Privacy statement

1. Introduction

With the following information, we would like to give you as a "data subject" an overview of the processing of your personal data by us and your rights under applicable data protection law. The use of our website is generally possible without any indication of personal data. However, if you want to use special services of our enterprise via our website, processing of personal data could become necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we will generally obtain your consent.

The processing of personal data, such as the name, address, or email address, is always in line with the General Data Protection Regulation (GDPR) and in accordance with the country-specific data protection regulations applicable to "Stiftung Planetarium Berlin". By means of this privacy statement, we would like to inform you about the scope and purpose of the personal data collected, used and processed by us.

As the data controller, we have implemented numerous technical and organisational measures to ensure the most complete protection of personal data processed through this website. Nevertheless, Internet-based data transmissions can have security gaps, meaning that absolute protection cannot be guaranteed. For this reason, you are also free to send us personal data by other means, for example by telephone or by post.

2. Controller

The controller in the sense of the GDPR is:

Stiftung Planetarium Berlin, Prenzlauer Allee 80, 10405 Berlin, Germany
Phone: 030 4218450
Fax: 030 42184599
E-Mail: info@planetarium.berlin
Web: www.planetarium.berlin

Manager of the controller: Tim Florian Horn

3. Data Protection Officer

The contact person on the subject of data protection:

Frank Sommerfeld
Actus-IT, Obere Str. 28a, 32108 Bad Salzuflen, Germany
Phone: 05222 921315
E-Mail: info@actus-IT.de

4. Definitions

The privacy statement is based on the terms used by the European legislators when issuing the General Data Protection Regulation (GDPR). Our privacy statement should be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we would like to explain the terms used in advance.

In this privacy statement, we use the following terms, among others:

Personal data

Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subject

The data subject is any identified or identifiable natural person whose personal data is processed by the controller (our company).

Processing

Processing is any operation or set of operations which is performed on personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting its future processing.

Profiling

Profiling is any form of automated processing of personal data, which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location.

Pseudonymisation

Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data is not attributed to an identified or identifiable natural person.

Processor

Processor means a natural person or legal entity, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient

A recipient is a natural person or legal entity, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public bodies which may receive personal data in the context of a specific investigation mandate under European Union or Member State law shall not be considered as recipients.

Third party

Third party means any natural person or legal entity, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.

Consent

Consent is any freely given specific and informed indication of the data subject's wishes which takes the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.
 

5. Legal basis of the processing

Art. 6(1) lit. a GDPR serves as the legal basis for our company’s processing operations in which we obtain consent for a specific processing purpose.

If the processing of personal data is necessary for the performance of a contract to which you are a party, as is the case, for example, with processing operations that are necessary for the delivery of goods or the provision of another service or consideration, the processing is based on Art. 6(1) lit. b GDPR. The same applies to such processing operations that are necessary for the implementation of pre-contractual measures, for example in the case of inquiries about our products or services.

If our company is subject to a legal obligation through which the processing of personal data becomes necessary, such as for the fulfilment of tax obligations, the processing is based on Art. 6(1) lit. c GDPR.

In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were to injure themselves on our premises and as a result their name, age, health insurance details or other vital information needed to be passed to a doctor, hospital or other third party. Then the processing would be based on Art. 6(1) lit. d GDPR.

Finally, processing operations could be based on Art. 6(1) lit. f GDPR. Processing operations which are not covered by any of the above legal bases are based on this legal basis if the processing is necessary for the protection of a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject are not overridden. Such processing is permitted to us in particular because it has been expressly mentioned by the European legislator. In this respect, it has taken the view that a legitimate interest can be assumed if you are a customer of our company (recital 47 sentence 2 GDPR).

6. Technology

6.1 SSL/TLS encryption

This site uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential content, such as orders, login data or contact requests that you send to us as the operator. You can recognise an encrypted connection by the fact that there is a "https://" instead of a "http://" in the address line of the browser and by the lock symbol in your browser line.

When SSL or TLS encryption is enabled, the data you transmit to us cannot be read by third parties.

