Welcome to the Deutsches Historisches Museum.
To ensure you are fully informed about the processing of your personal data on our websites, please take note of the following information.
1.1 Controller and data protection officer
The provider of this website and the controller under data protection law for the processing of your personal data within the meaning of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG, Bundesdatenschutzgesetz) is the Deutsches Historisches Museum Foundation, represented by its President Prof. Dr. Raphael Gross, to be reached at:
Stiftung Deutsches Historisches Museum (DHM)
Unter den Linden 2
10117 Berlin, Germany
Tel. +49 30 203040
For contact details, please refer to the respective contact addresses in the Imprint.
You can reach our data protection officer by post at the above address with the addition of `data protection officer` or by e-mail at firstname.lastname@example.org.
The term ‘users’ includes all customers and visitors to our online offer.
1.3 Basic information on data processing
We only process the personal data of our users in as far as this is necessary for the provision and optimisation of a functional website as well as our contents and services.
This DHM website is part of the DHM’s public relations work. The legal basis for the processing of personal data in the context of PR work is Art. 6 (1) sentence 1 lit. e GDPR in conjunction with section 3 of the Federal Data Protection Act. In as far as we obtain consent to process personal data, Art. 6 (1) sentence 1 lit. a of the EU’s General Data Protection Regulation (GDPR) serves as the legal basis. When processing personal data that is necessary for the performance of a contract to which you are a party (for instance, ordering publications or newsletters), Art. 6 (1) sentence 1 lit. b GDPR serves as the legal basis. The foregoing also applies to pre-contractual measures.
We take organisational, contractual and technical security measures in accordance with the state of the art to ensure that the provisions of data protection legislation are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons.
Please note that data transmission over the Internet (for instance, communication by e‑mail) can be susceptible to security vulnerabilities. It is not possible to fully protect data against access by third parties.
1.4 Protection of minors
Persons under the age of 16 should not submit any personal data to us without the consent of their legal guardian. We do not knowingly process any personal data of such persons without the consent of their parents, nor do we disclose such data to third parties.
1.5 SSL/TSL encryption
This website uses SSL/TSL encryption for security reasons and in order to protect the transmission of confidential content, such as orders or requests that you send to us as the website operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from ‘http://’ to ‘https://’ and by the lock symbol in your browser line. If SSL/TSL encryption is activated, the data you transmit to us cannot be read by third parties.
2. Data processing in conjunction with visits to this website
2.1 Creation of log files
Each time our website is accessed, our web servers temporarily record access in a log file. The following data is collected and stored until automated erasure after seven days:
- information about the browser type and version used,
- user operating system,
- user IP address,
- website accessed,
- date and time of access,
- website from which access was made (referrer URL).
This data is not merged with other data sources.
This data is processed to ensure a smooth connection and comfortable use of our website, to evaluate system security and stability as well as for further administrative purposes.
The website is provided as part of our PR work. The legal basis for processing the data results from the Art. 6 (1) sentence 1 lit. e GDPR in conjunction with section 3 of the Federal Data Protection Act.
The company 3PC has access to some of this data for revision and programming tasks. The DHM has carefully selected this service provider and concluded a contract for commissioned data processing with them. 3PC is bound by the instructions of the DHM.
2.2 Hosting and operating the Ticket Shop
The DHM Ticket Shop is hosted by Giant Monkey GmbH on a Hetzner server. Hetzner stores the data for the following periods:
- The IP addresses are stored anonymously. To do this, the last three digits are removed, i.e., 220.127.116.11 becomes 123.123.123.xxx. IPv6 addresses are also anonymised. The anonymised IP addresses are stored for 60 days. Details of the directory protection user used are anonymised after one day.
- Error logs, which record faulty page views, are deleted after seven days. In addition to the error messages, these contain the accessing IP address and, depending on the error, the website accessed.
Giant Monkey GmbH also has access to this data for revision and programming tasks in go~mus.
Error messages are logged anonymously by Giant Monkey GmbH and automatically deleted after 180 days.
The DHM has carefully selected service providers Hetzner and Giant Monkey GmbH and has signed a contract with them for commissioned data processing. Hetzner and Giant Monkey GmbH are bound by the instructions of the DHM.
This website uses a cookie to remember the setting when dark mode support is turned on or off. This cookie is needed for the setting to work and is only used when a user clicks the Dark Mode button. The ‘language’ cookie stores the last language version you used.
