Privacy notice
In accordance with the provisions of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG), this declaration is intended to explain to you what personal data (now "data") the Natural History Museum Vienna, Scientific Institution under Public Law, Burgring 7, 1010 Vienna, as the controller ("we"), collects from you or about you, how the data is used and the rights you have in this regard.
The protection of your data is important to us, thus we comply with the legal requirements and process personal data only in accordance with the legal provisions.
We have taken appropriate technical and organisational measures to ensure that all legal requirements under applicable data protection law are observed both by us and by our service providers whom we require in in some areas to process your data (processors).
The permanent technical development of the Internet as well as possible changes in the legal framework may make it necessary to adapt our privacy notice from time to time. We therefore reserve the right to adapt this notice accordingly. All changes apply from the time of publication on our website.
1. Website / Use of this Internet presence
technical partners
In order to operate our website, we use technical partners who support us in the creation and operation of the website. In some cases these partners need access to data in order to carry out their activities; however, they will not process the data unless necessary. Our current partner is Jart GmbH Graf Starhemberggasse 4/31, 1040 Wien.automatic data storage
To enable correct operation of the website it is technically necessary to process certain information. These data are processed to optimize the website, to correct errors, and to protect the website against attacks; therefore, processing is based on the legitimate interest of the controller in accordance with Art. 6 para. 1 lit. f GDPR.The data collected is:
- your browser and browser version
- your operating system
- the referring URL
- the host name and IP address of your device
- date and time of your visit
- the quantity of data sent (upload/download volume).
TLS encryption with https
In order to secure online transmission of data in accordance with the principles of privacy by design and privacy by default, we use TLS (Transport Layer Security), an encryption protocol that strengthens the protection of data. This protection is recognizable by the lock symbol at the left of the Internet address and the use of the https scheme (instead of http).cookies
Our website uses so-called cookies. These are small text files that are stored on your end device through the browser. They do not cause any damage, no personal data such as your name or address is stored and we cannot identify you on the basis of this information.There are different types of cookies: first-party cookies are created by our website, third-party cookies are created by other websites (e.g. Google Analytics).
Cookies are also classified according to their category, e.g. essential cookies to ensure basic website functions or targeted cookies to improve the user experience.
We use cookies to make our website more user-friendly. Cookies enable us to recognize your browser on your next visit, but we cannot identify you.
When you visit our website, we generally ask for your consent in accordance with Art. 6 para. 1 lit. a GDPR to set non-necessary cookies. Please note that the functionality of our website may be impaired if you do not give your consent for the non-necessary cookies. The necessary cookies will be set by us on the basis of the legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR, whereby the legitimate interest is to secure and optimise the web presence. We set the following necessary cookies:
JSESSIONID (session) / Used to distinguish visitors
jart_cookie_consent (180 days) / saves settings for cookies
cookieconsent_status (180 days) / saves settings for cookies
You can change your cookie settings, give or revoke your consent at any time by clicking the "Cookies" button in the footer of our website.
You will find detailed information on the above-mentioned third-party cookies in section regarding the respective service immediately afterwards.
Integrated services
Regarding the integrated services (YouTube, Vimeo, Google Maps and Analytics), your data will be transmitted on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR, which you provide through the click in our cookie banner. We would like to point out that the US are a non-secure third country in terms of data protection law and that you do not have the same rights with regard to your data as in Europe. The US are not subject to an adequacy finding by the European Commission and there are no suitable guarantees with regard to data transfer. By accepting the setting of cookies, you accept in accordance with Art. 49 para. 1 lit. a GDPR that this transmission will nevertheless be carried out. With your consent, the data will be processed by the respective service provider as controller and will not fall within the control or influence of the NHM Vienna.YouTube
The integration of videos on our website is done through YouTube, a service from YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, US.YouTube processes data when you access the YouTube videos on our website. If you have a YouTube account, the data generated in this way can be associated with your personal account. For more information about YouTube's data processing, please visit https://www.google.com/intl/de/policies/privacy/.
