Data Privacy Policy

Use of our website is generally possible without providing personal data. Insofar as personal data (such as name, address, or email addresses) is collected on our pages, this is always done, wherever possible, on a voluntary basis. This data will not be shared with third parties without your explicit consent.

Please note that data transmission over the internet (e.g. communication by email) can have security vulnerabilities. A complete protection of data from access by third parties is not possible.

We expressly object to the use of contact data published within the scope of the legal notice obligation by third parties for the purpose of sending unsolicited advertising and information materials. The operators of these pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam emails.

Data Privacy Declaration

We are very pleased about your interest in our museum. The protection of personal data is of particular importance to the management of the Franz Marc Museum. The processing of personal data is carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with the applicable national data protection laws.

With this privacy notice, the Franz Marc Museum aims to inform the public about the nature, scope, and purpose of the personal data we collect, use, and process. Furthermore, this privacy policy informs data subjects about their rights.

The following information is intended to provide you with an overview of how we handle your personal data and your rights under data protection law. Which specific data is processed and how it is used depends largely on the services requested or agreed upon. Please refer to the information relevant to your situation.

Controller

The controller within the meaning of the General Data Protection Regulation (GDPR), as well as other applicable data protection laws in the member states of the European Union and other regulations related to data protection, is::

Franz Marc Museumsgesellschaft mbH
Franz Marc Park 8–10
82431 Kochel am See
Telefon: +49 (0) 8851-92488-0
E-Mail: info@franz-marc-museum.de

Supervisory Authority Responsible for Data Protection::
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27, 91522 Ansbach
www.lda.bayern.de

What sources and data do we use?

We process personal data that we receive from our customers in the context of our business relationship or the provision of our services. Relevant personal data during the inquiry process or when creating a customer record may include:

• Basic personal data (e.g. salutation, title, name, address and other contact details, date of birth, and nationality)

When entering into and using products or services from the categories listed below, additional personal data may be collected, processed, and stored in addition to the aforementioned information. These may primarily include:

• Account and payment transactions: Order data (e.g. payment instructions), data arising from the fulfillment of our contractual obligations (e.g. payment transaction data)
• Customer contact information: During the initiation of business and throughout the business relationship—particularly through personal, telephone, or written contact, whether initiated by you or by Franz Marc Museumsgesellschaft mbH—further personal data may be generated. These include, for example, information on communication channels, dates, reasons and outcomes of interactions, as well as (electronic) copies of correspondence.

For what purposes do we process your data, and on what legal basis?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

a) For the performance of contractual obligations (Art. 6(1)(b) GDPR)

Data is processed for the purpose of providing business services (e.g. processing orders) based on the contracts we enter into with our customers or upon their request. The specific purposes of the data processing depend primarily on the respective product or service. Further details can be found in the relevant contractual documents and terms and conditions.

b) Based on a balancing of interests (Art. 6(1)(f) GDPR)

Where necessary, we also process your data beyond the performance of the contract in order to safeguard our legitimate interests or those of third parties. This may include, for example:

• Ensuring IT security and IT operations of the museum,
• Prevention and investigation of criminal offences,
• Measures for building and facility security,
• Measures for building and facility security,
• Measures to ensure domestic authority,
• Business management measures and development of services and products,
• Marketing purposes (e.g. advertising, market and opinion research), or
• stablishing and defending legal claims in the context of legal disputes

c) Based on your consent (Art. 6(1)(a) GDPR)

Insofar as you have given us consent to process personal data for specific purposes (e.g. sharing data, use for marketing purposes, photography or video recording during events, newsletter distribution), the processing is lawful on the basis of your consent. You may revoke your consent at any time. This also applies to consents granted before the GDPR came into effect on May 25, 2018. Please note that any withdrawal of consent only takes effect for the future and does not affect the lawfulness of data processed before the withdrawal.

d) Based on legal obligations (Art. 6(1)(c) GDPR) or for reasons of public interest (Art. 6(1)(e) GDPR)
As a service provider, we are subject to various legal obligations, i.e. statutory requirements (e.g. commercial or tax laws).

Who receives my data?

Within the Franz Marc Museum, only those departments and individuals have access to your data who require it to fulfill our contractual and legal obligations. In addition, service providers and agents contracted by us may receive data for these purposes, provided they comply with data protection regulations. These may include companies in the following categories: payment services, IT services, logistics, printing services, telecommunications, debt collection, consulting, sales, and marketing.

With regard to the transfer of data to recipients outside the Franz Marc Museum, please note that we are obligated to maintain confidentiality regarding all customer-related information and assessments of which we become aware. We may only disclose such information if there is a legal obligation, if you have given your consent, or if we are otherwise authorized to do so. Under these conditions, recipients of personal data may include:

• Public authorities and institutions (e.g. tax authorities or law enforcement agencies) in the event of a legal or regulatory obligation,
• Credit and financial institutions or similar entities to whom we transfer personal data in the course of our business relationship with you,
• Creditors or insolvency administrators who request information within the context of enforcement proceedings,
• Third parties involved in the payment process (e.g. service providers conducting valuations),
• Service providers engaged by us under data processing agreements.

Other recipients may include those entities to whom you have given us your consent to transfer data.

Is data transferred to a third country or an international organization?

