Data Protection Declaration

1.    General information

The protection of your personal data is particularly important to us. We process your personal data exclusively in accordance with the legal provisions (DSGVO, DSG, TKG 2021).

In order to make our website available, sell our goods, and provide our services, we process information related to you — so-called personal data, hereinafter referred to as “data.” The term “processing” refers to any handling of these data, including the collation, storage, use, or deletion of personal data.

In the context of this Data Protection Declaration, we are pleased to inform you about the processing of your personal data and about your rights and entitlements as set out in the data protection regulations.

If you have any complaints, questions, or suggestions regarding the subject of data protection, we and our data protection officer are always at your disposal and would be happy to assist you via the contact details provided below.
 

The person responsible for processing your personal data is:

 

Museen der Stadt Wien
Karlsplatz 8
1040 Vienna
T: +43 (0)1 505 87 47
E: office@wienmuseum.at

 

The contact details of the Data Protection Officer are:

Museen der Stadt Wien
Karlsplatz 8
1040 Vienna
T: +43 (0)1 505 87 47 84035
E: datenschutz@wienmuseum.at 

2.    Data processing in the context of our website and online services

2.1.    General information
In the context of our website and online services, we process data that you provide to us (e.g., when placing an order), through logs (for security reasons, our server logs who makes requests), and through cookies (small text files that are stored on your device and contain information that enables you to be recognized).
The web server for the operation of our website is technologically operated by a contracted processor, abaton EDV-Dienstleistungs GmbH, from the computer center at Raiffeisen Raaba, Hans-Resel-Gasse 17, 8020 Graz.

Cookies
Cookies are small text files that are stored on your device. We use the following technically necessary cookies for the operation and display of our website:

 

  • omCookieConsent: This cookie saves the settings of website visitors as selected in the cookie banner. These are saved for one year.

 

  • Fe_typo_user: This cookie saves the access data entered when a user logs in to a restricted area. These are only saved for the duration of the session.

 

We use technically necessary cookies due to our legitimate interest in operating the website and improving our internet presence.

We use any additional cookies (for marketing purposes, social media, etc.) based on our legitimate interest and with your consent. You can find further information about cookies under the respective sections of this Data Protection Declaration.

To prevent third-party cookies from being set, you can block so-called third-party cookies in your browser. You can find instructions on how to do this for the most common browsers here:

 

Firefox: here
Chrome: here
Microsoft Edge: here
Safari: In Apple’s Safari, third-party cookies are blocked by default.

 

2.2.    Data processing for the operation and security of our website and online services (server logs)

 

2.2.1.    Server logs

Purpose of processing: When you access our website, the web server collates usage data (so-called server logs). The collation of these data is necessary in order to enable the technical establishment of the connection to our server and the use of the website. In addition to this, these data help us to defend against and analyze attacks.  

The following server logs are collated: The IP address of the end device, together with the date, time, request, which data are requested (name and URL), the quantity of data transferred to you, a report of whether the request was successful, recognition data of the browser and operating system that were used, and the website, from which access was made (if it was made via a link).

Legal basis of the processing: Your data is processed due to our legitimate interest in ensuring the operation of the service and the security of the system.
 

Recipients of the data:

  • The web server for the operation of our website is technologically operated by a contracted processor, abaton EDV-Dienstleistungs GmbH, from the computer center at Raiffeisen Raaba, Hans-Resel-Gasse 17, 8020 Graz. If a hacker attack takes place, the data from the server logs are passed on to law enforcement authorities. These data are not passed on to any other third party.

 

  • In addition to this, we use “amepheas” from the service provider amepheas GmbH, Heiligenstädter Lände 27c, 1190 Vienna, to operate our online shop. This company works for us as a contracted processor, meaning that it may only use your data to process specific orders and is contractually obliged to us to comply with all legal data protection regulations.

 

Further information:

  • The server logs at abaton are saved for a maximum of one month.
  • The server logs at amepheas are saved for a maximum of 90 days.

 

2.3.    Social media plugins

We use so-called “social media plugins” on our website. Such plugins enable content or interactive elements from social media services to be displayed. When visiting our website, which displays relevant symbols, your browser establishes a connection with the respective server of the social media operator. Data can then be transmitted to the social media operator via plugins and used by them. The direct connection between your browser and social media provider’s server always requires your consent to transmit the data.

