Information on the processing of customer and sponsor data

Information requirements pursuant to Art. 13 GDPR

1    General information

The foundation “Deutsche Stiftung Denkmalschutz” (“German Foundation for Monument Protection”) takes the protection of your personal data very seriously. Your privacy is important to us. We process your personal data in accordance with the applicable statutory data protection requirements for the purposes set out in the following. Personal data within the meaning of this data protection information denotes any and all information that contains a reference to your person.

In the following, you will learn how we handle these data. For ease of reading, we have divided our data protection information into chapters.
The data controller and data protection officer bearing responsibility for data processing is

Deutsche Stiftung Denkmalschutz
Schlegelstrasse 1
53113 Bonn, Germany
Tel. +49 (0) 228 9091 0
Fax. +49 (0) 228 9091 109

Should you have any questions or comments about data protection (for example, with regard to accessing and updating your personal data), you can also contact our data protection officer.

Dr. Christian Lenz
dhpg IT-Services GmbH
Bunsenstr. 10a
51647 Gummersbach
Tel.: +49 (0)2261 8195-0
E-Mail: datenschutz(at)

2    Scope of processing
2.1    Origin and categories of data

We process personal data that we have collected directly from you.
To the extent that this is necessary for the provision of further services, we process personal data lawfully received from other companies or third parties (e.g. credit agencies, address registers). In addition, we process personal data that we have lawfully taken, received or acquired from publicly accessible sources (the press, the Internet and other media sources) and which we are allowed to process. Relevant categories of personal data may include, in particular:

  • Personal data (name, date of birth, place of birth, nationality, marital status, profession/industry and comparable data)
  • Contact details (address, email address, telephone number and other comparable data)
  • Bank and credit card details
  •  Data concerning your use of the telemedia formats we offer (e.g. time of access of our websites, apps or newsletters, our pages/links clicked on or entries and comparable data).

2.2    Purposes and legal basis of the processed data

We process personal data in accordance with the provisions of the General Data Protection Regulation (“GDPR”), the German Federal Data Protection Act as amended (“BDSG-neu”) and other applicable data protection regulations (for details, please see below). Precisely which data are processed in detail and how they are used depends largely on the services applied for or agreed in each instance. Further details of, or supplements to, the purposes of data processing can be found in the respective contractual documents, forms, a declaration of consent and/or other information provided to you (e.g. in the context of use of our website or our Terms and Conditions). 

Purposes for the fulfilment of a contract or pre-contractual measures (Art. 6 [1] [b] GDPR)

Personal data are processed for the purpose of processing your donations and the execution of your orders and to carry out measures and activities in the context of a pre-contractual relationship, e.g. with interested parties. These essentially include: donation-related communication with you, the corresponding billing and associated payment transactions, the verifiability of orders and other agreements, as well as quality control measures in the form of corresponding documentation, goodwill procedures, measures for the control and optimisation of business processes and for the fulfilment of general due diligence obligations, management and control by affiliated companies; statistical evaluations for corporate management purposes, cost recording and controlling, reporting, internal and external communication, crisis management, billing and the tax-related evaluation of operational services, risk management, the assertion of legal claims and defence in the event of legal disputes; measures to safeguard IT security (including system or plausibility tests) and general security, ensuring and exercising building access rights (e.g. through access controls); guaranteeing the integrity, authenticity and availability of data, the prevention and investigation of criminal offences, and control by supervisory or control bodies (e.g. audits).

Purposes within the scope of our legitimate interest or that of third parties (Art. 6 [1] [f] GDPR)

Beyond the actual performance of the contract or preliminary contractual measures, we may process your data if to do is necessary to protect our legitimate interests or those of third parties, in particular, for the purposes of

