We use cookies to enhance site navigation, analyze site usage, and for our marketing efforts. By accepting, you consent to our Privacy Policy You may change your settings at any time by clicking "Cookie Consent" at the bottom of every page.

Options
Essential

These technologies are required to activate the essential functions of our range of services.

Analytics

These cookies collect information about the use of the website so that its content and functionality can be improved in order to increase the attractiveness of the website. These cookies may be set by third party providers whose services our website uses. These cookies are only set and used with your express prior consent.

Marketing

These cookies are set by our advertising partners on our website and can be used to create a profile of your interests and show you relevant advertising on other websites (across websites).

Privacy Policy

I. Preamble

II. Data Controller / Data Protection Officer / Supervisory Authority

III. Definitions

IV. General Principles / Information

V. Data processing for the provision of our websites / online platforms

VI.Data processing for the purpose of newsletter / advertising / marketing / press work

VII.Possible recipients of data / persons authorised to access data

VIII.Data processing outside the EEA

IX.Obligation to provide personal data (so-called mandatory data)

X.Processing of data for the enforcement of claims / fulfilment of legal obligations

XI.Rights of the data subject

XII.Alterations of the Data Protection Declaration, Language Versions.

XIII. Cookies we use

I. Preamble

With the following Privacy Notice we, Fotografiska Berlin GmbH, (in the following: Fotografiska) like to inform you comprehensively and in detail how we protect your privacy and how personal data is processed in the context of the use of our websites and/or online platforms. If the following information is not sufficient or not comprehensible, please do not hesitate to contact us under the contact details published in Section ‎II.

II. Data Controller / Date Protection Officer / Supervisory Authority

Data Controller

Fotografiska Berlin GmbH

Chausseestrasse 131B

10115 Berlin

Germany

Tel: +49 30 400698208

E-Mail: info.berlin@fotografiska.com

https://berlin.fotografiska.com/

Data Protection Officer

There is currently no obligation to appoint a data protection officer.

Supervisory Authority

Berliner Beauftragte für Datenschutz und Informationsfreiheit

Friedrichstrasse 219

10969 Berlin

Germany

Tel:+49 30 13889-0

Fax:+49 30 2155050

E-Mail: mailbox@datenschutz-berlin.de

www.datenschutz-berlin.de

III. Definitions

The definitions and terms used within this Privacy Notice are governed by the Regulation (EU) 679/2016 on the protection of natural persons with regard to processing of personal data, free movement of such data and the repealing of Directive 95/46/EC (hereinafter "General Data Protection Regulation" or "GDPR") as well as by the Federal Data Protection Act (“BDSG”).

IV. General Principles / Information

1. General handling of personal data

We collect and process personal data of our customers or users for the purpose of providing our web or online services (including mobile apps) if this is necessary for the provision of the aforementioned services and/or offers, or if the collection and/or processing of personal data for other purposes is permitted by another legal basis.

2. Legal basis

For any processing of personal data based on the data subject's consent, Art. 6 (1) lit. a GDPR is the legal basis for the processing.

In cases where data is processed for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b GDPR is the legal basis; this also applies to processing necessary for the implementation of pre-contractual measures.

If personal data is processed to comply with a legal obligation to which we are subject, Art. 6 (1) lit. c GDPR is the legal basis. If processing of personal data is necessary in order to protect vital interests of the data subject or any other natural person, Art. 6 (1) lit. d GDPR is the legal basis.

If processing takes place to protect a legitimate interest of our company or a third party, provided that the data subject's interests or fundamental rights and freedoms do not outweigh this interest, Art. 6 (1) lit. f GDPR is the legal basis of the processing.

If processing of personal data takes place in the context of a so-called change of purpose, i.e. data is processed for other purposes than for the purposes for which it has been collected in the first place, Art. 6 (4) GDPR is the legal basis.

In cases where special categories of personal data within the meaning of Art. 9 GDPR are processed, the express consent of the data subject pursuant to Art. 9 (2) lit. a GDPR in conjunction with Art. 6 (1) lit. a GDPR and/or a permission pursuant to Art. 9 (2) lit. b-j GDPR is the legal basis for the processing.

3. Enforcement of claims / legal compliance

We reserve the right to process personal data for enforcing claims within the scope of our legitimate interests pursuant to Art. 6 (1) lit. f GDPR; this includes, in particular, a transfer of data to a General Credit Protection Agency (e.g. “Schufa”), authorities and/or courts. In addition, personal data might be processed and/or transferred in the fulfilling of legal or regulatory obligations (e.g. disclosure to authorities etc.); in this case, Art. 6 (1) lit. c GDPR is the legal basis.

4. Obtaining consent / right to revoke

Consent declarations in the meaning of Art. 6 (1) lit. a GDPR will be obtained in writing, in text form or electronically. If a consent shall be obtained electronically, it will be granted by ticking a opt-in-check box; the granting of the consent will be documented electronically. In the case of electronic consent, the so-called double opt-in procedure may be used to identify the user, as far as legally required.

Right to revoke: Please note that consent once given may be - in whole or in part - revoked at any time with effect for the future. The lawfulness of the processing that has taken place until such revocation shall remain unaffected. If you wish to revoke your consent, please use the contact details provided in Section II (data controller).

5. Possible recipients of personal data

We use contracted service providers for individual functions of our website and our offered services. We have carefully selected our service providers in advance. Those service providers will provide their services on our behalf and in accordance with our instructions. They may receive or may have access to personal data when providing their services and shall constitute third parties or recipients within the meaning of GDPR.

