When using our online content, personal data is collected and stored in databases, protocol files or other systems. We consistently abide by data protection regulations when processing the data collected.
2 Name and address of the controller responsible for data processing
Processing of personal data is the responsibility of:
Museum für Naturkunde Berlin
Managing Director Herr Junker
Data protection officer of the Museum für Naturkunde:
3 Use and disclosure of personal data
The data collected by us are exclusively used for the purposes mentioned. Data is disclosed only in the cases listed (e.g. registration for a congress, named partners in collaborative projects, data administration in a consortium). There will be no unauthorised data disclosure to third parties. External service providers who process data on our behalf are not considered to be third parties as defined in the data protection regulations; they are bound by contract to abide by the data protection reguations and are subject to our control.
Data will only be passed on to state authorities within the framework of mandatory legal provisions or in cases of attacks on our systems for the purpose of criminal prosecution.
Data that are no longer needed will be deleted.
The data will not be used for automated decision-making (profiling).
4 Consent to further data use
The use of some of our services may require the storage and use of data beyond what has been described under point 5. Ir that is the case we will inform you and ask for your consent in advance.
5 The following data will be processed when using our online services:
5.1 Keeping a log of visits to websites and accessing data and web services
When the MfN’s internet services are accessed, data relevant for data protection and data security is stored in a log file. Depending on the access protocol, the log file contains the following details:
- IP address of the computer requesting data
- Host name of the IP address
- Name of the requested website, file or action
- Date and time of the request
- Volume of data transmitted
- Access status of the web server (file transmitted, file not found, command not executed, etc.)
- Description of the web browser used
- URL from which access was prompted.
The stored data is used exclusively for the purpose of identification and tracking of unauthorised access attempts or access to the web server as well as for general statistical evaluations. No profiles of individual users will be generated. Evaluation is carried out by authorised employees at the Museum für Naturkunde Berlin The logged data is stored for up to three months and all non-anonymised data is subsequently deleted. The data in the log file is stored separately from all personal data provided by individuals.
A cookie helps to optimise information and services on our website to help the user. As mentioned before, cookies allow us to recognise users of our website. The purpose of this recognition is to make the use of our website easier. For example, a user of a website using cookies need not enter their access data again each time they visit the page, as this is done by the website and the cookie stored on the user's computer system. Another example of a cookie is the basket in an online shop. The online shop remembers items that a customer put in the virtual basket by using a cookie.
5.3 Web Analytics
The Museum für Naturkunde Berlin will only use a web analytic solution on the basis of your consent in accordance with GDPR Art. 6 Section 1 letter a, Art. 7. The consent is obtained by a pop-up cookie banner (see 5.2 cookies, 5th paragraph) and can be revoked by deleting the generated “cookie agreed” cookie.
The person responsible for cookie processing (controller) has integrated in this web page the Google Analytics component (with anonymisation function). Google Analytics is a service for web analytics. Web analytics is the collection, storage and evaluation of data on the behaviour of visitors of websites. A web analytics service collects, among other things, data on the website from which the individual accessed a particular (referrer) website, which sub-pages of the website have been accessed and how long the page was viewed. Web analytics are mainly used to optimise a website and for cost-benefit analysis of web advertising.
The Google Analytics component is run by Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland.
When carrying out web analytics using Google Analytics, the data processing controller adds the suffix "_gat._anonymizeIp”. This suffix causes Google to abridge and anonymise the IP address of the data subject if access to our web pages came from a European Union memher state or another European Economic Area signatory state.
The purpose of the Google Analytics component is to analyse traffic on our website. Google uses the data and information obtained, among other things, to evaluate the use of our website so that online reports can be compiled that show activity on our websites and further services associated with the use of our website can be generated.