  • advertising or market/opinion research, insofar as you have not objected to the use of your data;
  • the testing and optimisation of needs assessment procedures;
  • the further development of services and products and of existing systems and processes;
  • the enhancement of our data by means including the use of, or research into, publicly available data;
  • statistical evaluations or market analysis; benchmarking;
  • the assertion of legal claims and defence in the event of legal disputes which are not directly attributable to the contractual relationship;
  • the limited storage of the data if deletion is not possible (or possible only with disproportionate effort due to the special nature of the storage required);
  • the development of scoring systems or automated decision-making processes;
  • the prevention and investigation of criminal offences, insofar as this does not take place exclusively for the fulfilment of statutory requirements;
  • building and facility security (e.g. in the form of access controls), insofar as this extends beyond the general duties of care;
  • internal and external investigations as well as security checks; the possible monitoring by another person or
  •  recording of telephone conversations for quality control and training purposes;
  • obtaining and maintaining certifications issued under private law or of an official nature;
  • safeguarding and exercising house rules through appropriate measures (such as video surveillance) and securing evidence in the event of criminal offences and efforts to prevent them.

Purposes in the context of your consent (Art. 6 [1a] GDPR)

Subject to your consent, your personal data may also be processed for specific purposes (e.g. use of your email address for marketing purposes). As a rule, you may revoke this consent at any time. This applies also to the revocation of declarations of consent given to us prior to the entry into force of the General Data Protection Regulation (GDPR), i.e. prior to 25 May 2018. You will be informed separately in the relevant text explaining consent of the purposes and consequences of revoking or not granting your consent. As a general rule, revocation of consent is only effective for the future. Any processing that takes place before revocation will not affected by it and will remain lawful.

Purposes for the fulfilment of statutory requirements (Art. 6 [1] [c] GDPR) or in the public interest (Art. 6 [1] [e] GDPR)

Just like any entity involved in business, we are subject to a wide range of statutory obligations. These primarily concern statutory requirements (e.g. commercial and tax laws) but may also relate to regulatory or other official requirements. The purposes of processing may include the fulfilment of control and reporting obligations under tax law, the archiving of data for data protection and data security purposes and for the purposes of audits by tax and other authorities. In addition, the disclosure of personal data may become necessary in the context of official/court proceedings for the purpose of collecting evidence, criminal prosecution or the enforcement of civil claims.

The scope of your obligations to furnish us with data

You are obliged to provide only those data that are necessary for the establishment and execution of a business relationship, for a pre-contractual relationship with us, or which we are otherwise legally obliged to collect. Without these data, we will generally not be able to conclude or execute the contract. The same may also be true of data required later in the course of the business relationship. If we should request additional data from you, you will be notified separately that the provision of that information is voluntary.

2.3    Consequences of a failure to provide data

In the context of a business relationship, you must provide the personal data which are deemed necessary for the establishment, execution and termination of the legal transaction and for the fulfilment of the associated contractual obligations or which we are otherwise legally obliged to collect. Without these data, we will not be able to carry out the legal transaction with you.

2.4    Data recipients within the EU

Within our foundation, the internal departments or organisational units which receive your data are those which require them to fulfil our contractual and legal obligations or in the context of the processing and upholding of our legitimate interests.
Your data will only be passed on to external entities

  • in connection with the execution of the contract;
  • for the purpose of fulfilling statutory requirements which oblige us to disclose, report or pass on data; or if the passing on of the data is in the public interest (cf. Section 2.4);
  • insofar as external service companies process data on our behalf as contract data processors or function transferees (e.g. data centres, support/maintenance of EDP/IT applications, archiving, document processing, call centre services, compliance services, controlling, data validation or plausibility checks, data destruction, purchasing/procurement, customer administration, lettershops, marketing, media technology, research, risk controlling, accounting, telephony, website management, auditing services, financial institutions, printing companies or companies providing data disposal, courier or logistics services);
  • on the basis of our legitimate interest or that of the third party in the context of the aforementioned purposes (e.g. to authorities, credit agencies, debt collection companies, lawyers, courts, appraisers, subsidiaries, committees and supervisory bodies);
  • you have given us consent to transfer the data to third parties.

We will not pass on your data to third parties for any other reasons. If we commission service providers to process your data, they will be obliged to apply the same security standards to your data as we do ourselves. In other instances, the recipients may use the data only for the purposes for which they were transferred to them.