 

2.4.    Data processing for marketing purposes

 

2.4.1.    Web analysis with Matomo

We use the function of the web analysis service Matomo to analyze user behavior and optimize our website and internet presence. When you access our website, the web server collates usage data, i.e., server logs. These data are analyzed in order to evaluate the number of visitors to the website and their user behavior. This allows user statistics to be created, which enables the website to be optimally adapted in the interest of our visitors.

 

Matomo records the following server logs for the purposes of web analysis:

 

  • IP address of the end device, from which our website is accessed;
  • Recognition data of the browser and operating system that are used; 
  • Date, time, and duration of access;
  • Name of the retrieved data or information;
  • Quantity of transferred data;
  • A report of whether the request was successful;
  • Internet addresses of the websites through which our website is accessed;
  • Internet addresses of the websites that are accessed via our website.

 

You can find further information about Matomo in Matomo’s privacy policy.

 

Legal basis: The processing of server logs to create user statistics is based on our legitimate interest in improving our offers and our internet presence.

 

Recipients of the data: No data are passed on to third parties. We evaluate the collected data ourselves.

 

Storage period: We store your data for a maximum of six months.

 

Further information: You are free to object to an analysis of your user behavior. To do so, simply click on the checkbox shown on top of the page and remove the corresponding “tick.” Please note that this deselection will better protect your privacy but will deprive the website operator of the opportunity to learn from your user behavior and ultimately improve usability.

 

Your data is currently being collated by Matomo. By deselecting this checkbox, this data collection will be stopped.

 

 

2.5.    Data processing by Captcha Tool

Captcha Tools calculate the probability that entries in web forms are actually made by a human and are intended to prevent bot entries. Our website uses a tool from Captacha GmbH, 1190 Vienna, with which we have concluded an order processing contract in accordance with data protection standards. Personal data is processed, namely the IP address (shortened), computer model, browser version and referrer website (i.e. the page from which the visitor comes), writing of a cookie or local storage value; mouse movements and time intervals of keyboard strokes. You can find more detailed information here. The purpose of this processing is to provide challenge-response authentication. The legal basis for this data processing is based on Article 6(1)(f) GDPR, namely the legitimate interests of our company in preventing automated and fraudulent entries. The data is deleted as soon as it is no longer required for the stated processing purpose. Processed data is stored for a maximum of six months. 

3.    Data processing for purposes of direct advertising:

Purpose and legal basis of the processing

 

  • If we have received your contact details in connection with a sale or service, we also process these data in order to be able to send you (advertising) information about similar products and services by post, e-mail (including newsletters), and/or SMS based on our legitimate interest.

 

  • If you have subscribed to our newsletter, you will receive regular information from us by e-mail about our range of services and any updates regarding the museum. If you no longer wish to be contacted by us, simply let us know under newsletter@wienmuseum.at or use the unsubscribe link in the newsletter.

 

Legal basis of the processing: Your data are processed with your consent.

 

Recipients of the data: The following service provider receives your data in order to create and send the newsletter on our behalf:

 

“mailworx,” an e-mail marketing platform from the service provider Network & Internet GmbH, Hanriederstraße 25, 4150 Rohrbach-Berg. This company works for us as a contracted processor, meaning that it may only use your data to process specific orders and is contractually obliged to us to comply with all legal data protection regulations.

 

Further information: We process your data based on our legitimate interest until the end of the third year after last having been in contact with you or until you object to the processing of your data — whichever one occurs first. If your data is processed with your consent, we will continue to process your data until you revoke or unsubscribe from the newsletter.

4.    Data processing in the context of business operations

4.1.    Data processing in the context of making contact

Purpose of the processing: If you contact us (e.g., by e-mail, contact form, or telephone), we will process the data you provided during this exchange only to the extent that is needed to process or execute the request.

 

Legal basis of the processing: Your data are processed in order to carry out pre-contractual measures, to fulfill a contractual relationship, or based on our legitimate interest in organizing the response to your request.

 

Recipients of the data: These data are only transmitted provided that this transmission is essential for responding to the request.

 

Further information: We process your data for as long as is necessary to process the request and for a maximum of one month.

 

4.2.    General data processing in the context of our shop

Purpose of the processing: If you place an order with us, we will process your data for the purposes of executing the order, answering questions that you ask us in connection with your order, and formally carrying out the part of business we are responsible for in the context of our business relationship.

Legal basis of the processing: We process your data in order to fulfill a contract or on the basis of a legal requirement in the context of a business relationship (or in order to execute this).