If service providers are acting as processor within the meaning of Art. 28 GDPR, we ensure that our service providers have taken adequate security measures, that suitable technical and organizational measures are in place and that any processing complies with the requirements of the GDPR and guarantees the safeguarding of the data subject's rights.

If personal data is transferred to third parties and/or recipients outside of a data processing in the meaning of Art. 28 GDPR, we ensure that this transfer complies with the requirements of GDPR and will be conducted only if a corresponding legal basis exists and allows the respective processing.

Booking and booking inquiries

If booking enquiries or bookings are made via our website by the users / data subjects themselves, this is done using the service / form of the service provider Tripleseat Software, LLC (this use by the user / data subject is voluntary).

Any data transfer in relation to the booking does not take place within the framework of an instruction-dependent data processing in the meaning of Art. 28 GDPR and/or a joint controllership in the meaning of Art. 26 GDPR. This means that Tripleseat acts as an independent data controller and is therefore responsible for its own data processing in accordance with the data protection laws applicable to it (cf. Art. 4 No. 7 GDPR, so-named controller-to-controller relationship).

In order to provide our services (including our web and/or online platforms), we may use third-party service providers (subcontractors), who will, when providing their services, operate on our behalf and in accordance with our instructions. These service providers may receive or may have access to personal data when providing their services and shall constitute third parties or recipients within the meaning of GDPR.

In such cases, we ensure that our service providers have taken adequate security measures, that suitable technical and organizational measures are in place and that any processing complies with the requirements of the GDPR and guarantees the safeguarding of the data subject's rights (see Art. 28 GDPR).

If personal data is transferred to third parties and/or recipients outside of a data processing in the meaning of Art. 28 GDPR, we ensure that this transfer complies with the requirements of GDPR and will be conducted only if a corresponding legal basis exists (e.g. Art. 6 (4) GDPR; see also Section ‎IV.‎2).

6. Processing of personal data in so-called third countries

The processing of your personal data will generally take place within the EU or the European Economic Area ("EEA").

Only in few exceptional cases (e.g. in connection with the calling-in of service providers for rendering web analysis services) may information be transferred to and/or processed to/in so-called "third countries". "Third countries" are countries outside of the European Union and/or the Agreement on the European Economic Area, which do not automatically safeguard an adequate level of data protection as required by the EU.

If the transferred information includes personal data, we ensure, prior to such transfer, that an adequate level of data protection is safeguarded in the respective third country or at the respective recipient in the third country. This may be ensured by a so-called "adequacy decision" of the European Commission, by using the so-called "EU Standard Contractual Clauses" or other measures subject to Art. 44 GDPR (e.g. Art. 49 GDPR).

7. Data deletion and storage periods in “Third countries”

Personal data of data subjects will be deleted as soon as they are no longer required for the respective purpose of processing. Instead of deletion, data may, if necessary, be stored with restrictions on processing if provided for by European or national legislators in EU ordinances, laws or other regulations to which our company is subject, in particular e.g.

  • in order to meet statutory storage obligations (e.g. the General Fiscal Law (“Abgabenordnung - AO”) or the German Commercial Code (“Handelsgesetzbuch – HGB”), currently 6 to 10 years) and/or
  • if a legitimate interest in the storage of data exists (e.g. for the purpose of legal defense within the scope of the statute of limitations (Art. 195 ff. German Civil Code ("BGB"), currently 3 up to 30 years).

In this case, Art. 6 (1) lit. c respectively lit. f GDPR are the legal basis. Data shall be deleted at the latest when the storage period specified by the principles stated below expires, unless further storing of the data is necessary for the conclusion of a contract or for other purposes (e.g. legitimate interests according to Art. 6 (1) lit. f GDPR).

8. Rights of the data subject

The GDPR grants certain rights to the data subjects, i.e. persons affected by the data processing (so-called data subjects rights, in particular Art. 12 to 22 GDPR). The individual rights of the data subjects are specified in Section ‎XI. If you wish to exercise one or more of these rights, you may contact us at any time. For that purpose, please use the contact details provided above in Section ‎II.

V. Data processing for the provision of our websites / online platforms

In the context of the provision of our websites and/or online platforms, we process personal data as follows:

1. Data processing for the provision of our website/collection of log files

When a user visits our website, our system automatically processes data and information from the accessing device/computer system in an automated manner. The following data is processed (hereinafter "Log Data"):

  • information on the type of browser and the version used
  • the user's operating system
  • the user's Internet service provider
  • the user's IP address
  • date and time of access,
  • websites from which the user's system accesses our website,
  • websites accessed by the user's system via our website
  • the user's movements on our website (e.g. click rates, duration of use); the so-called log data do not allow a personal reference to the user

1.1 Purpose and legal basis

The collection and processing of Log Data (in particular the IP address) take place for the purpose of making available to the user the content on our website, i.e. for the purpose of communication between the user and our web- or online platform. The IP address is temporarily stored for the duration of the respective communication process. This is necessary for addressing the communication between the user and our web and/or online platform and/or for using our web and/or online platform. Art. 6 (1) lit. b GDPR and/or Section 9 TTDSG - for the duration of your website visit – are the legal basis for such data processing.

