Skip to main content

Data protection policy

Data protection officer

The institution responsible as defined by the data protection laws, in particular the EU General Data Protection Regulation (GDPR), is:


Museum Brandhorst
Bayerische Staatsgemäldesammlungen
Türkenstraße 19
80333 Munich

Ihre Betroffenenrechte

You can exercise the following rights at any time using the contact details provided:


  • information about your data stored by us and how it is processed (Art. 15 GDPR),
  • correction of incorrect personal data (Art. 16 GDPR),
  • deletion of your data stored by us (Art. 17 GDPR),
  • restriction of data processing in the event that we are not yet allowed to delete your data due to legal obligations (Art. 18 GDPR),
  • objection to the processing of your data by us (Art. 21 GDPR) and
  • data portability, provided that you have consented to the data processing or have concluded a contract with us (Art. 20 GDPR).


If you have given us consent, you may revoke it at any time with effect for the future.

You may contact a supervisory authority at any time with a complaint, e.g. the competent supervisory authority in the federal state of your residence or the authority responsible for us as the controller.

A list of supervisory authorities (for the non-public sector) with address can be found at:

Collection of general information when visiting our website

Type and purpose of processing:


When you access our website, i.e., if you do not register or otherwise transmit information, information of a general nature is automatically collected. This information (server log files) includes, for example, the type of web browser, the operating system used, the domain name of your internet service provider, your IP address and the like.


In particular, this information is processed for the following purposes:

  • to ensure a problem-free website connection,
  • to ensure smooth use of our website,
  • to evaluate system security and stability, and
  • for other administrative purposes.

We do not use your data to draw conclusions about your person. We evaluate information of this kind statistically, if necessary, in order to optimize our website and the technology behind it.


Legal basis:

The processing is carried out in accordance with Art. 6 para. 1 (f) GDPR on the basis of our legitimate interest in improving the stability and functionality of our website.



The recipients of the data may be technical service providers who act as order processors for the operation and maintenance of our website.


Storage period:

The data is deleted as soon as it is no longer required for the purpose for which it was collected. This is generally as soon as the respective session has ended in the case of data used to present the website.


Provision mandatory or required:

The provision of the aforementioned personal data is neither legally nor contractually required. However, without the IP address, the service and functionality of our website is not guaranteed. In addition, individual services may not be available or may be limited. For this reason, no objection is possible.


Like many other websites, we also use so-called “cookies”. Cookies are small text files that are stored on your end device (laptop, tablet, smartphone or similar) when you visit our website.

This allows us to obtain certain data such as IP address, browser used and operating system.

Cookies cannot be used to launch programs or transfer viruses to a computer. Based on the information contained in cookies, we can facilitate your navigation and enable the correct display of our web pages.

Under no circumstances will the data we collect be passed on to third parties or linked to personal data without your consent.


Of course, you can also view our website without cookies. Internet browsers are regularly set to accept cookies. In general, you can deactivate the use of cookies at any time via your browser settings. Please use the help functions of your internet browser to find out how to change these settings. Please note that some functions of our website may not work if you have disabled the use of cookies.


Storage duration and cookies used:

Insofar as you allow us to use cookies through your browser settings or consent, the following cookies may be used on our websites:

  • fonts-loaded (365 days)
  • cookies-accepted (365 days)
  • pk_id (365 days)
  • pk_ses (30 minutes)
  • Insofar as these cookies may (also) affect personal data, we inform you about this in the following sections.

You can delete individual cookies or the entire cookie inventory via your browser settings. In addition, you will receive information and instructions on how to delete these cookies or block their storage in advance. Depending on your browser provider, you will find the necessary information under the following links:


Art and purpose of processing:

Your data will be used exclusively to send you the subscribed newsletter by e-mail. Your name is required in order to be able to address you personally in the newsletter and, if necessary, to identify you if you wish to exercise your rights as a data subject.


To receive the newsletter, it is sufficient to provide your e-mail address. When registering to receive our newsletter, the data you provide will be used exclusively for this purpose. Subscribers may also be informed by e-mail about circumstances relevant to the service or registration (for example, changes to the newsletter offer or technical circumstances).


For an effective registration we need a valid e-mail address. In order to verify that a registration is actually made by the owner of an e-mail address, we use the “double opt-in” procedure. For this purpose, we log the order of the newsletter, the sending of a confirmation e-mail and the receipt of the response requested herewith. No further data is collected. The data is used exclusively for sending the newsletter and is not passed on to third parties.


Legal basis:

On the basis of your expressly given consent (Art. 6 para. 1 (a) GDPR), we will regularly send you our newsletter or comparable information by e-mail to your specified e-mail address.

You can revoke your consent to the storage of your personal data and its use for sending the newsletter at any time with effect for the future. You will find a link to this effect in every newsletter. In addition, you can also unsubscribe directly on this website at any time or inform us of your revocation using the contact option provided at the end of this data protection notice.



The recipients of the data are, where applicable, order processors.