YouTube sets the following cookies (if you have permitted them):
APISID (2 years)
CONSENT (20 years 1 month)
HSID (2 years)
LOGIN_INFO (2 years)
PREF (8 months)
SAPISID (2 years)
SIDCC (3 months)
SID (2 years)
SSID (2 years)
VISITOR_INFO1_LIVE (8 months)
YSC (session)
Vimeo
The integration of videos on our website is done through Vimeo, a service from Vimeo Inc. 555 West 18th Street, 10011 New York US.Vimeo processes data when you view Vimeo videos on our website. If you have a Vimeo account, the data generated in this way can be associated with your personal account. For more information about how Vimeo processes data, please visit https://vimeo.com/privacy. Vimeo sets the following cookies (if you have permitted them):
player (1 year)
vuid (2 years)
Google Maps
To show you our location, we use Google Maps. For this purpose, Google Maps sets the following cookies (if you have permitted this):CONSENT (20 years 1 month)
HSID (2 years)
NID (1 year)
SAPISID (2 years)
SEARCH_SAMESITE (1 year)
SIDCC (1 year 3 months)
SID (2 years)
SNID (1 year)
SSID (2 years)
Google reCAPTCHA
Google reCAPTCHA collects personal data to ensure that the actions on our website are actually performed by human beings. Therefore, data required by Google for the reCAPTCHA service need to be sent to Google. The reCAPTCHA algorithm checks whether cookies from other Google services are already placed on your browser and sets an additional cookie in your browser.Currently the following cookies are used by reCAPTCHA:
IDE | (1 year) |
1P_JAR | (1 month) |
ANID | (9 months) |
CONSENT | (19 years) |
HSID | (2 years) |
NID | (6 months) |
SAPISID | (2 years) |
Search_SAMESITE | (1 year) |
SID | (2 years) |
DV | (10 minutes) |
SIDCC | (1 year 3 months) |
SNID | (1 year) |
SSID | (2 years) |
Sketchfab
The integration of 3D models on our website is done through Sketchfab, a service from Sketchfab, Inc, 1123 Broadwa, Suite 501, New York, NY 10010, USA, with their European establishment Sketchfab, 99 Rue de La Verrerie, 75004 Paris, France. Sketchfab processes data when you acces to the Sketchfab 3D models on our website. If you have a Sketchfab account, the data generated in this way can be associated with your personal account. For more information about Sketchfab’s data processing, please visit https://sketchfab.com/privacy.Sketchfab sets the following cookies (if you have permitted them):
Internal cookies required to run the Website in the beste possible manner
sb_sessionid | Uniquely identifies the session of the visitors. Allows keeping the session of the user active when logged-in. |
oauth_step | Stores the current step of the OAuth login process the user is in. |
oauth_connected_service | Indicates if the user logged in with a social services (Google, Facebook, Twitter) during the OAuth process. |
skfb_referrer_override | Holds the actual value of the request's referrer, because it can be set incorrectly when using Google, Facebook, or Twitter login. |
sf_show_viewer_hint | Indicates whether to show the overlaid help when the viewer starts. |
sb_theatre_mode | Indicates whether the user has chosen the "Theatre" layout for model pages. |
sf_show_vr_hint | Indicates whether to show the help when entering the VR mode. |
sb_banner_closed | Indicates whether the promotional banner should be displayed. |
sf_volume | Holds the value that the viewer should play the volume at, for models with sound. |
sf_org_models_display | The models in an organization can either be displayed in a grid or a table. This cookie stores the user preference on how to display the models in an organization. |
sb_allows_age_restricted | Indicates the user's preference for displaying restricted models. |
sf_last_news_notification | Indicates which is the latest blog post update a user saw in their newsfeed. |
sb_csrftoken | Protects against Cross-Site Request Forgery security attacks. |
sf_email_confirmed | Indicates whether the user still needs to confirm their email address. |
sb_buy_plan_on_onboarding | Indicates whether the user chose to subscribe to a paid plan as part of their onboarding. |
sf_getting_started_closed | Indicates if the "getting started" block should be closed |
sf_upsell_coupon | Indicates if the user is eligible for a store discount coupon |
sf_gdpr_consend_provided_at | Indicates whether and when the user gave their consent for GDPR |