Data may be transferred to entities located in countries outside the European Union (so-called third countries) if:

• the transfer is necessary for the performance of your requests or orders (e.g. newsletter distribution),
• it is required by law (e.g. tax reporting obligations), or
• you have given us your consent.

If we use service providers in a third country, they are obligated to comply with the European level of data protection not only through contractual agreements and written instructions, but also by concluding the EU Standard Contractual Clauses.

For details on which data may be transferred to countries outside the EU, please refer to our full privacy policy.

How long will my data be stored?

We process and store your personal data for as long as it is necessary to fulfill our contractual and legal obligations.

Once the data is no longer required for these purposes, it is routinely deleted, unless its continued — temporary — processing is necessary for the following reasons:

Compliance with commercial and tax law retention obligations, which may arise from legislation such as the German Commercial Code (HGB) or the Fiscal Code (AO). The retention and documentation periods specified there typically range from two to ten years.

Preservation of evidence in accordance with statutory limitation periods. According to §§ 195 et seq. of the German Civil Code (BGB), these limitation periods may be up to 30 years, although the standard limitation period is 3 years.

What data protection rights do I have?

1. Right to confirmation
Every data subject has the right to obtain confirmation from the controller as to whether personal data concerning them is being processed. To exercise this right, the data subject may contact a member of the controller’s staff at any time.

2. Right to access
Data subjects have the right to obtain, at any time and free of charge, information about the personal data stored about them and to receive a copy of this information. This includes:

• the purposes of the processing;
• the categories of personal data processed;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly in third countries or international organizations;
• where possible, the planned duration of storage, or the criteria used to determine that duration;
• the existence of rights to rectification, erasure, restriction of processing, or objection;
• the existence of rights to rectification, erasure, restriction of processing, or objection;
• if the personal data was not collected from the data subject, all available information on its origin;
• dif the personal data was not collected from the data subject, all available information on its origin;
• Additionally, data subjects have the right to know if their data has been transferred to a third country or international organization, and, if so, to be informed of the appropriate safeguards in place.

3. Right to rectification
Data subjects have the right to request the immediate correction of inaccurate personal data and the completion of incomplete personal data, including by means of a supplementary statement.

4. Right to erasure (“right to be forgotten”) 
Data subjects have the right to request the immediate correction of inaccurate personal data and the completion of incomplete personal data, including by means of a supplementary statement.

• the data are no longer necessary for the purposes for which they were collected;
• the data subject withdraws their consent and there is no other legal basis for processing;
• the data subject objects to processing and there are no overriding legitimate grounds;
• the data have been unlawfully processed;
• the data have been unlawfully processed;
• erasure is required by law under Union or Member State law;
• the data were collected in relation to information society services offered to children.

If personal data have been made public and the controller is obliged to erase them, the controller shall take reasonable steps to inform other controllers processing the data that the data subject has requested erasure of all links to or copies of the personal data.

5. Right to restriction of processing
Data subjects have the right to request restriction of processing where one of the following applies:

• the accuracy of the data is contested, for a period enabling verification;
• the processing is unlawful and the data subject opposes erasure;
• the controller no longer needs the data but the data subject requires them for legal claims;
• the data subject has objected to processing and the verification of legitimate grounds is pending.

6. Right to data portability
Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit those data to another controller without hindrance, where the processing is based on consent or contract and carried out by automated means. Where technically feasible, this right includes the direct transfer of data from one controller to another.

7. Right to object
Data subjects have the right to object at any time to the processing of personal data based on legitimate interests or performance of a task in the public interest. In such cases, we will stop processing unless we can demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the data subject, or if processing serves legal claims.

If personal data are processed for direct marketing purposes, data subjects may object at any time. We will no longer process data for these purposes upon objection.

This right also applies to processing for scientific, historical, or statistical purposes unless necessary for a task in the public interest.

8. Automated individual decision-making
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects them, unless:

• it is necessary for entering into or performing a contract;
• it is necessary for entering into or performing a contract;
• it is authorized by Union or Member State law and provides suitable safeguards.

Where such decisions are made, appropriate measures will be taken to safeguard the data subject’s rights, including the right to obtain human intervention, express their point of view, and contest the decision.

9. Right to withdraw consent 
Data subjects have the right to withdraw consent to the processing of personal data at any time. This also applies to consents given before the GDPR came into force on May 25, 2018. The withdrawal applies only to future processing and does not affect the lawfulness of processing prior to the withdrawal.

10. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of your personal data is unlawful.

Am I obliged to provide personal data?

In the context of our business relationship, you are required to provide those personal data that are necessary for establishing, conducting, and terminating the business relationship and for fulfilling the associated contractual obligations, or that we are legally obligated to collect. Without these data, we will generally not be able to enter into, perform, or conclude a contract with you.

To what extent is automated decision-making used?

As a rule, we do not use fully automated decision-making processes as defined in Article 22 of the GDPR for establishing or carrying out our business relationships. Should we use such processes in individual cases, we will inform you separately in accordance with legal requirements and explain your rights in this regard.

Information about cookies and tracking

Detailed information about the cookies, tracking technologies, and scripts used can be found in our cookie consent tool.

Please note: This privacy policy is updated regularly and adjusted to reflect new legal requirements.

Last updated: May 2025