Any processing and storage of the IP address in log files beyond the communication process take place for the purpose of ensuring the functionality of our web and online platforms, optimizing these platforms and ensuring the security of our IT systems. Art. 6 (1) lit. f GDPR (protection of legitimate interests) and/or Section 169 TKG are the legal basis for any storage of the IP address for these purposes beyond the communication process.

1.2 Data deletion and storage period

We will delete data as soon as they are no longer necessary for attaining the purpose for which we processed it. In case of data collection for providing the website, the data will be deleted when the respective session - the website visit - has ended. Any further storage of Log Data, including the IP address, for the purpose of system security shall take place for a period of no more than seven days after the user's access to the website has ended. Following the expiration of the aforementioned seven-day storage period, further processing and/or storage of Log Data will be possible and permissible if the users' IP addresses are deleted or masked to such an extent that it is no longer possible to allocate the Log Data to an IP address. This applies except for further processing of data in the cases listed below (e.g. cookies etc.)

1.3 Possibility of objection and removal

The processing of Log Data for the provision of the website, including the storage of Log Data in log files within the aforementioned limits, is essential for the operation of our website. Therefore, the user has no possibility to object to it. This shall not apply to the processing of Log Data for analysis purposes, c.f. Section V.‎3 (depending upon the respective analysis tool used and the type of data analysis (personal / anonymous / pseudonymous)).

2. Use of cookies

Our website uses cookies. Cookies are text files stored in or by the Internet browser on the user's computer system. Cookies do not contain programs and cannot place any malcode on your computer. When a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the system to identify the browser when the user visits the website again. Depending on the respective type of cookie and the possibility of allocating a cookie to an IP address, it is, however, possible that the user will be personally identifiable. We do not carry out such allocation, and/or anonymize the IP address immediately in order to exclude such allocation (see Section V.3 for further details).

For cookies which make a personal identification possible, we obtain your consent for such utilisation via a so-called cookie banner (see section V.2.3 below). Further information concerning cookies can be found in the cookie notices accessible via our cookie banner or the tab, “Cookie Settings.”

We differentiate between two types of cookies: (i) technically necessary or essential cookies and (ii) cookies which require the consent of the users:

(i) We use technically necessary or essential cookies to make our web and/or online offerings more user-friendly. The following data are stored in our technically necessary cookies and transferred to our systems:

  • adoption of language settings
  • memorising of search terms
  • data on the end device / PC and its settings
  • articles in an online shopping cart
  • log-in data

(ii) “Cookies which require consent,” including so-called “functional cookies”, contain all cookies for whose installation or utilisation prior granting of consent by the user is required. Such cookies can include comfort, performance, statistical/analytic and/or advertising or marketing cookies:

  • Functional or comfort cookies enable us to improve the comfort and user-friendliness of our websites and to provide a range of different functions. E.g.: Comfort cookies can be used to store search results, language, layout and/or display settings.
  • Performance cookies collect data on how you use our websites. For example, performance cookies help us to identify especially popular parts of our websites. This enables us to adjust the content of our websites to your needs and thus to improve our offers for you.
  • We utilisestatistical or analytic cookies to analyse user interaction with our web and/or online offers for the purpose of advertisement, market research or optimisation of our offerings. Further information can be found on our cookie banners.
  • We utilise cookies for marketing purposes in order to send you relevant advertisement and promotional information, e.g., based on the websites you have visited. Advertisement cookies are, as a rule, not from our web servers, but from third-party providers. This includes for example the integration of the ‘like’ button. When it is clicked on, Facebook leaves its ‘own’ cookie on the relevant browser. The cookies of third-party providers can never be sought and/or analysed by us. The third-party providers, who set the respective Cookies based on your consent, are solely responsible for the use of such cookies; we have no possibility or influence to/on its usage and/or the processing of data based on such cookies. You can prevent the placing of third party providers' cookies by taking the measures described in Section V.‎2.3.If you do not allow these cookies, you will experience less personalised advertisement.

2.1 Purpose and legal basis

The purpose of using technically necessary or Essential Cookies is to simplify website usage. They are essential for certain website features, which require the recognition of the browser even after a website change. We use Essential Cookies for the following purposes:

  • adopting language settings,
  • search terms used,
  • data on the end device / PC and its settings
  • articles in an online shopping cart
  • log-in information.

The user data collected by Essential Cookies is not used for creating profiles. The legal basis for the use of Essential Cookies is § 25 (2) TTDSG and its respective data processing is Art. 6 (1) lit. b GDPR, as far as there is the possibility to establish a personal link to the user and the use is necessary for the purpose of providing our web and/or online services in the interest of a contract fulfilment. Otherwise, Art. 6 (1) lit. f GDPR is the legal basis since the use is also made to safeguard legitimate interests for the purpose of providing web and/or online services.

Cookies which require consent are used to improve the quality of our website, its content and/or its usability. Because of such cookies, we learn more about the usage of the website, which enables us to optimize our websites continually (see above). With Performance and/or statistical/analytic Cookieswe collect data on how our website is used. This enables us to improve the content and the user-friendliness of our website, e.g. through personalization. Cookies for Marketing Purposes are used to send you relevant advertisement and other similar promotional information. The above-mentioned cookies can be placed either by ourselves or third-party providers whose services we use on our websites. The third-party service providers are exclusively responsible for these cookies, we do not have any influence on their use; the use including the purposes and legal bases of the data processing are stated in the third-party’s data privacy terms. For further information please refer to our Cookie notice.