When visiting the DHM website for the first time with a new device or browser, a dialogue (‘cookie banner’) is displayed allowing the user to select cookie references for this device or browser. If you do not consent to the use of technically unnecessary cookies (in particular for the purposes of web analysis in accordance with section 2.3), only those cookies that are technically necessary for website use will be used.
Technically necessary cookies are processed in accordance with Art. 6 (1) lit. e GDPR in conjunction with section 3 of the Federal Data Protection Act. All other cookies are processed exclusively with your consent in accordance with Art. 6 (1) lit. a GDPR.
2.4 Use of Matomo
In order to be able to analyse and regularly improve the use of our website, we use ‘Matomo’, an open source software for statistical evaluation of visitor access on this website. The statistical information thereby generated helps us to improve our offering and to make it more interesting for you as a user. Cookies (see section 4. for more details) are stored on your computer for this evaluation.
Matomo is disabled when you visit our website. Your user behaviour will not be recorded in anonymous form until you have actively consented to this.
We are committed to protecting your data. That is why we use Matomo with the ‘AnonymizeIP’ extension, so that IP addresses are then further processed in shortened form. This means that any direct reference to a person is ruled out. The anonymised IP address transmitted by your browser via Matomo is not merged with other data collected by us. The information collected is stored exclusively on our web servers and is not disclosed to third parties.
While using our website, you can at any time change your cookie settings for data collection by Matomo software. After clicking this link, the corresponding selection fields are available again.
For more information about privacy settings in Matomo, go to: https://matomo.org/docs/privacy/.
2.4. Social media plugins with Shariff
Social media plugins are used on our pages (Facebook, Twitter, Instagram, SoundCloud). You can usually recognise the plugins by the respective social media logos.
The DHM itself does not collect any personal data by means of plug-ins or through their use. We have no influence on the content and scope of the data collected by the service provider.
2.5 YouTube and Vimeo video plugins
This content is integrated in order to improve the user experience and to make our online offerings more appealing. Within the framework of our PR work, the legal basis for processing the data results from Art. 6 (1) sentence 1 lit. e GDPR in conjunction with section 3 of the Federal Data Protection Act.
YouTube is a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Vimeo is operated by Vimeo LLC, 555 West 18th Street, New York 10011, USA.
In order to improve the protection of your data when visiting our website, the YouTube videos are integrated in ‘extended data protection mode’ as far as possible.
The Vimeo plugins are also integrated into the page in such a way that they can only be activated by an additional click.
This integration ensures that no data about you as a user is transmitted to YouTube or Vimeo if you do not play the videos.
It is only when you play the videos that your IP address, the date and time and the sub-page of our website that you visited will be transmitted as a minimum to YouTube or Vimeo (possibly to the US). We have no influence on this data transmission.
This is carried out irrespective of whether YouTube and Vimeo provide a user account to which you are logged in or whether no user account exists.
We would like to point out that we have no influence on the content, scope of use or data collected by YouTube and Vimeo. Further information regarding the purpose and scope of the collection and processing of data by the provider can be found in the provider’s privacy statement where you will also find further information about your rights as well as setting options in order to protect your privacy.
3. Data processing in the context of contacting us via contact form, e-mail and letter
We offer a number of contact forms on our website which are designed to make it easier for you to contact us. The following personal data is collected in the contact forms:
first and last name, if applicable,
telephone, if applicable (optional),
address, if applicable,
company, if applicable.
The personal data collected via a contact form and the date of the enquiry are sent as an e-mail from the web server to the DHM department responsible for your enquiry. This data is only stored on the web server while subsequent processing takes place for the purpose of transmission. The transmission as e-mail is not encrypted.
Alternatively, you can contact us via the e-mail address provided or by post. In this case, the user’s personal data transmitted by e-mail and post will be stored. This data will not be disclosed to any third party.
Your information will only be processed for the purpose for which your respective enquiry is made. The legal basis for the processing of your personal data, in as far as the data is required to perform pre-contractual measures carried out at your request, is Art. 6 (1) sentence 1 lit. b GDPR. Otherwise, the data is processed on the basis of Art. 6 (1) lit. e, (2) GDPR in conjunction with section 3 of the Federal Data Protection Act. We need to process the data you have provided in order to process your enquiry. The data will be erased as soon as it is no longer needed in order to achieve the purpose for which it was collected and as long as such erasure does not conflict with any statutory retention obligations.
