art. 9(1) of the GDPR, unless point (a) or (g) of Art. 9(2) applies and suitable measures to safeguard the rights and freedoms and your legitimate interests are in place. In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard the rights and freedoms and your legitimate interests, at minimum the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision. 



10. Right to Lodge a Complaint with a Supervisory Authority 

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular, in the member state of your habitual residence, workplace or place of the alleged infringement, if you consider personal data concerning you to be unlawfully processed under the GDPR. The supervisory authority to which the complaint has been submitted shall inform the appellant of the progress and the outcome of the complaint including any possible judicial remedy in accordance with Art. 78 of the GDPR.