Cookies which require consent will only be placed if the user has given his/her consent for the use of such cookies (Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TTDSG) including a consent to a data processing outside the EEA pursuant to Art. 49 (1) lit. a GDPR. Further information about cookies can be found in our cookie notices, accessible via our cookie banners or cookie policy tab.

2.2 Data deletion and storage period

Cookies are stored on the respective device of the user (smart device / PC) and will be transmitted from there to our websites. We differentiate between so-called permanent cookies and session cookies. Session cookies are stored during the duration of a browser session and will be deleted when the browser is closed. Permanent cookies will not be deleted when the respective browser session ends but are stored on the user's device for a longer period.

2.3 Possibility of objection and removal

When visiting our websites, users are, by means of an info banner, informed about the use of cookies and simultaneously referred to this Data Protection Information. The user's consent to the processing of his/her personal data will be obtained via the banner, including the consent to a data processing outside the EEA in accordance with Art. 49 (1) lit. a GDPR.

As user, you have full control over the usage and storage of cookies. By changing the settings in your Internet browser, you can generally deactivate or restrict the transfer of cookies. You can delete already stored cookies at any time. This can also take place in an automated manner. If you deactivate cookies for our website, it is possible that not all functions of the website can be used to their full extent. For further information on the use of cookies please refer to meine-cookies.org/ or youronlinechoices.com.

You may object to the use of cookies which require a consent at any time with effect for the future (except for Essential Cookies); you may exercise your opt-out right via the info banner or via the aforementioned browsers' setting options.

3. Web analysis/use of analysis tools

In order to optimize our websites and adapt to the changing habits and technical requirements of our users, we use tools for so-called web analysis, which use cookies (see above). We measure e.g. which elements the users visit, whether the information searched for is easy to find, etc. This information is only interpretable and meaningful at all, if a relatively large group of users is analysed. For this purpose, the data collected is aggregated, i.e. combined into relatively large units.

Such analyses enables us to adapt the design of our websites or optimise content in cases where, for example, we discover that a significant number of visitors uses new technologies or fails to find, or has difficulty finding, an existing piece of information.

On our web and online platforms, we carry out the following analyses and use the following web analysis tools:

3.1 Analysis of Log Data

The use of Log Data for analysis purposes takes place exclusively on an anonymous basis; there is neither a link between Log Data and personal data of the user, nor between Log Data and an IP address or a cookie. Therefore, such analysis of Log Data is not subject to the provisions of the GDPR under data protection law.

3.2 Matomo

As far as we use the web analysis tool "Matomo" (formerly PIWIK) to analyze website usage, the following applies: With Matomo, the usage information generated by the cookie is trans-ferred to our server in Europe and stored for usage analysis purposes. The information generated by the cookie about your use of our website is not passed on to third parties.

If you do not wish the use of cookies and/or an analysis by Matomo, you have the follow-ing options: You can prevent the collection by Matomo by setting an opt-out cookie with your objection to the use of web analysis tools via the banner or via the aforementioned setting options of your browser, which pre-vents the future collection of your data by Matomo when you visit this website (however, you may not be able to use all functions of this website to their full extent in this case). If you have logged in to our website or app with your customer data, this objection will be permanently saved.

Please note: If you delete your cookies, the opt-out cookie will also be deleted and may have to be reactivated by you.

3.3 Google Ads

We use the Google Ads Conversion service to draw attention to our attractive offers with the help of advertising material (so-called Google Ads) on external websites. We can determine how successful the individual advertising measures are in relation to the advertising campaign data. We are interested in showing you advertising that is of interest to you, making our website more interesting for you and achieving a fair calculation of advertising costs.

These advertising materials are delivered by Google via so-called "ad servers". For this purpose, we use ad server cookies, through which certain parameters for measuring success, such as the display of ads or clicks by users, can be measured. If you access our website via a Google ad, Google Ads will store a cookie on your device. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that a user no longer wishes to be addressed) are usually stored as analysis values for this cookie.

These cookies enable Google to recognize your internet browser. If a user visits certain pages of the website of Ads customers and the cookie stored on their computer has not yet expired, Google and the customers can recognize that a user has clicked on the ad and has been redirected to this page. Each Ads customer receives a different cookie. Cookies can therefore not be tracked via the websites of Ads customers. We ourselves do not collect and process any personal data in the aforementioned advertising measures. We only receive statistical evaluations from Google. Based on these evaluations, we can recognize which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising material; in particular, we cannot identify the users on the basis of this information.

Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We have no influence on the scope and further use of the data collected by Google through the use of this tool and therefore inform you according to our level of knowledge: Through the integration of Ads Conversion, Google receives the information that you have accessed the corresponding part of our website or clicked on an advertisement from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that Google will find out your IP address and store it.

3.4 HubSpot

If necessary, we also use the services of the software producer HubSpot on our websites. HubSpot is a software company based in the USA with a branch office in Ireland (HubSpot European Headquarters, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland).

HubSpot is a service platform. The service we use for our website is an integrated software solution we use to administer customer data and to carry out various aspects of our online marketing. These include, amongst other things, analysis of landing pages and reporting. Therefore, so-called “web beacons” are used and cookies stored on your end device.

For this purpose, the following personal data can be collected, e.g.:

  1. IP address,
  2. geographic location,
  3. browser type,
  4. visit duration,

pages visited.