Optional data is processed on the basis your consent according to Art. 6 (1) lit. a GDPR. You can revoke your consent at any time. The lawfulness of the processing based on your consent remains unaffected until we receive your revocation.
4. Use of social networks
4.1 Facebook and Instagram
As part of its PR work, the DHM maintains online presences on the social networks Facebook and Instagram to inform users about the DHM. These are online presences within the Facebook platform offered by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (hereinafter ‘Facebook’).
4.1.1 Data processed by the DHM
We post current information, pictures and videos on our Facebook and Instagram page. You can actively contact us on the pages, for instance, through comments, visitor posts and messages. The comments and posts you publish on the pages are publicly visible and show who posted them. The messages you send directly to us are not publicly visible.
We need to process your personal data to answer your questions or to deal with your requests. Data is processed on the basis of Art. 6 (1) lit. e GDPR in conjunction with section 3 of the Federal Data Protection Act.
4.1.2 Use of Insight data
So-called Page Insights are used on our pages which enable us to retrieve certain statistical, anonymised data (e.g. ‘Likes’ , page activity, number of page views, reach). This Insight data is generated and provided by Facebook through cookies. We cannot turn off this Insight function. No users can be identified with the Insight data transferred to us by Facebook. We use this data exclusively to improve our offer on our pages as part of our PR work. The legal basis is Art. 6 (1) lit. e GDPR in conjunction with section 3 of the Federal Data Protection Act.
We are jointly responsible with Facebook for the processing of Insight data within the meaning of the GDPR. For this purpose, Facebook has concluded a supplementary agreement with page controllers in accordance with Art. 26 GDPR to clarify responsibilities. You can find this agreement at: https://www.facebook.com/legal/terms/page_controller_addendum.
This agreement states that Facebook is primarily responsible for data processing and that the DHM has no access to the individual user data but can only retrieve anonymised statistics.
You can assert your data protection rights both against us and against Facebook. However, we ask users to contact Facebook directly in order to exercise their data subject rights with regard to the processing of their data by Facebook.
4.1.3 Data processed by Facebook
In the cookies referred to under 4.1.2 above, Facebook collects personal data of visitors and processes this data for its own purposes, such as for advertising and market research purposes, and to create user profiles. If visitors to the pages have a Facebook user account and are logged into this account during the page visit, the information provided by the cookies is also stored across different devices. Facebook passes on user data to third countries, such as the US, without us being able to influence this. The associated possible risks for user data cannot be excluded by us as the operator of the pages.
For more information about how Facebook uses data, got to: https://www.facebook.com/policy.php.
4.2 DHM X account
The DHM is active on the short message service X. It uses the technical platform and services of X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA for this purpose. The data controller for individuals living outside the United States is Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland.
Please note that you are responsible for your use of the X short message service offered here and its functions. This applies in particular to the use of interactive functions (for instance, sharing, rating).
The DHM has no influence on the type and scope of the data processed by X, the way such data is processed and used, or the transfer of such data to third parties. In this respect, it also has no effective means of control.
We do not collect any data ourselves via the DHM X account. The IP addresses of visitors to the website are also not transmitted to X Corp. via the integration of the DHM’s posts on its homepage. However, the data you enter on X, especially your username and the content published under your account, will be processed by us in as far as we repost or reply to your posts, or we write posts that refer to your account. The data you freely publish and disseminate on X is therefore included by the DHM in its offer and made accessible to its followers.
The legal basis for data processing for the purpose of PR work is Art. 6 (1) lit. e GDPR in conjunction with section 3 of the Federal Data Protection Act.
4.3 YouTube, Vimeo, SoundCloud and Spotify profile of the DHM
The DHM makes video and audio content available via the technical platforms and offerings of YouTube, Vimeo, SoundCloud and Spotify.
YouTube is a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (www.youtube.com).
Vimeo is operated by Vimeo LLC, 555 West 18th Street, New York 10011, USA (www.vimeo.com).
SoundCloud is a service of SoundCloud Limited, Rheinsberger Str. 76/77, 10115 Berlin, Germany (www.soundcloud.com)..
Spotify is a service of Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm, Sweden (www.spotify.com).
The DHM has no influence on data collection and the further use of the data by the respective platform providers. The DHM is not responsible for the data processing by these service providers.
Further information on the purposes and scope of data collection by the respective service providers as well as your rights and setting options for protecting your privacy can be found in their privacy policies.
