Duties of information pursuant to Art. 12, 13 et seq. GDPR

Data Privacy Statement by VG Bild-Kunst

Data form the very basis enabling us to provide an excellent service and to perform the tasks assigned to us by our members in the best possible manner. We attach great importance to cultivating a trusting relationship with our members, which is why VG Bild-Kunst takes the protection of personal data so seriously. It goes without saying that we observe and respect the statutory provisions on data protection and data privacy.

In order to be able to further develop and optimise our Internet services on the website, all visits to the site are logged. The protocols contain details of the IP address in current use, the date and time, type of browser, operating system and the sites viewed. As a general rule, the information provided is not personally identifiable, nor is this intended.

1. Name and address of the controller

Your contact as controller within the meaning of the European General Data Protection Regulation (GDPR), other national data protection laws of the Member States and other data protection regulations is:

VG Bild-Kunst
Association with legal capacity by state charter
Weberstr. 61
53113 Bonn
Germany
Phone: +49 (0)228 915340
Fax: +49 (0)228 9153439

(referred to hereinafter as “we”, “us” or “our”)

2.Name and address of the data protection officer

We take the protection of your personal data very seriously. To give expression to this importance, we have commissioned a consulting firm that specialises in data protection and data security to handle these central issues for us. Our data protection officer also comes from this very experienced group of experts. Our data protection officer is:

MAGELLAN Rechtsanwälte, Galileiplatz 1, 81679 Munich
email: datenschutz@bildkunst.de

3.About data processing in general

a. Scope of the processing of personal data
In principle, we only process your personal data to the extent that is required in order to perform our services. Your personal data are generally only processed on the basis of your consent. The exception is in those cases where practical reasons make it impossible for us to obtain your prior consent, or the law gives us permission to process your personal data.

b. Legal basis for the processing of personal data
Where we obtain consent from you for the processing of personal data, our legal basis for doing so is point (a) of Art. 6 (1) GDPR.

For the processing of personal data that is necessary in order to perform a contract between you and us, our legal basis for doing so is point (b) of Art. 6 (1) GDPR. This also applies for processing operations that are necessary in order to take steps prior to entering into a contract.

Where the processing of personal data is necessary in order to comply with a legal obligation to which we are subject, our legal basis for doing so is point (c) of Art. 6 (1) GDPR.

For the case that vital interests of yours or another natural person make it necessary to process personal data, our legal basis for doing so is point (d) of Art. 6 (1) GDPR.

Where processing is necessary for the purposes of a legitimate interest pursued by us or a third party, and if your interests, basic rights or basic freedoms do not override the former interest, our legal basis for the processing is point (f) of Art. 6 (1) GDPR.

c. Erasure of data and duration of storage
Your personal data will be erased or blocked as soon as the purpose of storage no longer applies. They may be stored for longer if this has been provided for by European or national legislators in Union regulations, laws or other provisions to which we are subject. The data will also be erased or blocked when a time limit for storage specified by one of the above standards expires, unless it is necessary to continue storing the data in order to enter into or perform a contract.

4.Provision of the website and creation of log files

a. Legal basis for data processing
The legal basis for the processing of your personal data for the purposes of providing the website and creating log files is point (f) of Art. 6 (1) GDPR.

b. Purpose of data processing
We have to store your personal data temporarily in order to enable the website to be delivered to your computer. This requires your personal data to be stored for the duration of the session.

Your personal data are stored in log files in order to ensure the functionality of the website. We also use your personal data to optimise the website and to ensure the security of our IT systems. Your personal data will not be analysed for marketing purposes in this regard.

These purposes also constitute a legitimate interest of ours in the processing of personal data in accordance with point (f) of Art. 6 (1) GDPR.

c. Duration of storage
Your personal data will be erased as soon as they are no longer necessary in order to achieve the purpose for which they were collected. Where your personal data are collected for the purpose of providing the website, this is the case as soon as the respective session ends.

Where your personal data are stored in log files, these will be deleted after not more than seven days. It is possible for them to be stored for longer, in which case your personal data will be erased or anonymised so that the accessing client can no longer be ascertained.

d. Right to object and right of removal
The recording of your personal data for the provision of the website and their storage in log files are absolutely essential for the operation of the website. Consequently, you do not have any right to object.

5. Use of cookies

a. Legal basis for data processing
The legal basis for the processing of your personal data for the purposes of using technically necessary cookies is point (f) of Art. 6 (1) GDPR.

b. Purpose of data processing
Technically necessary cookies are used in order to make it easier for you to use our website. Some of the functions of our website cannot be offered without the use of cookies. For them to work, it is essential that your internet browser is recognised again after a change of page. The user data collected by technically necessary cookies are not used in order to create user profiles.