 

Recipients of the data: If it is necessary to transmit data relevant to a certain individual case in order to fulfill the contract or on the basis of a legal requirement, these will be passed on to the following categories of recipients:

 

  • Banks
  • Legal representatives
  • Accountants, auditors, and tax advisors
  • Courts
  • Responsible statutory authorities
  • Debt collectors
  • Third-party lenders
  • Contractual and business partners
  • Insurance companies
  • Statistik Österreich (Statistics Austria)
  • Transport companies
  • Suppliers
  • Computer centers as contracted processors

 

In addition to this, we use “amepheas” from the service provider amepheas GmbH, Heiligenstädter Lände 27c, 1190 Vienna, to operate our online shop. This company works for us as a contracted processor, meaning that it may only use your data to process specific orders and is contractually obliged to us to comply with all legal data protection regulations.

 

Further information: We only process your data for as long as is necessary to fulfill the contract or due to legal requirements (e.g., obligation to retain information for tax or company law purposes). We generally retain data for seven years.

 

The following cookies are stored by amepheas on your device:

 

  • Name: ticketshop_session. Purpose: Assigns the browser to a session on the server. This only influences the content that is seen by visitors and is neither evaluated nor processed further by us. Length of storage: 1 year.

  • Name: cookie consent. Purpose: Saves consent to the use of cookies. Length of storage: 1 year.

  • Name: XSRF-TOKEN. Purpose: “Cross-Site Request Forgery Token” is generated when a form is filled out and automatically deleted after it is submitted. Length of storage: limited.

 

4.3.    General data processing in the context of membership

Purpose of processing: If you would like to be or already are a member of the museum, we process your data in order to register or manage your membership and to formally deal with the business transactions that we are responsible for in the context of a business relationship. This also includes the processing of your data in order to provide you with member benefits (e.g., exclusive guided tours, exhibition visits, etc.), to organize events and guided tours, and to administer members.

 

Data necessary for membership: Fields specially marked (*) in the application form are necessary for a membership (for completion of the contract). Without providing this information, you cannot join the “Wien Museum – Förderverein” (Wien Museum’s booster club) as a member. All other fields with additional information are optional.

 

Legal basis of the processing: Your data are processed in order to carry out pre-contractual measures, to fulfill a contractual relationship, or due to legal requirements in the context of a business relationship (or in order to execute this).

 

Recipients of the data: Data are not transmitted to third parties unless you have specifically given consent.

 

Further information: As long as you remain a member, we process your data in order to fulfill our obligations and protect your interests (e.g., for exclusive guided tours). If you leave the “Wien Museum – Förderverein” (Wien Museum’s booster club), your data are deleted as soon as the retention periods required by laws and statutes have expired. This period varies depending on the different data categories. Evidence that must be kept for a certain period, such as the seven years required by tax law, is only deleted after this period has expired.

 

4.4.    General data processing in the context of the annual ticket

Purpose of processing: If you purchase an annual ticket from us, we process your data in order to register your application, complete the contract, and to formally deal with the business transactions that we are responsible for in the context of a business relationship. This also includes the processing of your data in order to provide you with related benefits (e.g., unlimited access to special exhibitions, discounts, etc.), to organize events, and to administer annual ticket holders.

 

Data necessary for membership: Fields specially marked (*) in the application form are necessary for completing the contract. Without this information, you cannot receive an annual ticket. All other fields with additional information are optional.

 

Legal basis of the processing: Your data are processed in order to carry out pre-contractual measures, to fulfill a contractual relationship, or due to legal requirements in the context of a business relationship (or in order to execute this).

 

Recipients of the data: Data are not transmitted to third parties unless you have specifically given consent. 

 

Further information: As long as your annual ticket remains valid, we process your data in order to fulfill our obligations and protect your interests (e.g., for discounts). When your annual ticket expires, your data are deleted as soon as the retention periods required by laws and statutes have expired. This period varies depending on the different data categories. Evidence that must be kept for a certain period, such as the seven years required by tax law, is only deleted after this period has expired.

 

4.5.    Data processing for the organization of events

Purpose of processing: If you register with us for an event, we process your data (first name, surname, e-mail address, telephone number, number of participants) in order to complete the registration, to organize and carry out the event, to answer any questions that you may ask in connection with your registration, and to formally deal with the business transactions that we are responsible for in the context of a business relationship.

 

Legal basis of the processing: Your data are processed in order to fulfill a contract or on the basis of a legal requirement in the context of a business relationship (or in order to execute this).