6.2 Data collection when visiting the website

During the mere informational use of our website, i.e. if you do not register or otherwise transmit information to us, we only collect the data that your browser transmits to our server (in so-called "server log files"). Our website collects a series of general data and information each time you or an automated system access a page. This general data and information is stored in the server log files. The following data can be collected:

  1. browser types and versions used,
  2. the operating system used by the accessing system,
  3. the website from which an accessing system arrives at our website (“referrer”),
  4. the sub-websites that are accessed via an access system on our website,
  5. the date and time of access to the website,
  6. an Internet Protocol address (IP address),
  7. the Internet service provider of the accessing system.

When using this general data and information, we do not draw any conclusions about your person. This information is rather required in order to

  1. deliver the contents of our website correctly,
  2. optimise the content of our website and the advertising for it,
  3. ensure the continuous operability of our IT systems and the technology of our website, and
  4. provide law enforcement authorities with the information necessary for prosecution in the event of a cyber-attack.

We therefore evaluate this data and information statistically and also with the aim of increasing the data protection and data security of our company, and ultimately with the aim of ensuring an optimal level of protection for the personal data we process. The data of the server log files are stored separately from any personal data provided by a data subject.

The legal basis for the data processing is Art. 6(1) sentence 1 lit. f GDPR. Our legitimate interest results from the above purposes of data collection.

7. Cookies

7.1 General information about cookies

We use cookies on our website. These are small files that are automatically created by your browser and stored on your IT system (laptop, tablet, smartphone or similar) when you visit our website. Cookies do not cause any damage to your end device and do not contain viruses, Trojans or other malware.

In the cookie, information is stored that arises in each case in connection with the specific end device used. However, this does not mean that we obtain direct knowledge of your identity.

The use of cookies serves on the one hand to make the use of our website more pleasant for you. We use “session cookies” to recognise that you have already visited individual pages of our website. These are automatically deleted after you leave our site.

In addition, in order to optimise user-friendliness, we also use temporary cookies that are stored on your end device for a certain period of time. When you visit our site again to use our services, it is automatically recognised that you have been with us before and which entries and settings you have made so that you do not have to enter them again.

On the other hand, we use cookies to statistically record the use of our website and to evaluate it for the purpose of optimising our website for you. These cookies enable us to automatically recognise that you have already been to our website when you visit it again. These cookies are automatically deleted after a certain period of time.

The data processed by cookies is used for the above purposes to protect our legitimate interests and those of third parties in accordance with Art. 6(1) sentence 1 lit. f GDPR.

Most browsers accept cookies automatically. However, you can change your browser settings so that no cookies are stored on your computer or that a message always appears before a new cookie is created. However, the complete deactivation of cookies may mean that you cannot use all the functions of our website.

8. Contents of our website

8.1 Registering as a user

You have the possibility to register on our website by providing personal data.

The personal data that is transmitted to us in the process results from the respective input mask that is used for the registration. The personal data you enter is collected and stored exclusively for internal use by us and for our own purposes. We may arrange for it to be passed on to one or more order processors, e.g. a parcel service provider, who will also use the personal data exclusively for an internal use attributable to us.

When you register on our website, the IP address assigned by your Internet Service Provider (ISP) and the date and time of registration are also stored. This data is stored because it is the only way to prevent misuse of our services, and because it may enable the investigation of crimes committed. In this respect, the storage of this data is necessary for our protection. In principle, this data is not passed on to third parties, unless there is a legal obligation to pass it on or the passing on serves the purpose of criminal prosecution.

Your registration with the voluntary provision of personal data also helps us to offer you contents or services which, due to the nature of the matter, can only be offered to registered users. Registered users are free to change the personal data provided during registration at any time or to have it completely deleted from our database.

On request, we will provide you with information about which personal data is stored about you at any time. In addition, we will correct or delete personal data at your request, insofar as this does not conflict with any statutory retention obligations. A data protection officer named in this privacy statement and all other employees are available to the data subject as contact persons in this context.

The processing of your data is in the interest of a comfortable and easy use of our website. This constitutes a legitimate interest within the meaning of Art. 6(1) lit. f GDPR.