sf_first_purchase | Indicates if the user is eligible for the "first purchase" Store discount |
Audience measurement cookies
sb_t_us
sb_t_camp
Google Analytics (_gat, _ga, _gid)
Mixpanel
has_mixpanel_last_touch
sb_shareasaleSSCID
AdRoll (__adroll_fpc)
Sendinblue
HubSpot
Spotify
The integration of podcasts on our website is done through Spotify, a service from Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm, Sweden. Spotify processes data when you access to the Spotify podcasts “Im Museum” or “Alexandria” on our website. If you have a Spotify account, the data generated in this way can be associated with your personal account. For more information about Spotify data processing, please visit https://www.spotify.com/at/privacy.Strictly Necessary | These cookies are necessary to allow us to operate the Spotify Service as you have requested. For example, they let them recognise what type of subscriber you are and then provide you with services accordingly. |
Performance / Analytics | Spotify use cookies and other similar technologies to analyse how the Spotify Service is accessed, is used, or is performing. They use this information to maintain, operate, and continually improve the Spotify Service. They may also obtain information from our email newsletters or other communications they send to you, including whether you opened or forwarded a newsletter or clicked on any of them content. This information tells them about their newsletters' effectiveness and helps them ensure that they are delivering information that you find interesting. |
Functional | These cookies let them operate the Spotify Service according to your preferences. For example, when you continue to use or come back to the Spotify Service, they can provide you with their services based on information you provide to them, such as remembering your username, how you have customised their services, and reminding you of content you have enjoyed or listened to on the service previously. |
Targeted Advertising | They use these cookies and other similar technologies to serve you with advertisements that may be relevant to you and your interests, including interest-based advertising. The information may also be used to record how many times you’ve been served a particular advertisement and to ensure we do not display the same advertisement to you repeatedly, and to otherwise help them measure their effectiveness. |
Third Party | They may allow their Business Partners to use cookies or other similar technologies on or outside the Spotify Service for the same purposes identified above, including collecting information about your online activities over time and across different websites, applications, and/or devices. |
Spotify Ads | They work with website publishers, application developers, advertising networks, and service providers to deliver advertisements and other content promoting Spotify on other web sites and services. Cookies and other similar technologies may be used to serve you with advertisements that may be relevant to you and your interests on other websites, applications, and devices, and to regulate the advertisements you receive and measure their effectiveness. |
Forwarding services
For the forwarding services (Facebook, Twitter, Instagram and Google Maps as well as Google Arts & Culture) no data is processed
by us. We only offer you the possibility to call up the respective page of the NHM Vienna faster and directly by clicking
on the respective button. However, this is a simple link through which no data is processed by us. Your data will be processed
directly by the service provder.We would like to point out that the US are a non-secure third country in terms of data protection law and that you do not have the same rights with regard to your data as in Europe. The US are not subject to an adequacy finding by the European Commission and there are no suitable guarantees with regard to data transfer. By accepting the setting of cookies, you accept in accordance with Art. 49 para. 1 lit. a GDPR that this transmission will nevertheless be carried out. With your consent, the data will be processed by the respective service provider as controller and will not fall within the control or influence of the NHM Vienna.
The Instagram Privacy Policy can be found at https://help.instagram.com/519522125107875.