The collected data, as well as the content of our website, are stored on the servers of our software partner, HubSpot Ireland. We utilise HubSpot to analyse how our website is used. This enables us to continuously optimise the website and make it more user-friendly. Furthermore, we use the data to determine which of our company’s services customers and newsletter subscribers find interesting and to contact customers and newsletter subscribers for advertising purposes. In addition, such analysis helps us to optimise our web offerings for you.

However, we use your IP address only in the abbreviated form. This means that, within the member states of the European Union or in other states that are signatories to the Agreement on the European Economic Area, HubSpot abbreviates users’ IP addresses. Only in exceptional cases will the full IP address be transferred to a server of HubSpot in the USA and be abbreviated there.

The HubSpot cookies usually have a lifespan of 13 months. In addition, we delete the personal data collected by HubSpot as soon as the purpose for which they were collected has been fulfilled, unless statutory retention periods preclude this (see also subsection ‎IV.7).

The storage of cookies occurs on the basis of Art. 6 Sec. 1 lit. a GDPR. Consent is obtained via our cookie banner; users can revoke their consent at any time. If data generated by cookies, are transferred to servers of Google in the USA and stored there, the consent obtained via our cookie banner shall be deemed also as consent in the meaning of in Art. 49 (1) lit. a GDPR.

For further information about the functions of HubSpot please refer to: Datenschutzerklärung der HubSpot Inc.

3.5 Meta Pixel (Client Side tracking)

We also use Meta-Pixel from Facebook, a social media network of the company Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland, for analysing the website usage.

They implement a code on the website, which analyses the behaviour of the users who get to this website via Facebook advertisement. This may be used for improving Facebook advertisement and Facebook collects and stores this data. We cannot view the collected data, we can only use them in the context of advertisement placement. By using Meta-Pixel codes, cookies are set.

By using Meta-Pixel, the user’s visit of our website will be reported to Facebook so that the user will see matching advertisement. If you have a Facebook account and you are logged in, your following websites visits will be allocated to your Facebook account. We do not have any influence on this process and we are not responsible for data protection. For further information on the use of Meta-Pixel for advertising campaigns, please refer to https://www.facebook.com/business/learn/facebook-ads-pixel.

You can change your settings for advertisements on Facebook via https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen, if you are logged into your account. You can manage your preferences regarding user based online advertisement via http://www.youronlinechoices.com/de/praferenzmanagement/. There, you can deactivate or activate many providers at once or change the settings for individual providers. For further information in the Facebook data protection policy, please refer to https://www.facebook.com/policy.php.

3.6 Meta Pixel (Server side tracking)

As part of our efforts to enhance the performance of our website and marketing initiatives, we have implemented server-side tracking using the Meta Conversion API. This technology enables us to measure and improve the effectiveness of our digital advertising efforts and provide a more tailored experience for our website visitors.

3.6.1 What Data Do We Collect?

Through the Meta Conversion API, we may collect the following data:

  • Event Name: A label identifying the specific action or event you performed on our website (e.g., making a purchase, signing up for a newsletter, etc.).
  • Event Time: A UNIX timestamp marking the exact time of the event.
  • Event ID: A unique identifier associated with the tracked event.
  • Event Source URL: The URL of the page on our website where the event occurred.
  • Action Source: Identifies the event as having occurred on our website.

Additionally, the following user data may be collected:

  • Client IP Address: The IP address of the device used to access our website.
  • Client User Agent: Information about the browser and device you used.
  • FBP Cookie Data: The _fbp cookie data, which helps identify Facebook users and target relevant advertising.
  • FBC Cookie Data: The _fbc cookie, which tracks user interactions with Facebook ads before landing on our website.

3.6.2 Why Do We Collect This Data?

We use the information collected through the Meta Conversion API to:

  • Evaluate and optimize the performance of our marketing campaigns.
  • Deliver personalized advertising and relevant content to users based on their interactions with our website.
  • Understand how visitors interact with our website to continuously improve the user experience.

3.6.3 Who Has Access to This Data?

The data collected through the Meta Conversion API is securely transmitted to Meta (Facebook), where it is processed in accordance with their Privacy Policy. Meta may use the data to enhance its advertising services and deliver more relevant ads to users based on their activity on our website.

3.6.4 How Long Do We Retain Your Data?

The data collected through the Meta Conversion API is retained for as long as is necessary to fulfill the purposes outlined in this section. This retention period may be adjusted based on legal or regulatory requirements, or upon your request to delete or modify the data.

3.6.5 How Can You Manage Your Data?

You have the right to control how your data is used. If you wish to manage or withdraw your consent for data collection through cookies and similar technologies, you can do so via our [Cookie Preferences Page]. Additionally, you may contact us directly for any requests regarding your data or privacy rights.

4. Marketing / Google Remarketing

We use the Remarketing Technology of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; „Google“).

Through this technology, users, who already visited our website and/or online platforms and who are interested in our services, will be addressed again with targeted advertisement on the websites of the Google Partner Networks. The display of advertisement is carried out via cookies. With the help of these cookies, the user behaviour on our websites can be analysed and then be used for targeted product recommendation and interest-based advertisement. Google does not merge the data collected in the context of remarketing with your personal data. Google uses pseudonymization in the context of remarketing.

If you do not want to receive targeted advertisement, you can deactivate the use of cookies by Google for this purposes by visiting https://www.google.de/settings/ads/onweb. Alternatively, the users can deactivate the use of Third Party Cookies by visiting the deactivation website of the Network Advertising Initiative http://optout.networkadvertising.org/?c=1.