This purpose also constitutes a legitimate interest of ours in the processing of your personal data in accordance with point (f) of Art. 6 (1) GDPR.

c. Duration of storage
Your personal data will be erased as soon as they are no longer necessary in order to achieve the purpose for which they were collected; this is particularly the case if cookies are disabled.

d.    Right to object and right of removal
Cookies will be stored on your computer and transmitted from it to our website. You therefore have full control over the use of cookies. You can disable or restrict the transmission of cookies by making the corresponding settings in your internet browser. Cookies that are already stored can be deleted at any time. This can also be done automatically. If cookies for our website are disabled, you may no longer be able to make full use of all the functions of the website.

6. Newsletter

a. Legal basis for data processing
The legal basis for the processing of your personal data for the purposes of sending the newsletter is point (a) of Art. 6 (1) GDPR, where consent has been given, or the statutory permission under section 7 (3) of the German Unfair Competition Act (UWG) following the sale of goods or services.

b. Purpose of data processing
Your personal data will be collected in order for us to send you the newsletter. The purpose of the processing of your personal data for the purposes of sending the newsletter is to promote the sale of goods or services.

c. Duration of storage
Your personal data will be erased as soon as they are no longer necessary in order to achieve the purpose for which they were collected. Your personal data will accordingly be stored for as long as the subscription to the newsletter is active.

d. Right to object and right of removal
You can cancel your subscription to the newsletter at any time. Every newsletter contains a link that enables you to do so. Cancellation of the subscription likewise enables consent to be withdrawn.

7. Registration

a. Legal basis for data processing
The legal basis for the processing of your personal data for the purposes of registration is point (b) of Art. 6 (1) GDPR.

b. Purpose of data processing
Your registration makes it easier for you and us to enter into usage agreements and grant permission for use. The processing of your personal data for the purposes of registration is therefore necessary in order to perform a contract between you and us or to take steps prior to entering into a contract.

c. Duration of storage
Your data will be erased as soon as they are no longer necessary in order to achieve the purpose for which they were collected. For the data collected during the registration process in order to perform a contract or to take steps prior to entering into a contract, this is the case when your personal data are no longer necessary for the performance of the contract. It may be necessary to store personal data of the other party to the contract even after it has been concluded in order to comply with contractual or legal obligations.

d. Right to object and right of removal
You can cancel your registration at any time. You can have the personal data stored about you modified at any time. If your personal data are necessary in order to perform a contract or to take steps prior to entering into a contract, it will only be possible to erase your personal data early if contractual or legal obligations do not prohibit erasure.

8. Contact form and making contact by email

a. Legal basis for data processing
The legal basis for the processing of your personal data for the purposes of making contact using the contact form or by email is point (f) of Art. 6 (1) GDPR. The aim of making contact using the contact form or by email is to enter into a contract, so point (b) of Art. 6 (1) GDPR is an additional legal basis for processing.

b. Purpose of data processing
If you contact us using the contact form or by email, we process your personal data solely in order to deal with this contact.

c. Duration of storage
Your personal data will be erased as soon as they are no longer necessary in order to achieve the purpose for which they were collected. For the personal data sent using the contact form or by email, this is the case when the conversation with you has ended. The conversation has ended if it can be assumed from the circumstances that the relevant issue has been finally clarified between you and us.

d. Right to object and right of removal
You can at any time object to the processing of your personal data for the purposes of making contact using the contact form or by email. This will then have effect for the future. In such a case the conversation between you and us can no longer be continued and all personal data saved in the course of the contact will be erased.

9. Web tracking and web analysis by Matomo (formerly PIWIK)

a. Legal basis for data processing
The legal basis for the processing of your personal data is point (f) of Art. 6 (1) GDPR.

b. Purpose of data processing
Processing your personal data enables us to analyse your surfing behaviour. By analysing the data obtained, we can compile information on how the individual components of our website are used. This helps us constantly improve our website and its user-friendliness. These purposes also constitute a legitimate interest of ours in the processing of your personal data in accordance with point (f) of Art. 6 (1) GDPR.

c. Duration of storage
Your personal data will be erased as soon as it is no longer needed for our purposes stated above. For us this is the case after 7 days.

d. Right to object and right of removal
Cookies will be stored on your computer and transmitted from it to our website. You therefore have full control over the use of cookies. You can disable or restrict the transmission of cookies by making the corresponding settings in your internet browser. Cookies that are already stored can be deleted at any time. This can also be done automatically. If cookies for our website are disabled, you may no longer be able to make full use of all the functions of the website.

More information about the privacy settings of the Matomo software can be found at https://matomo.org/docs/privacy/.