2.5    Retention periods

We will process and store your data for the duration of our relationship with you as a donor. This also includes the initiation (pre-contractual legal relationship) and the execution of a contract.
In addition, we are subject to a range of storage and documentation obligations which stem from the German Commercial Code (HGB) and the German Fiscal Code (AO), among others. The periods specified therein for storage and documentation respectively run to the end of the calendar year up to ten years after the end of the business relationship or the pre-contractual legal relationship respectively.
Furthermore, special statutory regulations, such as those governing the preservation of evidence within the scope of statutory limitation provisions, may require a longer retention period. According to Section 195 et seq. of the German Civil Code (BGB), the typical limitation period is three years; however, limitation periods of up to 30 years may also be applicable.
Should the data no longer be required for the fulfilment of contractual or legal obligations and rights, they will be regularly deleted, unless their temporary further processing is required for the fulfilment of those purposes underpinning an overriding legitimate interest. Such an overriding legitimate interest will also exist, for example, if deletion is not possible or is possible only with disproportionate effort due to the special nature of the data storage and if the possibility of processing for other purposes is excluded by appropriate technical and organisational measures.

2.6    Your rights

Under certain circumstances, you may assert your data protection rights against us.

  • You therefore have the right pursuant to the provisions of Art. 15 GDPR (in certain cases also with restrictions pursuant to Section 34 BDSG) to access the information held by us concerning your person.
  • Upon your request and pursuant to Art. 16 GDPR, we will correct the data held by us concerning your person if they are inaccurate or incorrect.
  • Should you so wish, we will delete your data in accordance with the provisions of Art. 17 GDPR, provided that other statutory regulations (e.g. statutory retention obligations or the restrictions set out under Section 35 BDSG) or an overriding interest on our part (e.g. for the defence of our rights and claims) do not preclude such an action.
  • Taking into account the requirements of Art. 18 GDPR, you may request that we restrict the processing of your data.
  • Furthermore, you may object to the processing of your data in accordance with Art. 21 GDPR, whereupon we must cease to process your data. However, this right of objection applies only in the event of very special circumstances pertaining to your personal situation whereby the rights of our foundation may possibly conflict with your right of objection.
  • You also have the right under the provisions of Art. 20 GDPR to receive your data in a structured, commonly available and machine-readable format or to have them transferred to a third party.
  • Furthermore, you have the right to revoke your consent to the processing of personal data at any time with effect for the future (cf. Section 2.3).
  • Furthermore, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). However, we recommend that any complaint is always directed to our data protection officer in the first instance.

Your applications to exercise your rights should, where possible, be addressed in writing or by email to the address stated above or directly in writing or by email to our data protection officer.

Special reference to your right of objection pursuant to Art. 21 GDPR:

You have the right to object at any time to the processing of your data on the basis of Art. 6 (1) (f) GDPR (data processing on the basis of a balancing of interests) or Art. 6 (1) (e) GDPR (data processing in the public interest) if there are grounds arising from your particular situation that support such action.

This applies also to profiling based on this provision within the meaning of Art. 4 (4) GDPR. Should you object, we will no longer process your personal data unless we can demonstrate compelling legitimate reasons to do so which override your interests, rights and freedoms or if the processing serves the purposes of asserting, exercising or defending legal claims.

We may also process your personal data for direct marketing purposes. Should you not wish to receive advertising, you have the right to object to this at any time; this applies also to profiling to the extent that it is associated with such direct advertising. We will comply with this objection with effect for the future. We will no longer process your data for direct marketing purposes if you object to their processing for such purposes.

An objection can be submitted in any form of your choice and should if possible be addressed to
Deutsche Stiftung Denkmalschutz, Schlegelstrasse 1, 53113 Bonn, Germany, tel. +49 (0) 228 9091-0,

You also have the option of contacting the abovementioned data protection officer or a data protection supervisory authority to lodge a complaint.

The competent data protection supervisory authority in our case is:

The State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia
Kavalleriestr. 2-4
40213 Düsseldorf
Telefon: +49 (0)211  38424-0
Fax: +49 (0)211 38424-10