By using our services, you agree to the processing of the collected data by Google in the manner and for the purpose described herein. Please note that Google has its own Data Protection Regulations, which are independent to ours. We take no responsibility or liability for these regulations and procedures.

VI. Data processing for the purpose of newsletter / advertising / marketing

The use of personal data for the purpose of advertising and/or marketing measures (e.g. newsletters), for carrying out customer satisfaction surveys and for the purpose of press and public relations work (hereinafter collectively referred to as "marketing") shall only take place in the presence of a corresponding consent or another legal basis which also permits this without the presence of consent. In detail:

1. Newsletter Registration

If you would like to receive our newsletter, we require a valid e-mail address from you. In order to be able to check whether you are the owner of the specified e-mail address or whether its owner agrees to receive the newsletter, we send an automated e-mail to the specified e-mail address after the first registration step (so-called “double opt-in”). Only after confirmation of the newsletter registration via a link in the confirmation e-mail do we include the specified e-mail address in our distribution list. We do not collect any further data beyond the e-mail address and the details for confirming the registration.

Your data is processed for the purpose of sending the newsletter you have ordered. The legal basis for this processing is Art. 6 (1) lit. a GDPR or Section 7 Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb (“UWG”) (see below). You can unsubscribe from the newsletter at any time; the explanations on the right to revoke consent under section IV.4 apply in addition.

2. Use of personal data for advertising and marketing purposes / customer surveys

Your personal data will only be used for the purpose of advertising and/or marketing approaches as well as for carrying out customer satisfaction surveys if you have given your consent or if there is another legal basis which permits an advertising and/or marketing approach even without consent. As far as legally permissible, we reserve the right in this context to address customers for advertising purposes also on the basis of publicly accessible data and/or address data of third parties which they obtain from publicly accessible sources (e.g. data from directory media, the Internet, company homepages, public registers or similar). In detail:

  • The legal basis for advertising and/or marketing measures based on express consent is Art. 6 (1) lit. a GDPR; the explanations on consent under section IV.4 apply accordingly.
  • The legal basis for the use of personal data for the purpose of direct mail advertising is Art. 6 para. 1 lit. f GDPR (legitimate interests); the legitimate interest here is to address potential customers for the purpose of direct advertising for our products and services.
  • The legal basis for advertising and/or marketing measures by telephone call is Section 7 (2) No. 2 UWG; this requires express consent in the case of consumers, and at least presumed consent in the case of other market participants; for the requirement of express consent see above as well as point IV.4.
  • For advertising and/or marketing measures via e-mail for the purpose of direct advertising for our own similar goods or services, the legal basis is Section 7 (3) UWG, provided that (i) we have received your e-mail address in connection with the sale of a good or service, (ii) you have not objected to the use of your e-mail address for the purpose of direct advertising and (iii) when collecting the e-mail address and at each use, we clearly inform you that you can object to such use of your e-mail at any time (for the right to object, see section XI.6).

Personal data is stored and used for advertising purposes for an indefinite period of time, depending on the respective legal basis for the advertising measure (consent or legitimate interests), until you have objected to the use of your data for advertising purposes or you have revoked your consent.

You can revoke your consent to the processing of personal data at any time with effect for the future. You can object to processing on the basis of legitimate interests at any time; a right of objection exists in particular in the case of profiling in accordance with Art. 21 GDPR. If a revocation and/or an objection is made, the personal data will no longer be processed for the respective purposes concerned; this does not include the processing of data that is still required for the purpose of fulfilling a contract (Art. 6 (1) (b) GDPR), including statutory retention obligations, and/or if the data is still required for legitimate interests (Art. 6 (1) (b) GDPR) (e.g. in the case of an objection to advertising, the processing of data in a so-called blacklist in order to prevent future advertising approaches).

We are happy to provide you with further information on our handling of data in the area of marketing and/or the sources of our data upon request; please contact us for this purpose using the contact details provided in section II.

VII. Possible recipients of data / persons authorised to access data

Within the scope of providing our services and the associated processing of personal data, our employees have access to data according to the so-called "need-to-know" principle. In order to fulfil the aforementioned purposes, our employees have access to data according to the so-called "need-to-know principle". This means that the group of persons authorised to access the data is limited to those employees who are required to fulfil the respective processing purpose.

In order to fulfil the aforementioned purposes, data may also be processed by (technical) service providers, service providers, subcontractors, vicarious agents and/or service partners who are active on behalf of Fotografiska for the fulfilment of the aforementioned purposes, in particular within the framework of the execution of the contract. Furthermore, data may be processed and transmitted in the context of payment transactions (e.g. to banks, payment service providers). In addition, data may be transmitted to courts, lawyers, debt collection agencies and/or public authorities for the purpose of enforcing claims and/or fulfilling legal obligations, see also section X.

With regard to any recipients of data and the general organisation of access authorisations to data in our company, we also refer to the explanations in section X.

VIII. Data processing outside the EEA

Data processing outside the European Union (EU) and/or the European Economic Area (EEA) may take place, for example, in the case of the use of deliveries and services by customers outside the EEA, e.g. in the case of the acquisition of operating resources in Russia or Belarus. Such data processing outside the EEA for the purpose of executing the contract is permissible under Art. 49 GDPR, in particular under Art. 49 (1) lit. b and/or lit. c of the GDPR. Insofar as Art. 49 GDPR does not intervene and Fotografiska is responsible for the data processing on site under data protection law, Fotografiska will take the measures mentioned in section IV.6 to ensure an appropriate level of data protection. We will be happy to provide further information on this on request.