8.2 Data processing when opening a customer account and for contract processing

According to Art. 6(1) lit. b GDPR, personal data is collected and processed if you provide it to us for the performance of a contract or when opening a customer account. Which data is collected can be seen from the respective input masks. A deletion of your customer account is possible at any time and can be done by sending a message to the address of the data controller mentioned above. We store and use the data you provide for the purpose of processing the contract. After complete processing of the contract or deletion of your customer account, your data will be blocked in accordance with tax and commercial law retention periods and deleted after the expiry of these periods, unless you have expressly consented to the further use of your data or a legally permissible further use of the data by us is reserved, about which we inform you accordingly below.

8.3 Conclusion of contract for online shop, dealers and shipment of goods

We transmit personal data to third parties only if this is necessary in the context of the contract, such as to the companies entrusted with the delivery of the goods or the credit institution entrusted with the payment processing. A further transmission of the data does not take place except if you have expressly agreed to the transmission. Your data will not be passed on to third parties, e.g. for advertising purposes, without your express consent.

The basis for data processing is Art. 6(1) lit. b GDPR, which permits the processing of data for the fulfilment of a contract or for pre-contractual measures.

8.4 Application management / job exchange

We collect and process the personal data of applicants for the purpose of processing the application. The processing may also take place electronically. This is particularly the case if an applicant submits the relevant application documents to us electronically, for example by email or via a web form on the website. If we conclude an employment contract with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If we do not conclude an employment contract with the applicant, the application documents will automatically be deleted six months after notification of the rejection decision, provided that the deletion is not contrary to any other legitimate interests on our part. Another legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the German General Equal Treatment Act (AGG).

In this respect, data processing is carried out exclusively on the basis of our legitimate interest under Art. 6(1) lit. f GDPR.

8.5 Contacting us / Contact form

When contacting us (e.g. via contact form or email), personal data is collected. Which data is collected in the case of a contact form can be seen from the respective contact form. This data is stored and used exclusively for the purpose of answering your inquiry or contacting you and the associated technical administration. The legal basis for the processing of the data is our legitimate interest in answering your inquiry under Art. 6(1) lit. f GDPR. If your contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6(1) lit. b GDPR. Your data will be deleted after final processing of your inquiry; this is the case if it can be inferred from the circumstances that the matter concerned has been conclusively clarified and provided that there are no legal storage obligations to the contrary.

9. Tools / Miscellaneous

9.1 Google Maps

On our website we use Google Maps (API) from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Google Maps is a web service for displaying interactive (land) maps to visually display geographical information. By using this service, our location is shown to you to make it easier for you to get to us.

As soon as you call up the sub-pages in which the map of Google Maps is integrated, information about your use of our website (such as your IP address) is transmitted to Google servers in the USA and stored there. This happens irrespective of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be directly assigned to your account. If you do not want the assignment to your profile at Google, you must log out before activating the button. Google stores your data (also for users who are not logged in) as usage profiles and evaluates them. Such an evaluation is carried out in particular according to Art. 6(1) lit. f GDPR on the basis of Google's legitimate interests in the insertion of personalised advertising, market research and/or the design of the website in line with requirements. You have the right to object to the creation of these user profiles; you must contact Google to exercise this right.

Google LLC, based in the USA, is certified for the US-European data protection agreement "Privacy Shield", which guarantees compliance with the level of data protection applicable in the EU.

If you do not agree with the future transmission of your data to Google in the context of the use of Google Maps, you also have the option of completely deactivating the Google Maps web service by switching off the JavaScript application in your browser. Google Maps and thus the map display on this website can then not be used. You can view Google's terms of use at http://www.google.de/intl/de/policies/terms/regional.html; the additional terms of use for Google Maps can be found at https://www.google.com/intl/de_US/help/terms_maps.html.

Detailed information on data protection in connection with the use of Google Maps can be found on the Google website ("Google Privacy Policy"): http://www.google.de/intl/de/policies/privacy/.

10. Payment service providers

10.1 PayPal

We have integrated components from PayPal on this website. PayPal is an online payment service provider. Payments are processed via so-called PayPal accounts, which represent virtual private or business accounts. In addition, PayPal offers the possibility to process virtual payments via credit cards if a user does not have a PayPal account. A PayPal account is managed via an email address, which is why there is no traditional account number. PayPal makes it possible to initiate online payments to third parties or to receive payments. PayPal also performs escrow functions and offers buyer protection services.