 

Recipients of the data: If it is necessary to transmit your data for reasons determined by the event in question, due to a legal requirement, or for our legitimate interest, these data will be passed on to the following categories of recipients:

 

  • Contractual partners
  • Insurance companies

 

Further information: We only process your data for as long as is necessary to fulfill the contract or due to legal requirements (e.g., obligation to retain information for tax or company law purposes). We generally retain data for seven years.

 

Please note that we may take photographs or make video recordings during the event in order to document it and for the purpose of media coverage (e.g., in journals, magazines, and publications or on websites and social media platforms).

 

These recorded images are processed on the basis of our legitimate interest. Our legitimate interest lies in documenting and presenting our activities. When publishing recorded images, care will be taken not to infringe the legitimate interest of the people depicted.

 

4.6.    Data processing in the context of an application process

Purpose of processing: If you apply for a position with us, we will process your data in order to evaluate your suitability, abilities, and professional performance vis-à-vis the position to which you are applying. If you wish to be included in our pool of applicants, we will also process your data so that we can contact you at a later date.

 

Legal basis of the processing: Your data are processed in order to carry out pre-contractual measures or on the basis of our legitimate interest in carrying out an efficient application process. The processing of your data within the context of the pool of applicants is done with your consent.

 

Recipients of the data: The following service provider receives your data so that we can optimize our application process:

 

“onlyfy,” a recruiting tool from the service provider New Work SE, Am Strandkai 1, 20457 Hamburg, Germany. This company shares joint responsibility with us and may only process your data in accordance with the concluded agreement for joint responsibility.

 

Further information: We only process your data for as long as is necessary to carry out the application process or to defend any legal claims. If no employment relationship is secured between us, your data will be deleted seven months after the rejection of your application. If you wish to be included in our pool of applicants, we will save your data for 12 months or until you withdraw your consent to store this data — whichever one occurs first.

 

4.7.    Data processing in the context of the Artothek

Purpose of the processing: If you borrow a work of art from us via the “Artothek” loan service, we will process your data in order to execute this application and contract and to formally deal with the business transactions that we are responsible for in the context of a business relationship. To this end, a digital customer card will be created for you, for which we will process master data and contact information. During the borrowing period, you may receive reminder and/or warning e-mails.

 

Legal basis of the processing: Your data are processed in order to fulfill a contract or on the basis of a legal requirement in the context of a business relationship (or in order to execute this).

 

Recipients of the data: Data are not transmitted to third parties unless you have specifically given consent.

 

Further information: We only process your data for as long as is necessary to fulfill the contract or due to legal requirements (e.g., obligation to retain information for tax or company law purposes). We generally retain data for seven years.


4.8.    Data processing in the context of bookkeeping and accounting 

We process data from business relationships with clients or suppliers as part of our financial bookkeeping and accounting. This includes data related to budgeting and cost accounting.

 

Legal basis: Your data are processed to fulfill a legal obligation.

 

Recipients of the data: If the transmission of your data related to a specific situation is necessary on the basis of a legal requirement, these will be passed on to the following categories of recipients:

 

  • Renters of spaces for events
  • Banks
  • Legal representatives
  • Accountants, auditors, and tax advisors
  • Courts
  • Responsible statutory authorities
  • Contractual and business partners
  • Insurance companies

 

Further information: We only process your data for as long as is necessary to fulfill the contract or on the basis of legal requirements (e.g., obligation to retain information for tax or company law purposes). We generally retain data for seven years.

 

4.9.    Video Capture

We monitor critical areas at the museum using video technology. People about to enter such areas are told about the capture beforehand. The information is provided in the form of a sign along with a reference to the website with more detailed information. Video capture is carried out on the basis of the fulfillment of legal obligations, both in regard to the protection of the collection and the prevention and, if necessary, documentation or clarification of dangers, in particular security dangers at the various locations of the Museums of the City of Vienna for objects, persons, and/or buildings (Art. 6 para. 1 lit. c GDPR in conjunction with § 4 para. 2 of the Vienna Museums Act). Due to their public nature, the museum’s sites are exposed to an inherent risk situation.

 

The video recordings of persons present in this area are made with a date and time stamp. In the course of viewing the video recordings, first and last names, circumstances of the recordings (such as the role of the persons concerned as perpetrators, victims, witnesses), and suspected criminal offenses of filmed persons may be obtained. If necessary, data may be transmitted to the authorities, courts, or public prosecutors' offices to secure evidence in criminal law cases, for purposes of public safety, and to secure evidence in civil law cases.