XI. Obligation to provide personal data (so-called mandatory data)

Data that is required for the establishment, conclusion or performance of a business relationship, including the fulfilment of associated contractual obligations and/or which we are legally obliged to collect, is mandatory data. Mandatory data are marked with an asterisk in our forms. If this data is not provided, we may not be able to provide a contract and/or service, or only to a limited extent; we reserve the right to refuse to conclude a contract if mandatory data is not provided.

X. Processing of data for the enforcement of claims / fulfilment of legal obligations

We reserve the right to use personal data for the extrajudicial and judicial enforcement of claims. The legal basis for such processing of data is Art. 6 (1) lit. b GDPR (contract fulfilment / implementation of pre-contractual measures) or Art. 6 (1) lit. f GDPR (legitimate interests). Likewise, data may be processed and/or transmitted for the purpose of fulfilling legal or statutory obligations (e.g. information from authorities, etc.); the legal basis for this is Art. 6 (1) lit. c GDPR.

XI. Rights of the data subject

According to GDPR, the user is entitled to the following rights of the data subject:

1. Right to information (Art. 15 GDPR)

You have the right to request information on whether or not we process your personal data. If our company processes your personal data, you are entitled to information on

  • the purposes for which the data is processed;
  • the categories of personal data (type of data) processed;
  • the recipients, or categories of recipients, to whom your data has been disclosed to or is yet to be disclosed; this shall particularly apply, if data has been disclosed, or is to be disclosed, to recipients in third countries outside of the application of the GDPR;
  • the planned storage period, if possible; if it is not possible to specify the storage period, the criteria for defining the storage period (e.g. statutory retention periods or the like) will in any case be communicated;
  • your right to correction and deletion of your data, including the right to have processing restricted and/or the option of opting out (see also the following subsections in this respect);
  • the existence of a right to complain to a supervisory authority;
  • the origin of the data in the case of personal data not collected directly from you.

Furthermore, you are entitled to information on whether your personal data is the subject matter of an automated decision as specified in Art. 22 GDPR and, if so, what decision-making criteria are taken as a basis for such automated decision (logic), and what effects and implications this automated decision could have for you.

If personal data is transferred to a third country outside of the scope of application of the GDPR, you are entitled to information on whether and, if so, under what guarantees an adequate level of protection, within the meaning of Art.s 45 and 46 GDPR, has been safeguarded at the data recipient in the third country.

You have the right to demand a copy of your personal data. In principle, we provide data copies in electronic form, unless specified otherwise. The first copy will be free of charge; we may request an appropriate fee for further copies. The provision of such data copies is subject to the rights and freedoms of other persons possibly affected by the transfer of the data copy.

2. Right to correction (Art. 16 GDPR)

You have the right to request that we correct your data if your data is incorrect, inapplicable and/or incomplete; this right to correction includes the right to complete your data by means of supplementary statements or notifications. Correction and/or supplementation shall take place promptly, i.e. without culpable delay.

Right to deletion (Art. 17 GDPR)

You have the right to demand that we delete your personal data if

  • your personal data is no longer needed for the purposes for which it was collected and processed;
  • the data is being processed on the basis of consent given by you, and you have revoked your consent, unless there is some other legal basis for processing the data;
  • you have objected to data processing in accordance with Art. 21 GDPR, and no overriding legitimate reasons for continued processing exits;
  • you have objected to data processing for the purpose of direct advertising in accordance with Art. 21 (2) GDPR;
  • your personal data has been processed unlawfully;
  • the data concerned is a child's data collected in connection with information society services in accordance with Art. 8 (1) GDPR.

No right to delete personal data exists if

  • the right to freely express an opinion or the right to information conflicts with the request for deletion;
  • the processing of personal data is (i) necessary for compliance with a legal obligation (e.g. statutory retention duties), (ii) for the performance of public tasks, or the protection of public interests, under European Union law and/or the law of its Member States (this includes interests in the field of public health) or (iii) for archiving and/or research purposes;
  • the personal data is necessary for asserting, exercising or defending legal claims.

Deletion shall take place promptly, i.e. without culpable delay. If we have made personal data public (e.g. on the Internet), we shall, if this is technically possible and can be reasonably expected, ensure that third-party data processors are also informed of the deletion request, including the deletion of links, copies and/or replications.

4. Right to restriction of processing (Art. 18 GDPR)

You have the right to have the processing of your personal data restricted in the following cases:

  • If you have disputed the accuracy of your personal data, you may request that we do not use your data for other purposes and that their use is restricted, whilst we check the accuracy.
  • If your data is unlawfully processed, you may request that we restrict the use of your data in accordance with Art. 18 GDPR instead of deleting it in accordance with Art. 17 (1), lit. d GDPR.
  • If you need your personal data for asserting, exercising or defending legal claims, but further processing of your personal data is not necessary, you may request that we limit processing to the aforementioned legal defense purposes.
  • If you have objected to data processing in accordance with Art. 21 (1) GDPR, and it has not yet been established whether our interests in processing outweigh your interests, you may request that we do not use your data for other purposes and that their use is restricted, until the outweighing of interests is confirmed.

We will process personal data, whose processing has been restricted at your request, only (i) with your consent, (ii) for asserting, exercising or defending legal claims, (iii) for protecting the rights of other natural persons or legal entities or (iv) for reasons of important public interest- except for storage. If a processing restriction is lifted, you will be informed thereof.

