Data privacy
Below we inform you about the processing of personal data when using our websites themuseumslab.org and hub.themuseumslab.org (together the “TheMuseumsLab online offerings”), in accordance with the requirements of the General Data Protection Regulation (GDPR).
1. Controller
Museum für Naturkunde Berlin
Invalidenstr. 43
10115 Berlin
Represented by:
Prof. Johannes Vogel, PhD, Director General
Tel.: +49 30 889140 – 8544
E-mail: johannes.vogel@mfn.berlin
and
Stephan Junker, Managing Director
Tel.: +49 30 889140 – 8330
E-mail: stephan.junker@mfn.berlin
2. Data Protection Office
Data Protection Officer of the Museum für Naturkunde Berlin
Tel.: +49 30 889140 – 8440
E-mail: datenschutz@mfn.berlin
3. Hosting and Infrastructure
Our website is provided by the service provider Vercel Inc. (440 N Barranca Avenue #4133, Covina, CA 91723, USA).
Data processed:
- IP address
- Date and time of the request
- Accessed URL/route
- Referrer
- Browser and operating system information (user agent)
- Technical request/response metadata
- Error and server logs
Purpose of processing:
- Secure, stable, and efficient provision of the website
- Protection against attacks (DDoS protection)
- Error analysis
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in the secure and efficient provision of the website).
Recipients: Vercel Inc. as a processor (DPA including Standard Contractual Clauses, EU-US Data Privacy Framework certification). Information on sub-processors can be found at https://vercel.com/security.
Storage period: Logs within the scope of Observability Plus for up to 30 days.
Regions: CDN/edge worldwide, including server locations in the EU (Frankfurt).
4. Analytics and Performance Services
a) Vercel Web Analytics (cookie-free, anonymous)
Data collected: accessed URL/route, referrer, country/region (ISO code), browser/OS/device type, timestamp, visitor count via hash
Storage: sessions are discarded after 24 hours
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in anonymous reach measurement).
b) Vercel Speed Insights
Data collected: loading times, network speed, browser/OS/device type, country (ISO code), timestamp
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in optimising stability and performance).
c) Matomo (cookieless tracking)
We use the open-source analytics tool Matomo on servers under our control.
Public website (themuseumslab.org)
Data categories
- Accessed pages (URL, title)
- Pseudonymised IP address (shortened)
- Referrer URL
- Browser, operating system and device type
- Date and time of access
Purpose
Usage analysis and optimisation of themuseumslab.org.
Legal basis
Art. 6 (1) (f) GDPR (legitimate interest in usage analysis and optimisation of the website).
Recipients / transfer
No transfer to third parties. Processing takes place exclusively on servers under our control.
Storage
Data are stored only as long as necessary for statistical evaluation and then deleted or anonymised.
TheMuseumsLab Hub (hub.themuseumslab.org)
For logged-in users of the Hub we additionally use a pseudonymous user ID in Matomo.
Additional data categories on the Hub
- Pseudonymous user ID (internal account/profile ID; no name or e-mail address)
- Information on the use of Hub functions (e.g. accessed areas, interactions) linked to this user ID
Purpose
Usage analysis and optimisation of the Hub, ensuring stability and security, evaluation of the use of Hub functions.
Legal basis
Art. 6 (1) (f) GDPR (legitimate interest in operation, optimisation and security of the Hub).
Recipients / transfer
Processing takes place exclusively on servers under our control; no transfer of Matomo data to third parties.
Storage
Data are stored only as long as necessary for the purposes described and then deleted or anonymised.
Right to object
You may object at any time, on grounds relating to your particular situation, to the processing of your data for Matomo analytics on the basis of Art. 6 (1) (f) GDPR (Art. 21 GDPR). In particular, users of the Hub can request deactivation of analytics for their account using the contact details above.
5. Newsletter
We offer the option to subscribe to our newsletter.
Service provider: CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany
Data processed:
- E-mail address
- Name (if provided)
- IP address and time of registration (proof of double opt-in)
- Statistical data on openings, clicks, technical information (browser, time)
Purpose:
- Sending and managing newsletters
- Proof of lawful registration
- Statistical evaluation for optimisation
Legal basis: Art. 6 (1) (a) GDPR (consent).
Withdrawal: possible at any time via the unsubscribe link in the newsletter.
Recipient: CleverReach GmbH & Co. KG, Germany (data processing agreement concluded pursuant to Art. 28 GDPR).
Storage period: until unsubscription; afterwards deletion or anonymisation, unless statutory retention obligations apply.
6. Embedded Third-Party Content
a) YouTube
We embed videos from the YouTube platform (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).
Privacy-friendly integration (“two-click solution”):
By default, no YouTube content is loaded and no data is transmitted. Only once you have expressly consented to the display of YouTube content will the videos be loaded, and data (e.g. IP address, referrer, browser information) will be transmitted to YouTube/Google.
Legal basis: Art. 6 (1) (a) GDPR (consent).
Withdrawal: You may withdraw your consent at any time with effect for the future via the consent banner or the settings on our website.
Further information on data protection at YouTube can be found here: https://policies.google.com/privacy
7. Rights of Data Subjects
Under the GDPR, you have the following rights:
- Access to your stored data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure (“right to be forgotten”, Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
- Withdrawal of consent with effect for the future (Art. 7 (3) GDPR)
To exercise your rights, please contact the controller named above or the Data Protection Officer.
8. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data is unlawful. In particular, the competent authority is the Berlin Commissioner for Data Protection and Freedom of Information.
9. Security
We implement technical and organisational measures to protect your data against loss, misuse, or unauthorised access.
Our website uses TLS encryption (https), ensuring that transmitted data cannot be read by third parties.
10. Currency and Amendments to this Privacy Policy
This Privacy Policy is currently valid (as of September 2025).
We reserve the right to amend this Privacy Policy in order to adapt it to technical developments or changes in legal requirements.
11. Scope and External Links
This Privacy Policy applies to the online offerings of the Museum für Naturkunde Berlin.
Where our pages refer or link to third-party websites, we assume no responsibility or liability for the accuracy or completeness of the linked content or for the data security of the linked websites.
The linked content was checked for possible legal violations at the time of linking. However, continuous monitoring of the content of linked pages is not reasonable without specific indications of a legal infringement. Should linked content violate applicable law or contain inappropriate material, we kindly ask you to notify us.
We have no influence on the compliance of third parties with data protection regulations. Please therefore consult the respective Privacy Policies of the external providers.