 

The data is stored for the duration of the purpose. Recordings that do not contain any evidence are deleted within 72 hours. Data will only be stored for longer if it appears necessary for the assertion, exercise, or defense of legal claims.

 

 

4.10.    Data Processing in the Context of Donations

 

We are delighted that you are supporting our charitable, cultural, and scholarly goals with your donation! Donations can be made either by dropping money directly into a donation box at one of our locations or by using an online form (with the option of claiming tax deductibility from the Austrian tax authorities). 

 

The following data is processed as part of the online donation: first name, last name, e-mail address, date of birth, (residential) address, donation amount, bank account details.

 

The legal basis for data processing is Article 6(1)(b) GDPR for the purpose of processing the donation and Article 6(1)(f) GDPR and Recital 47 GDPR due to the legitimate interest of our organization in the acquisition of donations to fulfill our charitable, cultural-political and scientific goals. Our organization pursues objectives in the public interest in accordance with § 4a para. 6 EStG and §§ 34ff BAO. We process personal data voluntarily provided in input masks on the basis of your consent (Art. 6 para. 1 lit. a GDPR). This consent can be revoked in writing at any time without any formal requirements and is valid for the future (see point 5 of this Data Protection Declaration and contact under point 1). 

 

 

Recipients of the data: Data will only be transferred to third parties, such as the tax office to assert any deductibility of donations, if you have consented to this transfer or if it is necessary to fulfill the donation contract or legal obligations. We use "Fundraisingbox" forms on our website to process and handle online donations. The fundraising box is a service provided by wikando GmbH (HRB 23391) based in DE-86150 Augsburg. An order processing agreement has been concluded between wikando and our company, in which our contractual partner undertakes to comply with data protection standards. Via the fundraising box, you have the option of making donations via the payment providers PayPal or Stripe, or via EPS (via your own bank's online banking). The terms and conditions and data protection information of PayPal, Stripe or EPS apply.

 

We process your data, if available and as far as necessary for the purposes mentioned, until your objection (legitimate interest) or revocation (consent), as well as beyond that in accordance with the statutory storage and documentation obligations arising from the Federal Fiscal Code, among others.

5.    Your rights

5.1.    Right to information about the stored data in accordance with Art. 15 DSGVO

You have the right to demand information about whether we process your personal data. If this is the case, you have the right to receive information about these personal data as well as other information related to this processing.

 

5.2.    Right to correct inaccurate data in accordance with Art. 16 DSGVO

If personal data that we process about you are no longer accurate or are incomplete, you can request that these be corrected and, if applicable, completed.

 

5.3.    Right to delete data in accordance with Art. 17 DSGVO

If the legal requirements are fulfilled, you can request the deletion of your personal data.

 

5.4.    Right to the restriction of data in accordance with Art. 18 DSGVO

If the legal requirements are fulfilled, you can request to restrict the processing of data that concern you.

 

5.5.    Right to data portability in accordance with Art. 20 DSGVO

If the legal requirements are fulfilled, you can request the transfer of your data into a structured, standard, and machine-readable format.

 

5.6.    Right to object to unreasonable data processing in accordance with Art. 21 DSGVO

For reasons resulting from your specific situation, you can object at any time to the processing of data that concern you and are being processed on the basis of a legitimate interest in accordance with Art. 6 para. 1 lit. f DSGVO.

 

5.7.    Right to withdraw consent

If data are being processed on the basis of a declaration of consent, you have the option to withdraw this consent at any time without affecting the legality of the data processing that was carried out before its withdrawal.

 

5.8.    Right to complain to the data protection authorities

If you believe that the processing of your personal data violates applicable data protection laws or that your rights to data protection are being infringed in another way, you have the option of complaining to the responsible supervisory authority (Austrian Data Protection Authority). The address is as follows:

 

Österreichische Datenschutzbehörde
Barichgasse 40-42 
1030 Vienna
Telephone: +43 1 52 152-0
E-mail: dsb@dsb.gv.at

6.    Further Information

We need the data that we ask you to provide in order to process sales, supply our services within the scope of a contractual relationship, provide information that you have requested from us, or send you our newsletter or other information.

 

If you do not provide the data, we cannot supply our services.

 

There is no automated decision-making, including profiling. If we process your data for a purpose other than that for which we collected it, we will inform you of this and of the other purpose.

© 2025 Wien Museum