5. Data processing in the context of the provision of information
5.1 Newsletter dispatch
You can consent to receive our newsletter which provides information about our current offers. The advertised goods and services are named in the declaration of consent.
We use the so-called double opt-in procedure to register for our newsletter. This means that after you have registered, we will send an e-mail to the e-mail address you provided asking you to confirm that you wish to receive the newsletter. We also store the time of registration and confirmation in each case. The purpose of the procedure is to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data.
The only mandatory information for sending the newsletter is your e-mail address. The provision of further, separately marked data is voluntary and will be used to address you personally. After receiving your confirmation, we will store your e-mail address for the purpose of sending you the newsletter. The legal basis is Art. 6 (1) sentence 1 lit. a GDPR. You can revoke your consent to receive the newsletter and unsubscribe at any time. You can cancel by clicking the link provided in each newsletter e-mail, via this website form: https://www.dhm.de/newsletter, by e-mail to email@example.com or by sending a message to the contact details provided in the Imprint.
We would like to point out that we evaluate your user behaviour when sending the newsletter. This means that the e‑mails sent contain so-called web beacons or tracking pixels, which are single-pixel image files stored on our website. The data is only collected in pseudonymised form, i.e., the IDs are not linked to your other personal data, so that direct personal reference is ruled out.
This data is received by our employees who are responsible for education and outreach as well as press and PR. We work together with commissioned data processor Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin. We have contractually obliged Sendinblue GmbH to handle your personal data in accordance with the requirements of the GDPR.
5.2 Use of the DHM blog
You can leave comments in our DHM blog regarding specific blog posts and to receive information about new blog articles.
If you leave a comment on a blog post, your comment text, the time you entered the comment and your chosen username (pseudonym possible) will be saved and published. Your e-mail address will also be stored, but only to prevent misuse and will not be published. The data processing is based on your consent (Art. 6 (1) sentence 1 lit. a GDPR). The data collected in conjunction with the comment function will not be passed on to third parties and will be used exclusively for the purpose of commenting.
You can withdraw your consent at any time. The blog comment and related information will be deleted if you send an e-mail requesting this to: firstname.lastname@example.org.
You can subscribe to the DHM blog after registering using your e‑mail address. You will receive a confirmation e‑mail to verify that you are the owner of the e‑mail address provided. You can unsubscribe from this function at any time via a link in the info mails. The data entered as part of the subscription will be deleted in this case. The legal basis for the data processing is your consent (Art. 6 (1) sentence 1 lit. a GDPR).
5.3 Press mailing list
Journalists can register on our website to receive press information from the DHM. In this press mailing list, personal data (name, e-mail address, telephone number, name of the medium/company, editorial office/department, position) is collected and stored on the basis of Art. 6 (I) lit. e GDPR in conjunction with section 3 of the Federal Data Protection Act or on the basis of your consent granted in accordance with Art. 6 (1) lit. a GDPR. The data will be used for the purpose of press and media relations, in particular for sending press releases and invitations. The data will not be transferred to third parties outside the DHM’s business area or to third countries. The data will be stored until consent is revoked. If inclusion in the press mailing list is revoked, all personal data will be removed from our database immediately. If you wish to be removed from the press mailing list, please send an e-mail informing us to: email@example.com.
5.4 Databases and OPAC
No personal data is stored with queries in the object database and in the ‘NS-Archivalien’ databases. The use of the OPAC of the library of the Deutsches Historisches Museum is subject to the provisions laid down in the library’s user rules. No personal data is stored with queries in the OPAC.
6. Data processing for orders via the DHM Ticket Shop
6.1 Data categories and purpose
Our Ticket Shop offers you the opportunity to purchase tickets for exhibitions and to sign up for public guided tours and other educational offers of the DHM. To provide this service, we use the go~mus booking management system, which is operated by Giant Monkey GmbH on servers owned by Hetzner in Germany.
When booking via the Ticket Shop, the following data is processed in addition to the data that is collected anyway when you visit the website (see No. 2.2 above):
First and last name
Preferred language (German/English)
Your selected products with their quantity and amounts
Comment field entries
Payment method selected for the order
Information on payment execution
If you would like to use the Ticket Shop more frequently, you can also create a user account.
When you register, your address and a password to be assigned by you will also be stored. However, the password itself is not permanently stored, but only its hash value.
The data may also be used for marketing purposes within reasonable limits.