Google Analytics places a cookie on the information technology system of the data subject. What cookies are has been explained above. By placing the cookie, Google is enabled to analyse the use of our website. Any time any of the pages of this website are accessed that is run by the controller and into which a Google Analytics component was integrated, the web browser in the information technology system of the data subject will be automatically prompted by the Google Analytics component to transfer data to Google for online analytics purposes. In the context of this technical procedure, Google will obtain knowledge of personal data such as the IP address of the data subject, which is used by Google, among other things, to trace the origin of visitors and clicks and subsequently to enable commission settlements.
The cookie is used to store personal data, such as time and place of access and the frequency of visits to our website by the data subject. During each visit of our web pages, such personal data, including the IP address of the Internet connection used by the data subject, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may pass this personal data obtained through technical processes to third parties.
5.4 Social Plug-Ins
Our website uses plug-ins from social networks such as Twitter, Facebook of Flickr. Some of these are run by countries outside the EU. Further details on these services can be found on their websites. The plug-ins carry the logo of the network or service in question.
If you do not want social networks to collect data about you, you must log out of the relevant networks before visiting our website.
For registration with various services that we offer we need a few details from you. These are used exclusively for the purpose stated. In some cases this may mean targeted transmission of data, e.g. hotel reservations for events. The data is not transmitted beyond the specific, stated purpose. The data will only be stored until the final processing of the instance and observing the statutory retention period. The form you fill in is transmitted over the Internet in encrypted form only, which means that unauthorised individuals may become aware of the content. Registration is voluntary and can be revoked at any time.
For some registrations, e.g. circular letters/newsletters, an email address must be provided. It is possible that registration becomes valid only upon confirmation of the address, e.g. if you click on a link in an email that we sent to you. Further details are optional and may, for instance, be used to address you more personally. Circular letters/newsletters can be cancelled at any time. Upon cancellation, your data will be deleted from our system.
In some cases (e.g. electronic journals, wikis or blogs), the purpose of data collection is publication or permanent storage of generated content. Insofar as these contents are subject to copyright, we are under obligation to clarify issues of copyright and uphold the personal rights of an author and must therefore retain and store a minimal dataset (name and contact such as postal or email address) even after unsubscription. If those data were not publicly visible from the outset they will remain protected. They will, however, continue to be viewed by editors of the publication platform (electronic journals, wikis, and blogs).
When making a booking through our website you have the choice whether the address data will be used solely for making the booking and deleted after the statutory detention period or whether the booking is combined with registration.
If you want to communicate with us via email, please use our email address email@example.com or, if you already have a contact, <NAME>@mfn.berlin. Your email address will be used exclusively for our communications with you and not passed on to third parties, except if passing on your email address is absolutely necessary to comply with your request. In such cases, your e-mail address will only be passed on with your express consent. There is currently no encrypted email system in place. To retain confidentiality, you can also contact us by post.
The following notes are about our newsletter, its content and procedures regarding registration, distribution and statistical evaluation. They also explain your right to appeal. By subscribing to our newsletter, you agree to receive it and to the procedures described.
5.8.1 Content of the newsletter
We send out newsletters, emails and other electronic notifications containing advertising material (called newsletter hereafter) only upon express consent of the recipient or a legally valid permission. If registration for the newsletter involves a concrete description of its content, then this description is the basis on which the user agrees to receive the newsletter. In addition, the newsletter contains information about the public events schedule of the Museum für Naturkunde, publications from scientific research and public relations at the Museum für Naturkunde, as well as quizzes, raffles and links to content on our website, and, occasionally, on websites of partner organisations.
5.8.2 Double-opt-in and registration recording
Registration for our newsletter follows a double opt-in procedure. This means that upon registration, you will receive an email requesting confirmation of your subscription. The confirmation is required to ensure that no one else can subscribe using your email address.
A record of subscriptions to the newsletter is kept to fulfil the legal requirements for recording the subscription process. The record contains the time of subscription and confirmation as well as the relevant IP address. Any changes of data registered with MailChimp will also be recorded.
5.8.3 Use of the MailChimp service provider
The newsletter is sent via „MailChimp“, a newsletter distribution platform by US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.
