Data Privacy Information

This data privacy information serves to inform you about our handling of your personal data. To make the processing of your data as transparent as possible, we would like to provide you with the following overview of processing operations. In order to guarantee fair processing, this data privacy information contains general information about our handling of your data as well as information concerning your rights according to the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

We will inform you in detail about
I. General information
II. Data processing on our website
III. Further data processing

The Stiftung Hamburger Gedenkstätten und Lernorte zur Erinnerung an die Opfer der NS-Verbrechen is the controller of the data processing (hereinafter referred to as ‘we’ or ‘us’).


I. General information

1. Contact
If you have any questions or feedback concerning this information or wish to contact us to exercise your rights, please send your enquiry to

Stiftung Hamburger Gedenkstätten und Lernorte zur Erinnerung an die Opfer der NS-Verbrechen
Jean-Dolidier-Weg 75, 21039 Hamburg
phone +49 40 428131500
Fax +49 40 428131501

2. Legal basis
The legal term ‘personal data’ refers to all information relating to an identified or identifiable natural person.
We process personal data in compliance with the data protection regulations, in particular the GDPR and the BDSG. We solely process data with legal permission. We process personal data

  • solely with your consent (Art. 6 section 1 letter a) GDPR),
  • to perform a contract to which you are a party or to take steps at your request prior to entering into a contract (Art. 6 section 1 letter b) GDPR),
  • to comply with a legal obligation (Art. 6 section 1 letter c) GDPR) or
  • where processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6 section 1 letter f) GDPR).

3. Period of storage
Unless otherwise stated in the following, we will only store your data for as long as required to achieve the intended processing purpose or to fulfil our contractual or statutory obligations. In particular, such statutory retention requirements may result from regulations under commercial or tax law.

4. Recipients of data
For certain processing activities, we rely on service providers. These processing activities include, for example, hosting, maintenance and support of IT systems as well as accounting. A ‘processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors process data not for their own purposes but solely for the controller and are contractually obliged to implement appropriate technical and organizational measures ensuring data protection.
Apart from that, we may transfer your data to postal and delivery services, our bank, consultants/auditors or the fiscal authority if necessary.
Should your data be transferred to further recipients, you can find this information under the description of the respective processing activity.

5. Processing in the exercise of your rights pursuant to Art. 15 to 22 GDPR
If you exercise your rights pursuant to Art. 15 to 22 GDPR, we process the personal data transferred in order for us to grant you your rights and to acquire proof thereof. Data stored for the purpose of granting you your right of access and for the preparation thereof will only be processed for this purpose and for the purpose of data protection control. Any further processing is restricted in accordance with Art. 18 GDPR. These processing operations are based on Art. 6 section 1 letter c) GDPR in conjunction with Art. 15 to 22 GDPR and section 34 para. 2 BDSG.

6. Your rights
As the data subject, you are entitled to assert your rights against us. In particular, you have the following rights:

  • Pursuant to Art. 15 GDPR and section 34 BDSG, you have the right of access to information confirming whether and, if so, to what extent we are processing personal data concerning you.
  • Pursuant to Art. 16 GDPR, you have the right to rectification of your data.
  • Pursuant to Art. 17 GDPR and section 35 BDSG, you have the right to erasure of your personal data.
  • Pursuant to Art. 18 GDPR, you have the right to require us to restrict the processing of your personal data.
  • Pursuant to Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and the right to transfer such data to another controller.
  • Where you have granted us specific consent to a processing activity, you can withdraw such consent at any time pursuant to Art. 7 section 3 GDPR. Any such withdrawal of consent shall not affect the lawfulness of processing based on that consent prior to its withdrawal.
  • If you are of the view that the processing of your personal data infringes GDPR provisions, you have the right to lodge a complaint with a supervisory authority pursuant to Art.77 GDPR.

7. Right to object
Pursuant to Art. 21 section 1 GDPR, you have the right to object to processing activities based on Art. 6 section 1 letter e) or letter f) GDPR on grounds relating to your particular situation. If we process your personal data for the purpose of direct marketing, you may object to such processing pursuant to Art. 21 section 2 and section 3 GDPR.

8. Data protection officer
You can contact our data protection officer via the following address:


II. Data processing on our website

During use of our website, we collect information that you provide yourself. We also automatically collect certain information about your use of the site during your visit to the site. In data protection law, the IP address is also considered personal data. An IP address is assigned to each device connected to the internet by the internet provider so that it can send and receive data.

1. Processing of server log files
When using our website for informative purposes only, general information that your browser transfers to our server is initially stored automatically (not via registration). This includes by default: browser type/-version, operating system used, page called, the previously visited page (referrer URL), IP address, date and time of server request and HTTP status code. The processing is carried out in pursuit of our legitimate interests and is based on Art. 6 section 1 letter f) GDPR. This processing serves the technical administration and security of the website. The data stored is anonymized immediately upon collection unless there is a justified suspicion of illegal use based on concrete indications and further examination and processing of the information is necessary for this reason. We are unable to identify you as a data subject based on the information collected. Art. 15 to 22 GDPR therefore do not apply pursuant to Art. 11 section 2 GDPR, unless you provide additional information to enable your identification in order to exercise the rights set out in these articles.

2. Data Transfer to third countries
Visiting our website may involve the transfer of certain personal data to third countries, i.e. countries where the DSGVO is not applicable law. Such a transfer shall be authorised if the European Commission has decided that an adequate level of data protection is ensured in such third country. In the absence of such an adequacy decision by the European Commission, personal data will only be transferred to a third country if appropriate safeguards are in place in accordance with Art. 46 DSGVO or if one of the conditions of Art. 49 DSGVO is met. Unless otherwise stated below, we use as appropriate safeguards the EU standard contractual clauses for the transfer of personal data to processors in third countries:

3. Cookies
We use cookies and similar technologies on our website. Cookies are small text files that are stored by your browser when you visit a website. This makes the browser identifiable so it can be recognised by our web server. We use so-called ‘session cookies’, which are deleted when the browser session is ended. Other cookies (‘persistent cookies’) are automatically deleted after a specific period, which may vary depending on the cookie.
Cookies which are necessary for the electronic communication or to maintain functionality of our website are saved on the basis of Art. 6 section 1 letter f) GDPR. We have a legitimate interest in saving cookies to display our website flawlessly.
Cookies are stored on the computer of the user. Therefore, you as the user have full control over the use of cookies. You can delete cookies in the security settings of your browser at any time. You can object to the use of cookies entirely or for certain cases in your browser settings.

4. Google Maps
We have integrated "Google Maps", a service of Google Ireland Limited (Ireland/EU) for displaying maps into our website. We use a two-click solution for the integration. When using the two-click solution, no connection is established to the third-party provider, but a placeholder is loaded from our own server. This is a preview image of the integrated maps. A contact to the "third-party server" is only established after a further click on the respective placeholder. The IP address is therefore only transmitted when you confirm this by clicking on it. The data processing takes place with your consent and is based on Art. 6 section 1 letter a) GDPR.
In the case of Google services, the transmission of data to Google Inc. in the USA cannot be ruled out. Please also note the information in the section "Data transfer to third countries". Further information on data protection at Google can be found in Google's privacy policy at


III. Further data processing

1. Contact via email
If you send us a message via our contact email address, we will process the transferred data in order to process the request. We process this data in pursuit of our legitimate interest to reach out to persons submitting requests. The legal basis for this is Art. 6 section 1 letter f) GDPR.