The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.

If you select "PayPal" as a payment option during the ordering process in our online shop, your data will automatically be transmitted to PayPal. By selecting this payment option, you agree to the transmission of the personal data required for payment processing.

The personal data transmitted to PayPal is usually first name, last name, address, email address, IP address, telephone number, mobile phone number or other data required for the payment processing. Personal data related to the respective order is also necessary for the processing of the purchase contract.

The transmission of data is for the purpose of payment processing and fraud prevention. We transmit personal data to PayPal in particular if there is a legitimate interest in the transmission. The personal data exchanged between PayPal and us may be transmitted by PayPal to credit agencies. The purpose of this transmission is the identity check and credit assessment.

PayPal may share personal information with affiliates and service providers or subcontractors as necessary to fulfil contractual obligations or process the information on our behalf.

You have the option to revoke your consent to the processing of personal data at any time. A revocation does not affect personal data that must be processed, used or transmitted for (contractual) payment processing.

The use of PayPal is in the interest of proper and smooth payment processing. This represents a legitimate interest within the meaning of Art. 6(1) lit. f GDPR.

You can find PayPal's applicable privacy policy at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

11. Our activities on social networks

So that we can also communicate with you on social networks and inform you about our services, we are represented there with our own pages.

We are not the original provider (controller) of these pages, but only use them within the scope of the possibilities offered by the respective providers.

We therefore point out as a precaution that your data may also be processed outside the European Union or the European Economic Area. The use may therefore be associated with data protection risks for you, as the protection of your rights, e.g. to information, deletion, objection, etc., may be more difficult and the processing on the social networks often takes place directly for advertising purposes or for the analysis of user behaviour by the providers, without this being able to be influenced by us. If usage profiles are created by the providers, cookies are often used or the usage behaviour is directly assigned to your own member profile on the social networks (provided you are logged in here).

The described processing of personal data is carried out in accordance with Art. 6(1) lit. f GDPR on the basis of our legitimate interest and the legitimate interest of the respective provider in order to be able to communicate with you in a timely manner or to inform you about our services. Insofar as you as a user must give your consent to data processing with the respective providers, the legal basis refers to Art. 6(1) lit. a GDPR in conjunction with Art. 7 GDPR.

As we do not have access to the providers' databases, we would like to point out that it is best to exercise your rights (e.g. to information, correction, deletion, etc.) directly with the respective provider. For each provider of the social networks used by us, we have listed below further information on the processing of your data in the social networks and on the possibility to exercise your right of objection or revocation (opt-out):

11.1 Facebook

Controller for data processing in Europe:

Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Data protection (Data Policy): https://www.facebook.com/about/privacy

Opt-out and advertising preferences: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen

Facebook has joined the EU-US Privacy Shield Agreement: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active https://de-de.facebook.com/about/privacy/

11.2 Google+ / YouTube

Controller for data processing:

Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Privacy policy: https://policies.google.com/privacy

Opt-out and advertising preferences: https://adssettings.google.com/authenticated

Google has joined the EU-US Privacy Shield Agreement: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

11.3 Twitter

Controller for data processing in Europe:

Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland

Privacy policy: https://twitter.com/de/privacy

Information about your data: https://twitter.com/settings/your_twitter_data

Opt-out and advertising preferences: https://twitter.com/personalization

Twitter has joined the EU-US Privacy Shield Agreement: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active

12. Web analysis

12.1 Matomo

We have integrated the Matomo component on this website. Matomo is an open-source software tool for web analysis. Web analysis is the collection, compilation and evaluation of data about the behaviour of visitors to websites. Among other things, a web analysis tool collects data on the website from which a data subject accessed a website (referrer), which sub-pages of the website were accessed or how often and for how long a sub-page was viewed. Web analysis is mainly used for the optimisation of a website and for the cost-benefit analysis of online advertising.

The software is operated on the server of the controller; the log files, which are sensitive in terms of data protection, are stored exclusively on this server.

The purpose of the Matomo component is to analyse the flow of visitors to our website. We use the data and information obtained, among other things, to evaluate the use of this website and to compile online reports that show the activities on our website.