The email addresses of our newsletter recipients as well as further data that will be described in these notes will be stored on MailChimp servers in the USA. MailChimp uses this information for distributing and evaluating the newsletter on our behalf. According to information published by MailChimp, the data will be used for optimising their own services, such as technical optimisation of the distribution process or the layout of the newsletter, as well as for commercial use by determining the recipients‘ countries of residence. However, MailChimp does not use the data of our newsletter subscribers to contact them directly and does not pass them on to third parties.
We trust the reliability and the IT and data security of MailChimp. MailChimp has been certified in line with the Privacy Shield agreement between the US and EU and is thus unter obligation to comply with the EU data protection specifications. Furthermore, we entered into a Data Processing Addendum with MailChimp – an agreement by which MailChimp is obliged to protect the data of our users and process their data on our behalf according to its own data protection regulations laid out in the agreement, which means in particular, not to pass on data to third parties. MailChimp’s data regulations can be viewed here.
5.8.4 Registration data
In order to subscribe to the newsletter, it is sufficient to enter your email address. Please enter also your first name and surname.
These are only needed to personalise your newsletter. We only need your postal address if you have opted for receiving additional information from us by post. Details about your membership in the Förderverein, sponsorship of a collection specimen or seasonal ticket subscription are for internal information only to avoid double-posting.
5.8.5 Statistical data collection and analysis
Our newsletters contain what is known as a web beacon or open tracker, a tiny invisible graphic in the bottom of your HTML email. It is downloaded from Mailchimp’s server when the newsletter is opened. During the download, technical information about your browser and operating system as well as your IP address and the time of the download/opening of the newsletter are collected. These are used for technical improvement of the service, as technical data or target group data can be analysed according to their reading behaviour, their download locations (identifiable through IP addresses) or download times.
Statistical data collection also includes an analysis of when the newsletters are opened, and which links are clicked upon. For technical reasons, this information can be linked to individual newsletter users. However, neither we nor MailChimp have an interest in tracking individual users. We use the evaluation of data to recognise patterns in the reading behaviour of users and adapt contents accordingly or vary the content sent out according to the interests of individual users.
5.8.6 Online access and data management
You can unsubscribe from our newsletter, i.e. withdraw your consent, at any time. This means that you cancel your consent to receiving the newsletter via MailChimp, and to statistical analytics at the same time. Separate cancellation of the newsletter sent out by MailChimp or of statistical evaluation is not possible.
The unsubscribe link is found at the bottom of each newsletter.
5.8.8 Legal basis – General Data Protection Regulation
In line with the General Data Protection Regulation (GDPR), which came into force on May 25th 2018, we notify you that your consent to our passing on your email addresses is based on GDPR Art. 6 section 1 letter a, 7 and the Act Against Unfair Competition (UWG) § 7 section. 2 No. 3, and/or section 3. The use of the MailChimp service provider for sending out our newsletter, including data collection and analysis and subscription recording, is based on our legitimate interest, as defined in GDPR Art. 6 section 1 letter f. It is in our interest to have a user-friendly, secure newsletter distribution system that will promote our business interests as well as fulfil user expectations.
We would also like to point out that you now have the right to object to the future processing of your person-related data within the legal requirements of GDPR Art.21 at any time. This applies in particular to data processing for direct advertising.
This newsletter notification was based on a template by Rechtsanwalt Dr. Thomas Schwenke.
5.9 Applications and application procedures
Interested users can access jobs and careers to apply for a job at the Museum für Naturkunde Berlin. Within the context of the application process, additional personal data is processed. Further information on the extent and type of processing can be viewed here.
5.10 Information on Google services
On our website, we use various services probide by Google Ireland Limited („Google“), Gordon House, Barrow Street, Dublin 4, Ireland.
Further information on individual services by Google that are used on this website are found in another data protection note.
Through the integration of Google services, Google may collect and process data (including personal data). It cannot be ruled out that Google may transmit information to a server in a third country.