10. Legal defence and enforcement of rights

a. Legal basis for data processing
The legal basis for the processing of your personal data for the purposes of legal defence and the enforcement of rights is point (f) of Art. 6 (1) GDPR.

b. Purpose of data processing
The purpose of processing your personal data for legal defence and the enforcement of rights is to avert any unjustified utilisation and to legally enforce claims and rights. This purpose also constitutes a legitimate interest of ours in the processing of personal data in accordance with point (f) of Art. 6 (1) GDPR.

c. Duration of storage
Your personal data will be erased as soon as they are no longer necessary in order to achieve the purpose for which they were collected.

d. Right to object and right of removal
The processing of your personal data for the purposes of legal defence and the enforcement of rights is absolutely essential for the legal defence and enforcement of rights. Consequently, you do not have any right to object

11. Categories of recipient

Within our company personal data are given to those departments and offices that need them in order to fulfil the purposes set out above. We also sometimes make use of different service providers and send your personal data to other trusted recipients. These could include

  • banks;
  • scanning services;
  • print shops;
  • letter shops;
  • IT service providers;
  • lawyers and courts;
  • collecting societies with which reciprocal contracts exist.

12. Rights of data subjects

If we process your personal data, you are a data subject within the meaning of the GDPR and have the following rights vis-à-vis us:

a. Right of access
You can at any time demand that we confirm whether we process personal data concerning you.

If we do, you can require us to provide you with the following information:

(1) the purposes for which the personal data are processed;
(2) the categories of personal data that are processed;
(3) the recipients or categories of recipient to whom the personal data concerning you were or will be disclosed;
(4) the planned period for which the personal data concerning you will be stored or, if it is not possible to provide specific information on this, the criteria used to determine that period;
(5) the existence of a right to have the personal data concerning you rectified or erased, a right to restrict the processing by us and a right to object to this processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) all available information about the origin of the data, if the personal data are not collected from you;
(8) the existence of automated decision-making including profiling pursuant to Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

You also have the right to demand information on whether the personal data concerning you are transferred to a third country or an international organisation. In this regard you can demand to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in relation to the transfer.

b. Right to rectification
You have a right to rectification and/or completion by us if the processed personal data concerning you are inaccurate or incomplete. We must carry out the rectification without undue delay.

c. Right to restriction of processing
Under the conditions set out below, you can demand that the processing of the personal data concerning you be restricted:

(1) you contest the accuracy of the personal data concerning you, for a period enabling us to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
(4) you have objected to processing pursuant to Art. 21 (1) GDPR, pending verification whether our legitimate grounds override your grounds.

If the processing of the personal data concerning you were restricted, these data may – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing was restricted in accordance with the above requirements, we will inform you before the restriction is lifted.

d. Right to erasure

I. Duty of erasure
You can demand that we erase personal data concerning you without undue delay, and we will be obliged to remove such personal data without undue delay where one of the following applies:

(1) the personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) you withdraw consent on which the processing is based according to point (a) of Art. 6 (1) or point (a) of Art. 9 (2) GDPR, and where there is no other legal ground for the processing;
(3) you object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR;
(4) the personal data concerning you have been unlawfully processed.
(5) the personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which we are subject; or
(6) the personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.

II. Information to third parties
If we have made the personal data concerning you public and are obliged pursuant to Art. 17 (1) GDPR to erase them, then we, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

III. Exceptions
The right to erasure does not exist to the extent that the processing is necessary:

(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
(3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Art. 9 (2) as well as Art. 9 (3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR in so far as the right referred to in paragraph (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.

e. Right to notification
If you have exercised your right to have us rectify or erase the personal data concerning you or restrict their processing, we are obliged to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom the data have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to have us inform you about these recipients.

f. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from us where:

(1) the processing is based on consent pursuant to point (a) of Art. 6 (1) or point (a) of Art. 9 (2) GDPR or on a contract pursuant to point (b) of Art. 6 (1) GDPR; and
(2) the processing is carried out by automated means.

In exercising this right to data portability, you also have the right to have the personal data transmitted directly from us to another controller, where technically feasible. This must be without prejudice to the freedoms and rights of other persons.

The right to data portability does not apply to the processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

g. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on points (e) or (f) of Art. 6 (1) GDPR, including profiling based on those provisions.

We will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

h. Right to withdraw consent under data protection regulations
You have the right at any time to withdraw consent given under data protection regulations. Withdrawal of consent will be without prejudice to the lawfulness of the processing performed on the basis of consent until withdrawal.

i. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning yourself or similarly significantly affects you. This does not apply if the decision:

(1) is necessary for entering into, or performance of, a contract between you and us;
(2) is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and your legitimate interests; or
(3) is based on your explicit consent.

Nevertheless, these decisions may not be based on special categories of personal data referred to in Art. 9 (1) GDPR unless point (a) or point (g) of Art. 9 (2) GDPR applies and suitable measures to safeguard your rights and freedoms and your legitimate interests are in place.

In the cases referred to in (1) and (3) above, we will implement suitable measures to safeguard your rights and freedoms and your legitimate interests, at least the right to obtain human intervention on the part of us, to express your point of view and to contest the decision.

j. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority competent for us is:

Deutsches Patent- und Markenamt [German Patent and Trade Mark Office]
Zweibrückenstr. 12
80331 Munich
Phone: +49 (0)89 21950

The supervisory authority with which you have lodged the complaint will inform you on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

Please do not hesitate to contact our Data Protection Officer at any time if you have any queries.


13. prevent Tracking