5. Right to data portability (Art. 20 GDPR)

Subject to the following provisions, you have the right to request that your personal data be surrendered in a commonly used electronic, machine-readable data format. The right to data portability includes the right to transfer the data to another data controller. On request, we shall therefore - insofar as technically possible - transfer data directly to a data controller designated, or yet to be designated, by you. The right to data portability shall apply only to data provided by you and requires that the processing takes place on the basis of consent or for the implementation of a contract and be carried out with the aid of automated procedures. The right to data portability under Art. 20 GDPR does not affect the right to data deletion under Art. 17 GDPR. The data shall be transferred only if no rights or freedoms of other persons are impaired because of the data transfer.

6. Right to object (Art. 21 GDPR)

If we process personal data for the performance of tasks that are in the public interest (Art. 6 (1) lit. e GDPR) or for the protection of legitimate interests (Art. 6 (1) lit. f GDPR), you may at any time, with effect for the future, object to the processing of your personal data. If you exercise your right to object, we shall refrain from all further processing of your data for the aforementioned purposes, unless

  • the reasons for processing are compelling and worthy of protection and outweigh your interests, rights and freedoms, or
  • the processing is necessary for asserting, exercising or defending legal claims.

You may object to the usage of your data for direct advertising at any time, with effect for the future; this shall also apply to profiling, if it relates to direct advertising. If you exercise your right to object, we shall refrain from all further processing of your data for direct advertising.

7. Prohibition of automated decisions/profiling (Art. 22 GDPR)

Decisions, that entail a legal consequence for you or materially impair you, shall not be based exclusively on automated processing of personal data, including profiling. This shall not apply if such automated decision

  • is necessary for the conclusion or performance of a contract with you;
  • is permissible under legal provisions of the European Union or its Member States, insofar as these legal provisions contain appropriate measures for protecting your rights, freedoms and legitimate interests; or
  • is made with your express consent.

In principle, decisions based exclusively on automated processing of particular categories of personal data are impermissible, unless Art. 22 (4) in conjunction with Art. 9 (2) lit. a or lit. g GDPR shall apply, and appropriate measures for protecting your rights, freedoms and legitimate interests have been taken.

8. Legal protection options/right to complain to the supervisory authority

If you have any complaints, you may at any time turn to the relevant supervisory authority of the European Union or its Member States. For our company, the supervisory authority specified in Section II is the relevant supervisory authority.

XII. Alterations of the Data Protection Declaration, Language Versions

1. We reserve the right to alter the data protection declaration in irregular intervals and will inform you about the significant changes and the impact they will have on the use of your personal data. You have access to the respective current version on our websites under the link “data protection”.

2. Please note that the language versions of this privacy policy are provided for your convenience and better understanding only. In the case of any interpretation disputes, the German version always takes precedence.

XIII. Cookies we use

cookie_consent

Provider: Fotografiska

Category: Functional

Duration: 1 year / 30 days

Purpose: Remember that consent for storing and using cookies was given.

_fbc

Provider: Meta Pixel

Category: Advertising, analytics

Duration: 3 months

Purpose: When a user clicks on an ad on Facebook, the link sometimes includes a fbclid query parameter. When the user lands on the target website, if the website has a Meta Pixel that uses first-party cookies, the Pixel automatically saves the fbclid query parameter to an _fbc cookie for that website domain.

_fbp

Provider: Meta Pixel

Category: Advertising, analytics

Duration: 3 months

Purpose: When the Meta Pixel is installed on a website, and the Pixel uses first-party cookies, the Pixel automatically saves a unique identifier to an _fbp cookie for the website domain if one does not already exist.

_glc_au

Provider: Google Ads

Category: Advertising

Duration: 90 days

Purpose: First party cookie for “Conversion Linker” functionality – it takes information in ad clicks and stores it in a first-party cookie so that conversions can be attributed outside the landing page.

IDE

Provider: Google Ads

Category: Advertising

Duration:  Berlin 13 months EEA UK / 24 months elsewhere

Purpose: Contains a randomly generated user ID. Using this ID, Google can recognize the user across different websites across domains and display personalized advertising.

test_cookie

Provider: Google Ads

Category: Functional

Duration: 15 minutes

Purpose: Set as a test to check whether the browser allows cookies to be set. Does not contain any identifying information.

ar_debug

Provider: Google Ads

Category: Functional

Duration: 1 month

Purpose: Used to debug ads.

_pk_cvar

Provider: Matomo

Category: Analytics

Duration: 30 minutes

Purpose: Short lived cookies used to temporarily store data for the visit.

_pk_id

Provider: Matomo

Category: Analytics

Duration: 13 months

Purpose: Used to store a few details about the user such as the unique visitor ID.

_pk_ref

Provider: Matomo

Category: Analytics

Duration: 6 months

Purpose: Used to store the attribution information, the referrer initially used to visit the website.

_pk_ses

Provider: Matomo

Category: Analytics

Duration: 30 minutes

Purpose: Short lived cookies used to temporarily store data for the visit.

_pk_testcookie

Provider: Matomo

Category: Functional

Duration: None

Purpose: Only used to check whether the visitor’s browser supports cookies and is created without any identifier and is directly deleted.

mtm_cookie_consent

Provider: Matomo

Category: Functional

Duration: 30 years

Purpose: Remember that consent for storing and using cookies was given.