According to Google’s Privacy Shield Certification (read at privacyshield.gov and search for Google), Google is committed to complying with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework regarding the collection, use and storage of personal data from EU Member States and Switzerland. Google, including Google LLC and its wholly owned subsidiaries in the United States, has declared by certification that it complies with the Privacy Shield Principles. Further information on this can be found here under Google.
We have no influence on what data Google will actually collect and process. However, Google says that in principle, the following information (including personal data) may be processed:
- Log data (in particular the IP address)
- Location-related information
- Unique application numbers
- Cookies and similar technologies
If you are logged into your Google account, Google can add processed information, dependant on your account setting and treat those as personal data, cf in particular these explanations by Google.
Google includes the following statements:
“We may combine personal information from one service with information and personal information from other Google services. We thereby simplify sharing of contents with friends and acquaintances. Depending on your account settings, your activities on other websites and in apps may be connected to your personal data in order to improve Google services or pop-up advertising supported by Google.” (source at Google)
To prevent the addition of these data, you can log out of your Google account or change the relevant settings in your Google account.
5.10.1 Using YouTube
We use YouTube videos and YouTube plug-ins on our website. YouTube is a service of YouTube LLC („YouTube“), 901 Cherry Ave., San Bruno, CA 94066, USA and is provided by this company. Youtube LLC is a subsidiary of Google Ireland Limited (“Google“), Gordon House, Barrow Street, Dublin 4, Ireland.
YouTube videos are integrated by embedding the service on our website using iframe tags. Introducing the iframe may allow Youtube or Google to collect and process data (including personal data). It cannot be ruled out that Youtube or Google may transmit information to a server in a third country.
Through the integration of YouTube, we are able to present various videos on our website that can be viewed directly on the website.
The legal basis for the processing of personal data described above is GDPR Art. 6 section 1 letter f). Our legitimate interest that is relevant here lies in the great benefit that YouTube offers. By embedding external videos we lighten the burden on our servers and can use our resources for other purposes. This may add to the stability of our servers. Beyond that, YouTube and Google have a legitimate interest in the collected (personal) data to improve their own services.
Making personal data available is neither a legal nor a contractual obligation and not required for concluding a contract. Furthermore, you are under no obligation to make your personal data available. However, not making the data available might mean that you cannot use our website or use its full functionality.
5.10.2 Using Google Maps
On our website, we occasionally use maps by the Google Maps service offered by Google. Google Maps is a service provided by Google Ireland Limited (“Google“), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Maps are integrated by embedding the service on our website using iframe tags. Introducing the iframe may allow Google to collect and process data (including personal data). It cannot be ruled out that Google may transmit information to a server in a third country.
5.11 Using Webfonts by Monotype
To achieve a uniform font layout, Web Fonts licencsed by Monotype GmbH (fonts.com or fast.fonts.net). When accessing a page, your browser loads the required Web Fonts to reproduce texts in the correct font.
The Web Fonts are retrieved by the web server of the Museum für Naturkunde Berlin. Due to the license agreement with Monotype GmbH, however, each time the website is accessed, a counting pixel of the provider is collected.
For this purpose, the counting pixel establishes a connection between your browser and the servers of fonts.com. Thus, fonts.com is alerted to the fact that your IP address accessed our website. The use of Web Fonts is based on our legitimate interest, as defined in GDPR Art. 6 Section 1 letter f.
6. Links to other service providers
7. Data security
Your personal data is stored on protected computers. In order to protect the data collected by us from loss, manipulation or access by unauthorised individuals, the Museum für Naturkunde Berlin has put technical and organisational state-of-the-art technology measures in place. Access to data is subject to an authorisation procedure so that only the individuals in charge of data processing have access to it. All employees who collect, process or use personal data are bound by data secrecy according to §8 of the Berlin Privacy Act.
Within the context of various activities, personal data of individuals concerned is processed within the scope of contract processing in accordance with GDPR Art. 28.