Storage period:

The data will be processed only in this context for as long as the relevant consent is given. After that, it will be deleted.


Provision mandatory or required:

The provision of your personal data is voluntary, based solely on your consent. Without your consent, unfortunately we cannot send you our newsletter.


Contact form

Type and purpose of processing:

The data you enter will be stored for the purpose of individual communication with you. For this purpose, it is necessary to provide a valid e-mail address and your name. This is used for the classification of the request and the subsequent response to the same. The provision of further data is optional.


Legal basis:

The processing of the data entered in the contact form is based on a legitimate interest (Art. 6 para. 1 (f) GDPR).


By providing the contact form we want to enable you to contact us in an uncomplicated manner. The information you provide will be stored for the purpose of processing the request and for possible follow-up questions.


If you contact us to request a quote, the data entered in the contact form will be processed to carry out pre-contractual measures (Art. 6 para. 1 (b) GDPR).



The recipients of the data are, where applicable, order processors.


Storage period:

Data will be deleted no later than 6 months after processing the request.

If a contractual relationship arises, we are subject to the statutory retention periods under the German Commercial Code (HGB) and will delete your data after these periods have expired.

Provision mandatory or required:

The provision of your personal data is voluntary. However, we can only process your request if you provide us with your name, e-mail address and the reason for the request.

Use of Matomo

Type and purpose of processing:

This website uses Matomo (formerly Piwik), an open source software for statistical analysis of visitor access. The provider of the Matomo software is InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand.

Matomo uses so-called cookies, which are text files placed on your computer, to help the website analyze how users use the site.


The information generated by the cookie about your use of the website is stored on a server in Germany.


The IP address is anonymized immediately after processing and before it is stored. You have the option to prevent the installation of cookies by changing the settings of your browser software. We would like to point out that if you change this setting, not all functions of this website may be available.


You can decide whether a unique web analysis cookie may be stored in your browser to enable the website operator to collect and analyze various statistical data.

For more information on the privacy settings of the Matomo software, please see the following link:


Legal basis:

The processing of the data is based on the consent of the user (Art. 6 para. 1 (a) GDPR).



The recipients of the data are, where applicable, order processors.


Storage period:

The data is deleted as soon as it is no longer required for our recording purposes.

In our case, this occurs after the following period: 180 days.


Provision mandatory or required:

The provision of your personal data is voluntary, based solely on your consent. If you prevent access, this may result in functional restrictions on the website.


Revocation of consent:

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.



The tracking tool Matomo can be used to evaluate the behavior of visitors to the website and analyze their interests. For this purpose, we create a pseudonymous user profile.

Embedded YouTube videos

Type and purpose of processing:

On some of our websites, we embed YouTube videos. The operator of the corresponding plugins is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (hereinafter “YouTube”). When you visit a page with the YouTube plugin, a connection to YouTube servers is established. In the process, YouTube is informed which pages you are visiting. If you are logged into your YouTube account, YouTube can assign your surfing behavior to you personally. You can prevent this by logging out of your YouTube account beforehand.


Once a YouTube video is started, the provider uses cookies that collect information about user behavior.

For more information on the purpose and scope of data collection and processing by YouTube, please refer to the provider’s privacy policy, where you will also find further information on your rights in this regard and settings options for protecting your privacy ( Google processes your data in the USA and has submitted to the EU-US Privacy Shield (


Legal basis:

The legal basis for the integration of YouTube and the associated data transfer to Google is your consent (Art. 6 para. 1 (a) GDPR).



Running YouTube automatically triggers a connection to Google.

Storage period and revocation of consent:

Anyone who has deactivated the storage of cookies for the Google Ads program will not be confronted with any such cookies when watching YouTube videos. However, YouTube also stores non-personal usage information in other cookies. If you would like to prevent this, you must block the storage of cookies in the browser.

For more information on data protection at “YouTube,” please refer to the provider’s privacy policy at:


Third country transfer:

Google processes your data in the USA and has submitted to the EU_US Privacy Shield (


Provision mandatory or required:

The provision of your personal data is voluntary, based solely on your consent. If you prevent access, this may result in functional restrictions on the website.

SSL encryption

To protect the security of your data during transmission, we use state-of-the-art encryption methods (e.g. SSL) via HTTPS.

Processors used

The following organizations, companies or persons have been commissioned by the operator of this website to process your data:

Mailchimp® The Rocket Science Group, LLC
675 Ponce de Leon Ave NE , Suite 5000 , Atlanta, GA 30308 USA

Changes to our data protection policy

We reserve the right to adapt this data protection policy so that it always complies with the current legal requirements or to implement changes to our services in the data protection policy, e.g. when introducing new services. The new data protection statement will then apply to your next visit.

Questions for the data protection officer

If you have any questions about data protection, please write us an e-mail or contact the person responsible for data protection in our organization directly:

The State Commissioner for Data Protection in Bavaria
Wagmüllerstraße 18
80538 Munich
+49 89 2126720