Google Arts & Culture
If you use the Google Arts & Culture button on our website, you will be directed to the website of Google Arts & Culture, a service of Google LLC (Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA) where the data provided by you will be processed and, if you have a Google Account, can be associated with your account.The Google Arts & Culture Privacy Policy can be found at https://policies.google.com/privacy?hl=de
Google Maps
If you want to use functions of the integrated maps (e.g. route planner), you will be forwarded to Google Maps, a service of Google LLC (Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA) where the data provided by you will be processed and, if you have a Google Account, can be associated with your account.The Google Maps Privacy Policy can be found at https://policies.google.com/privacy?hl=de
2. Storage of personal data when contacting us
Data you transmit electronically in order to contact us, such as name, e-mail address, address, telephone number or, if relevant, group type and age, object and discovery details and GPS coordinates or other personal details to the extent relevant for the processing of the enquiry, as well as data contained in the transmission of an e-mail, will only be used by us for the purpose stated in each case, in particular to answer your enquiry.We use your personal data only to process your communication on the basis of your enquiry (legitimate interest according to Art. 6 para. 1 lit. f GDPR whereby the legitimate interest is communication with customers). We will not pass on your personal data without your consent, except if this is necessary for the processing of your inquiry. Furthermore, in the event of illegal behavior, the data may be made available for inspection. Your data may be passed on to transporters (e.g. the Austrian Post) if this is necessary for the fulfillment of the contract with you.
In a (pre-)contractual relationship with the Natural History Museum, e.g. for individual events, the data of contact persons and contractual partners are processed. For this purpose we process name, address, e-mail address and telephone number, on the basis of Art. 6 para. 1 lit. b GDPR for the fulfillment of the contract or, after completion of the contract in accordance with Art. 6 para. 1 lit. c GDPR on the basis of the compliance with legal provisions such as storage obligations.
The data from the contractual relationship are processed until the fulfillment of the contract and beyond this until the expiry of the statutory retention period.
We would like to point out that the transmission of information via the Internet involves risks which we cannot influence or reduce. If you send us data by e-mail, we cannot guarantee secure transmission and the protection of your data. We recommend that you never send confidential data by e-mail without encryption. You are aware of this risk and we are not liable for any loss or unauthorized access outside our sphere.
3. Newsletter
You have the possibility to subscribe to newsletters on current topics, exhibitions, events, invitations to openings or advertising of the NHM Vienna via our website. For this purpose, we need your name, your e-mail address and the information that you agree to receive the newsletter. We process this data on the basis of your consent pursuant to Art. 6 Para. 1 lit. a DSGVO. Once you have registered for the newsletter, we will send you an email to confirm your registration.You can unsubscribe from the newsletter at any time via the link in each newsletter. After receiving your unsubscription, we will not send you any further information on current topics, exhibitions, events, invitations to openings or advertising of the NHM, unless you send us a new request.
The newsletter of the NHM Vienna is sent by e-mail without the involvement of a newsletter delivery service and your data is transferred to the customer database, which is located on the database server of the NHM Vienna.
4. Data storage Webshop
In order to facilitate online purchases we process the IP address of the connection owner, as well as name, address, and email address of the customer.Furthermore, we process payment method, payment status, date of purchase, and purchased goods. These data are necessary for pre-contractual arrangements and the fulfillment of the contract. Your payment details (i.e., depending on means of payment either, name and credit card number or name and bank details) are processed by the payment service provider, mPAY24 GmbH, Grüngasse 16, 1050 Vienna. Data are transmitted to the relevant payment institution for the purpose of debiting the purchase price; these data are not processed by us.
In case the purchase process is aborted, data are deleted immediately. If a contract is concluded, all data from the contractual relationship will be stored until the contract is fulfilled and beyond that time for the duration of the statutory retention periods. The legal basis for the processing is the performance of the contract and the compliance with legal requirements. Your data may be passed on to carriers (e.g., the Austrian Post) if this is necessary for the fulfillment of the contract with you.
5. Job application
In the course of your application, we typically receive your name, your contact details (e-mail, telephone number, and address), your curriculum vitae including the data contained therein and possibly training and job certificates. From receipt of your application, we process your data for the purpose of initiating a contract in accordance with Art. 6 para. 1 lit. b GDPR.In the event of employment, the data will be processed within the scope of the employment relationship and you will be informed separately in detail.
From the time of a rejection, we process your data for a period of 7 months in accordance with Art. 6 para. 1 lit. f GDPR in our legitimate interest to defend ourselves in case of proceedings.