- Google Ireland Limited (“Google“): 5.3 Web Analytics, 5.10.1 YouTube, 5.10.2 Google Maps
- Rocket Science Group, LLC (“Mailchimp”): 5.8 Newsletter
8 Rights of data subjects
a) Right to confirmation
Every data subject has the right granted by the European legislator of Directives and Regulations to receive confirmation from the controller whether their personal data has beem processed. If a data subject wants to exercise their right to confirmation, they can contact a controller employee at any time.
b) Right to information
Every person whose data is being processed has the right granted by the European legislator of Directives and Regulations to receive free information on personal data relating to the data subject and a copy of this information. In addition, the European legislator of Directives and Regulations has granted the data subject access to the following information:
- the purpose of data processing
- the categories of personal data being processed
- the recipients or categories of recipients to whom access to personal data is given or will be given, in particular regarding recipients in third countries or international organisations
- if possible, the planned duration of storage for personal data, or, if that is not possible, the criteria according to which the storage period is established.
- the existence of a right to correction or deletion of personal data of the data subject or to restriction of processing by the controller or the right to objection against data processing.
- the existence of a right to complain to a control body
- if personal data is not collected from the data subject: All available information about the origin of the data
- the existence of automated decision making, including profiling, in accordance with Article 22 (1) and (4) of the DPA and, at least in these cases, meaningful information about the logic involved and the scope and intended impact of such processing on the data subject
Furthermore, the data subject has a right to information on whether personal data has been transmitted to a third country or an international organisation. If this is the case the data subject has the right to receive information about guarantees in the context of the transmission.
c) Right to correction
Every person whose data is being processed has the right granted by the European legislator of Directives and Regulations to demand immediate correction of their personal data. Furthermore, taking into account the purpose of data processing, the data subject has the right to demand the completion of incomplete personal data - which may take the shape of a complementary declaration.
If a data subject wants to exercise their right to correction, they can contact an employee of the data processing controller at any time.
d) Right to deletion (right to be forgotten)
Every person whose data is being processed has the right granted by the European legislator of Directives and Regulations to demand immediate deletion of their personal data if one of the following reasons applies and processing is not required.
- The personal data were collected for purposes no longer required or in a way that is no longer necessary.
- The data subject revokes their consent on which the processing is based according to GDPR Art.6 Section 1 letter a or GDPR Art. 9 Section 2 letter a, and there is no other legal base for processing the data.
- The data subject objects to data processing on the grounds of GDPR Art. 21 Section 1 and their are no overruling legitimate reasons for data processing, or the data subject formally objects to data processing based on GDPR Art. 21 Section 2.
- The processing of personal data was illegitimate.
- The deletion of personal data is required to fulfil statutory obligations based on (European) Union legislation or legislation in a Member State that applies to the controller.
- The personal data were collected in relation to the offer of information society services according GDPR Art. 8 Section 1.
If one of the reasons above applies and a data subject wants to have the personal data deleted that are stored at the Museum für Naturkunde Berlin, they can contact controller at any time (see 2). The controller will then ensure that the demand for deletion is complied with without delay.
If the personal data has been made public by the Museum für Naturkunde Berlin and if the organisation is responsible as defined in GDPR Art. 17 Section 1 and is therefore under obligation to delete the personal data, the Museum für Naturkunde Berlin will take appropriate steps, including technical measures, taking into account the available technology and implementation costs, to inform other controllers that the data subject has demanded the deletion of all links to personal data or to copies and replicas of such data, as far as processing is not required.
e) Right to restricting processing
Every person whose data is being processed has the right granted by the European legislator of Directives and Regulations to demand restrictions on processing their personal data if one of the following prerequisites is met:
- The accuracy of personal data is disputed by the data subject who leaves enough time to enable the controller to check the accuracy of the personal data.
- The data processing is illegitimate, the data subject objects to the deletion of personal data and demands instead the restriction of the use of personal data.