6.2 Legal basis
The aforementioned data categories are collected and processed within the scope of contract initiation and processing in accordance with Art. 6 (1) (b) GDPR.
When a purchase contract is concluded, the accounting records are stored on the basis of the legal obligation pursuant to Art. 6 (1) (c) GDPR in conjunction with section 147 (1) no. 4 of the German Fiscal Code (Abgabenordnung).
The use of data for marketing purposes is based on our legitimate interest to make our offer more attractive and to advertise it, Art. (1) (f) GDPR.
6.3 Data transmission
For the purchase transaction, the data collected is transmitted to our service provider and order processor, Giant Monkey GmbH.
The DHM has carefully selected this service provider and signed a contract with it for commissioned data processing. Giant Monkey GmbH is bound by the instructions of the DHM and is regularly inspected.
6.4 Storage period
If a purchase contract is concluded in our Ticket Shop, we are legally obliged to store the booking receipts for a period of ten years. After such period, the documents are deleted.
User accounts are deleted once the corresponding account has been terminated or when the corresponding offer on our part has been discontinued.
Otherwise, the data will be deleted once the statutory warranty and comparable obligations have expired or as soon as the data is no longer required for the above-mentioned purposes. The necessity to store data is reviewed at regular intervals.
6.5.1 Payyo TrekkSoft AG
We do not store any credit card information or bank data ourselves, but work together with payment service provider Payyo TrekkSoft AG to process payments and to whom we pass on the information you provide during the ordering process, together with information about your order, in accordance with Art. 6 (1) (b) GDPR. Your data will only be passed on for the purpose of processing your payment with the payment service provider and only to the extent necessary for this purpose. You can find more information about payment processing via Payyo here: https://payyo.ch/de/.
More information on data protection at TrekkSoft AG can be found at: https://www.trekksoft.com/de/datenschutzerklaerung.
7. Photo and video recordings
Photos and videos of visitors taken/made during museum operations and in the context of events is carried out exclusively for the purpose of the DHM’s PR work and will be used to report on the event on the DHM’S website, in its publications and press releases. You will be requested to give your consent for photographs that do not show persons of contemporary history or persons as accessories next to landscapes or other localities and are not photographs of meetings, processions or similar events. The legal bases are Art. 6 (1) lit. e GDPR in conjunction with section 3 of the Federal Data Protection Act and Art. 6 (1) lit. a GDPR. Where appropriate, photographs and/or film footage may be passed on to service providers for publication in conjunction with the production of print products. This includes, for instance, agencies and printers involved in the production.
The recordings for which consent was obtained because it was required will be deleted immediately when consent has been revoked. Otherwise, recordings are stored until the purpose no longer applies.
8. Contract awarding
Information, including personal data, is needed to carry out a contract awarding procedure. The data you provide will be collected, organised, stored, used and deleted on the basis of Art. 6 (1) lit. b GDPR. The data will only be used for the purposes of examination and decision-making within the scope of the contract awarding procedure as well as the possible conclusion of a contract. Any use beyond this and any transmission to third parties will not take place. Exceptions to this are disclosure to national or European review authorities and the supervisory authority when required by law. Personal data will be stored for as long as it is necessary to fulfil the aforementioned purposes and will be deleted after the statutory retention periods have expired.
9. Applications and application procedure
Interested users can send their applications to the Deutsches Historisches Museum via Job advertisements. Additional personal data is processed as part of the application process. Further information regarding the scope and nature of such data processing can be found here.
10. Your rights
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the right to obtain information free of charge from the controller regarding the personal data we have stored about you (Art. 15 GDPR). In addition, users have the right to rectification (Art. 16 GDPR), erasure or restriction of processing of their personal data (Art. 17 and 18 GDPR) and the right to object to processing (Art. 21 GDPR). You can exercise your right to data portability (Art. 20 GDPR) and, in the event of unlawful data processing, lodge a complaint with the competent supervisory authority:
The Federal Commissioner for Data Protection and Freedom of Information
Graurheindorfer Str. 153
53117 Bonn, Germany
Users can revoke their consent under data protection law at any time without giving reasons and without suffering any disadvantages, in principle with effect for the future (Art. 7 (3) GDPR). You can send your objection by e-mail or letter to the following address:
Stiftung Deutsches Historisches Museum (DHM)
Unter den Linden 2
10117 Berlin, Germany
Tel. +49 30 203040
Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Last revised: May 2023