Matomo sets a cookie on your IT system. The setting of the cookie enables us to analyse the use of our website. Each time one of the individual pages of this website is called up, the internet browser on your information technology system is automatically prompted by the Matomo component to transmit data to our server for the purpose of online analysis. In the context of this technical procedure, we obtain knowledge of personal data, such as the IP address of the data subject, which we use, among other things, to trace the origin of visitors and clicks.

By means of the cookie, personal information, such as the time of access, the location from which an access originated and the frequency of visits to our website, is stored. Each time you visit our website, this personal data, including the IP address of the internet connection you are using, is transmitted to our server. This personal data is stored by us. We do not pass on this personal data to third parties.

You can prevent the setting of cookies by our website at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Such a setting of the Internet browser used would also prevent Matomo from placing a cookie on your information technology system. In addition, a cookie already set by Matomo can be deleted at any time via an Internet browser or other software programmes.

In addition, you have the option to object to and prevent the collection of data generated by Matomo and related to the use of this website. To do this, you must set an opt-out cookie. If your IT system is deleted, formatted or reinstalled at a later date, you must set an opt-out cookie again. With the setting of the opt-out cookie, however, there is a possibility that you will no longer be able to use all the functions of our website.

The use of Matomo is based on Art. 6(1) sentence 1 lit. f GDPR. With the tracking measures used, we want to ensure a needs-based design and the ongoing optimisation of our website. These interests are to be regarded as legitimate interests within the meaning of the above provision.

For more information and the applicable Matomo privacy policy, please visit https://matomo.org/privacy/.

13. Your rights as a data subject

13.1 Right to information (Art. 15 GDPR)

You have the right to receive information about the personal data stored about you, as well as a copy of this data, from us at any time and free of charge.

13.2 Right of rectification (Art. 16 GDPR)

You have the right to request the rectification of inaccurate personal data concerning you. In addition, the data subject has the right to request the completion of incomplete personal data, taking into account the purposes of the processing.

13.3 Deletion (Art. 17 GDPR)

You have the right to demand that we delete the personal data concerning you without delay, provided that one of the reasons provided for by law applies and the processing is not necessary.

13.4 Restriction of processing (Art. 18 GDPR)

You have the right to request that we restrict processing if one of the legal requirements is met.

13.5 Data portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to freely transmit this data to another controller to whom the personal data has been provided, provided that the processing is based on consent under Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

In addition, when exercising your right to data portability under Article 20(1) GDPR, you have the right to obtain that the personal data be transferred directly from one controller to another controller, where technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals.

13.6 Objection (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you carried out on the basis of Article 6(1) lit. e (data processing in the public interest) or lit. f (data processing on the basis of a balance of interests) GDPR.

This also applies to profiling based on these provisions within the meaning of Art. 4 No. 4 GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

In individual cases, we process personal data in order to carry out direct advertising. You may object to the processing of personal data for the purpose of such advertising at any time. This also applies to profiling, insofar as it is associated with such direct advertising. If you object to the processing for direct marketing purposes, we will no longer process the personal data for these purposes.

In addition, you have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes under Article 89(1) GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

You are free to exercise your right to object in relation to the use of information society services by automated means using technical specifications, notwithstanding Directive 2002/58/EC.

13.7 Revocation of consent under data protection law

You have the right to revoke your consent to the processing of personal data at any time with effect for the future.

13.8 Complaint to a supervisory authority

You have the right to complain about our processing of personal data to a supervisory authority responsible for data protection.

14. Routine storage, deletion and blocking of personal data

We process and store your personal data only for the period of time necessary to achieve the purpose of storage or if this is provided for in the legal provisions to which our company is subject.

If the purpose of the storage no longer applies or if a prescribed storage period expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

15. Duration of the storage of personal data

The criterion for the duration of the storage of personal data is the respective statutory retention period. After expiry of the period, the corresponding data is routinely deleted, provided that it is no longer required for the fulfilment or initiation of the contract.

16. Up-to-dateness and modification of the data protection regulations

This privacy policy is currently in effect and was last updated in October 2018.

Due to the further development of our web pages and offers on them or due to changed legal or official requirements, it may become necessary to change this privacy statement. You can access and print out the current privacy statement at any time on the website under "www.planetarium.berlin".