- The controller no longer requires the personal data for processing, whereas the data subject still requires them to make, exercise and defend legal claims.
- The data subject has objected to data processing, pursuant to GDPR Art. 21 Section 1 and it is not yet certain if the legitimate reasons of the controller outweigh those of the data subject.
If one of the prerequisites above applies and a data subject wants to have the processing of personal data at the Museum für Naturkunde Berlin restricted, they can contact the controller at any time (see 2).
f) Right to data transfer
Every person whose data is being processed has the right granted by the European legislator of Directives and Regulations to receive their personal data, which have been made available to a controller by the data subject, in a structured, common and machine-readable format. They have also the right to pass on the data to a different controller without interference by the current controller to whom the personal data had been made available if the processing was based on consent according to GDPR Art. 6 Section 1 letter a or Art. 9 Section 2 letter a of on a contract pursuant to Art. 6 Section 1 letter b and the processing is done automatically, if the processing is not required for taking on a task in the public interest or exerting public executive power that was handed over to the controller.
Furthermore, the data subject, who exercises their right to data transfer pursuant to GDPR Art. 20 Section 1, must ensure that the personal data is sent directly from one controller to the other if that is technically feasible and the rights and freedoms of other individuals are not infringed upon.
To exercise their right to data transfer, the data subject can contact the controller at any time (see 2.).
g) Right to object
Every person whose personal data is being processed has the right granted by the European legislator of Directives and Regulations to object at any time to the processing personal data pursuant to GDPR Art. 6 Section 1 letter e or f, for reasons relating to their particular situation. This also applies to profiling based on these regulations.
In the case of an objection, the Museum für Naturkunde Berlin no longer processes personal data unless we can argue convincingly that there are compelling reasons worth protecting that outweigh the rights and freedoms of the data subject or that the processed data are needed to make, exercise and defend legal claims.
If the Museum für Naturkunde Berlin processes personal data for direct advertising, the data subject has the right to object at any time to the processing of personal data for such advertising. This applies also to profiling if associated with such direct advertising. If the data subject objects to the Museum für Naturkunde Berlin using the processed data for direct advertising, the Museum für Naturkunde Berlin will no longer process personal data for such purposes.
In addition, the data subject has the right to object to the processing of personal data for reasons arising from their particular situation if the data is processed by the Museum für Naturkunde Berlin for scientific or historic research purposes or for statistics pursuant to GDPR Art. 89 Section 1 unless the processing is required to fulfil a task in the public interest.
To exercise their right to data transfer, the data subject can directly contact the controller at any time (see 2.). Furthermore, the data subject is free to exercise their right to objection in connection with the use of services of the information society with the help of automated procedures according to technical specifications, notwithstanding Regulation 2002/58/EC.
h) Automated decisions in individual cases including profiling
Every person affected by the processing of personal data has the right granted by the European legislator of Directives and Regulations not to be subject to decisions based on entirely automated processing - including profiling if that decision has legal consequences or may infringe their life in a similar way, as long as the decision (1) is not required to finalise a contract between the data subject and the controller or (2) due to legal provisions in the Union or its Member States to which the controller is subject, this is permissible and these provisions contain adequate measures to protect the rights and freedoms as well as legitimate interests of the data subject or (3) is taken with the express consent of the data subject.
If the decision (1) is required for finalising or fulfilling a contract between the data subject and the controller or (2) is taken with the express consent of the data subject, the Museum für Naturkunde Berlin takes suitable measures to protect the rights and freedoms as well as legitimate interests of the data subject, which includes at least the right to obtain manual intervention by the controller’s party, to clarify their own position and to challenge the decision.
To exercise their right relating to automated decision, the data subject can contact the controller at any time (see 2.).
i) Right to withdraw consent under data protection law
Every person whose data is being processed has the right granted by the European legislator of Directives and Regulations to withdraw their consent to the processing of their personal data at any time.
To exercise their right relating to withdraw their consent, the data subject can contact the controller at any time (see 2.).