DE

Privacy Policy

1. General

Information 1.1 What Is Personal Data
? Personal data refers to information that reveals or could reveal a person’s identity. We adhere to the principle of data minimization. We refrain from collecting personal data as much as possible.

1.2 Handling of Personal Data
Personal data is used exclusively for the establishment, content, execution, or fulfillment of the contractual relationship (Art. 6(1)(b) GDPR).

Furthermore, personal data is processed only to the extent that we have obtained your consent (Art. 6(1)(a) GDPR) or where the data in question is necessary for our legitimate interests and provided that a balancing test determines that no overriding interests, fundamental rights, or fundamental freedoms on your part (Art. 6(1)(f) GDPR).

We may use processors to process your personal data, but we will generally not disclose the personal data to third parties beyond that.

To process payments, the payment data required for this purpose will be disclosed to the credit institution commissioned with the payment and, if applicable, to the commissioned and selected payment service provider.
 
1.3 Duration of Storage
We store your personal data after the purpose for which the data was collected has been fulfilled only for as long as is required by law (in particular tax law).


2. Your Rights

2.1 Right of Access
You may request information from us regarding whether we process your personal data, and if so, you have the right to access this personal data and to receive the additional information specified in Article 15 of the GDPR.

2.2 Right to Rectification
You have the right to have inaccurate personal data concerning you rectified and may request the completion of incomplete personal data in accordance with Article 16 of the GDPR.

2.3 Right to erasure
You have the right to request that we erase your personal data without undue delay. We are obligated to erase it without undue delay, particularly if one of the following grounds applies:

 

  • Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  • You withdraw your consent on which the processing of your data was based, and there is no other legal basis for the processing.
  • Your data has been processed unlawfully.

 

The right to erasure does not apply if your personal data is necessary for the establishment, exercise, or defense of our legal claims.

2.4 Right to Restriction of Processing
You have the right to request that we restrict the processing of your personal data if

  • you contest the accuracy of the data and we are therefore verifying its accuracy,
  • the processing is unlawful and you oppose erasure but instead request restriction of use
  • we no longer need the data, but you need it to assert, exercise, or defend legal claims,
  • you have objected to the processing of your data, and it has not yet been determined whether our legitimate grounds override your grounds.

2.5 Right to Data Portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, and you have the right to transmit this data to another controller without hindrance from us, provided that the processing is based on consent or a contract and is carried out by us using automated means.

2.6 Right to Withdraw Consent
To the extent that the processing of your personal data is based on consent, you have the right to withdraw this consent at any time.

2.7 General Information and Right to File a Complaint
The exercise of your rights as described above is generally free of charge for you. You have the right to file a complaint directly with the supervisory authority responsible for us, the State Data Protection Commissioner.

3. Use of an AI-powered assistant

We use an AI-powered chat assistant on this website. It is designed to automatically answer your questions regarding general information about the Stadtgalerie Witten (e.g., opening hours, shops, services, directions, events).

3.1 Provider and Data Processing
The AI service is technically provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). The “Gemini 2.5 Flash” model is used, which is accessed via Google’s Gemini API. A data processing relationship with Google exists in accordance with Art. 28 GDPR based on the “Google Cloud Data Processing Addendum” (CDPA, as of November 8, 2023, available at https://cloud.google.com/terms/data-processing-addendum). The cloud project used is configured as a paid service.

3.2 Processed Data
When using the chat assistant, the following data is processed:

  • the content of your inputs (prompts) as well as the AI responses
  • a technical session ID
  • Your IP address and user agent identifier (browser identification)
  • technical usage data (AI model used, token consumption, timestamps)

Please do not enter any personal or confidential information in the chat. The assistant does not actively request such information and is not intended to handle individual, personal matters.

3.3 Retention
Period The content of your inquiries and the corresponding AI responses are stored in our system for a maximum of 90 days, along with your IP address, session ID, and user agent. After this period expires, these personal fields are automatically anonymized (by overwriting them with NULL values). Only anonymous, aggregated usage and statistical data (model, token, timestamp) remain for a maximum of 24 months for the analysis of usage trends and cost control. After that, these data records are also completely deleted.

3.4 Transfer to the U
.S. Your requests are processed on Google servers in the U.S. The transfer is based on EU Standard Contractual Clauses (SCCs) in the version of Implementing Decision (EU) 2021/914 of the European Commission, which form part of the aforementioned CDPA (Appendix 3, Section 4.1 “Restricted Transfers”) and constitute “appropriate safeguards” within the meaning of Article 46(2)(c) of the GDPR.

3.5 No Training of AI Models
Since we use the service as a paid service, the content processed in the context of our requests (prompts and responses) is not used by Google for training or improving the AI models. This assurance is derived from the “Gemini API Additional Terms of Service” (https://ai.google.dev/gemini-api/terms).

3.6 Legal
Basis The legal basis for the use of the chat assistant is Article 6(1)(f) of the GDPR. Our legitimate interest lies in providing you with a modern, accessible information service and improving our services. Upon consideration, it appears that no overriding interests on your part stand in the way, as no personal data is used for profiling and you use the assistant voluntarily.


4. Contacting

Us If you have any questions regarding data protection, please feel free to contact us using the contact options below. Data controller within the meaning of the GDPR:

Phoenix Verwaltungsgesellschaft GmbH & Co. KG
Annaberger Str. 28
53175 Bonn

+49 (0) 23 02 / 2 05 93 55
+ 49 (0) 23 02 / 2 77 00 87

The Data Protection Officer is Lion Bielefeldt

Tel.: +49 (0) 22 8 / 81 28 73 -0