Data Privacy Statement

Universalmuseum Joanneum GmbH


The protection and security of personal data is of the highest priority for the Universalmuseum Joanneum GmbH with its subsidiaries Kunsthaus Graz GmbH, Service-Gesellschaft, Steirischer Landestiergarten GmbH and Simbawelt GmbH. For this reason, we strictly adhere to the rules of the EU-DSGVO and the Data Protection Adaptation Act of 2018.

The company data protection officer at the Universalmuseum Joanneum GmbH can be reached at

In the following section we inform you which data of yours are collected during your visit to our website or as a part of other services (making contact, newsletter, social media, advertising) and how they are used.

Data processing

Transmitted personal data (name, address, birth date, email address, telephone number) are electronically saved and processed by the Universalmuseum Joanneum GmbH for purposes chosen by you.

Depending on the reason and type of transmission of personal data, they are processed solely for said purpose. When an annual pass or membership of the Club Joanneum is ordered, the personal data is processed solely for transacting the business (ticket for the exhibition or membership card for the Club Joanneum [= Museum Joanneum]). When participating in competitions, as well as ordering monthly programmes and/or the newsletter, personal data are processed solely for these purposes.

When you visit our website, the web server automatically creates log file entries which cannot be allocated to any specific person. This data contains, for example, the browser type and version, the operating system used, the referrer URL (the previously visited page), IP address of the requesting computer, access date and time of the server and client request (file name and URL). This data is anonymised and collected solely for the purpose of statistical evaluation. The data is not passed on to third parties, whether for commercial or non-commercial uses.

We collect this data on account of our legitimate interest (see Art. 6 Para. 1 lit. f. DSGVO) and store it as ‘server log files’ on the website server. The server log files are stored for a maximum of one week and then deleted. If data must be retained as evidence, e.g. to clarify security breaches, they are exempt from deletion until such time as the incident has been finally clarified.

Usage of personal data

Personal data is only collected or processed to the extent that is contractually or legally required for the purposes of the business transaction and provided you communicate this information voluntarily, e.g. as part of a request. 


Your data is not disclosed to third parties, unless such disclosure of data is required by law.

Consent to further use

Any further use of data other than is required legally or contractually, such as for advertising material, for example (information by post, email or other electronic media for monthly programme by post and/or by email and newsletter) is prohibited, unless you have expressly given your consent to this during registration.


Provided no essential reasons exist in connection with a business transaction, you can at any time retract in writing permission previously granted for the processing and storing of your personal data, unless the processing and storage of the same is necessary due to legal requirements.

The retraction is to be directed to the following email address:  

or by post to:

Universalmuseum Joanneum GmbH


Mariahilferstraße 2-4, 8020 Graz

Duration of usage:

The duration of usage of personal data depends upon the type and purpose of the usage, as well as on the legal requirements concerning (tax-related and other) storage periods.

Provided no legal basis for processing your data exists, or no declaration of consent exists, your personal data is automatically deleted.

Information, rectification and deletion of your data

You can inquire in writing to us at any time as to whether and which personal data concerning yourself is stored with us. You will receive a corresponding response to this inquiry within the legal time limits. Should you wish your personal data to be rectified or deleted, please write your request to the following email address:

or by post to:

Universalmuseum Joanneum GmbH


Mariahilferstraße 2-4, 8020 Graz

Data security

The security of your data in our systems is very important to us. Our aim is to manage your data with the utmost care and to take all necessary technical and organisational security measures to protect your personal data from loss and misuse.

Access to our website is secured via HTTPS if your browser supports SSL. This means that communication between your terminal device and our servers is encrypted. Should you wish to contact us or our employees by email, we wish to point out that the confidentiality of the information transmitted is not guaranteed. Due to their technical design, the content of emails can be viewed by third parties unless special technical security measures are taken. To ensure adequate information and system security and to detect malware, we store log data on email traffic. When you send an email to one of our addresses, the following data is logged: Email and IP address of the recipient and the sender, number of recipients, subject, date and time of receipt by the server, file name of any attachments, size of message, risk classification for spam and delivery status. In a first step, emails are checked automatically. Only in the case of suspicion of a threat to the security of the IT systems are individual emails checked manually by responsible persons.

Note regarding Google Analytics

Our website uses Google Analytics 4 (GA4), a web analysis service of Google Inc. (‘Google’). Google Analytics uses so-called ‘cookies’ i.e. text files which are saved on your computer and which enable an analysis of your use of the website. The information about your use of this website (including your IP address) produced by the cookie is transferred to a Google server in the USA and stored there. Google will use this information in order to evaluate your use of the website, to compile reports on website activities for website operators and to provide more services connected to usage of websites and of the internet. Google may also transfer this information to third parties so long as this is legally required or to the extent that third parties process this data on behalf of Google. Under no circumstances will Google link up your IP address with other data of Google Inc.

In GA4, data is stored for a maximum of 14 months. The limited storage period thus eliminates the possibility of a comparison being made with historical data.

You can prevent the installations of cookies by setting your browser software accordingly; however, we draw your attention to the fact that in this case you may not be able to use all functions of this website to their full extent. By using this website, you give your consent to the processing of the data gathered about you by Google in the manner outlined above and for the purpose previously described.


On several of our pages we use so-called ‘session cookies’, in order to facilitate your use of our websites. This concerns small text files which are deposited on your hard disk for the duration of your visit to our website, and which, depending on the setting on your browser programme, are deleted again once the browser is closed. These cookies do not retrieve any information about you stored on your hard disk, and do not adversely affect your personal computer or your files. Most browsers are set in such a way that they automatically accept cookies. You can, however, deactivate the saving of cookies, or set your browser in such a way that it notifies you of the sending of cookies.

You can deactivate cookies that do not require your consent at any time via the Cookie Content Manager on our website. However, we wish to point out that this may affect the display of external content on our website.

Social media plugins

Social media plugins from,, and are used on our website. You can recognise this by the corresponding logo of the provider. A connection is automatically established with the respective server of the provider as soon as you visit a page on which such a logo appears.

The provider thus learns which specific page you are visiting. The website operator has no influence over which data is transmitted to the provider concerned. This data transmission takes place independently of an active click on the plugin.

If you should be logged in to Facebook, Twitter, Instagram or at the same time, the plugin can establish a concrete connection with your account.

As soon as you post a comment on the website or give a ‘like’ via this plugin, it transmits the information to the provider and links it to your account. You can prevent this by logging out of your account with the provider before using the plugin.

Concerning social media plugins, the privacy policy of the respective provider applies.

Social media channels

We maintain online presence within social networks and platforms in order to communicate with the customers, interested parties, partners and users active there and to be able to inform them about our services.

The processing of the users’ personal data is based on our legitimate interests in effectively informing users and communicating with them in accordance with Art. 6 (1) lit. f. DSGVO. DSGVO. If users are asked by the respective providers of the platforms for consent to the mandatory data processing, the legal basis of the processing is Art. 6 Para. 1 lit. a., Art. 7 DSGVO.

We wish to point out that, as the creators of the online presence, we do not make any decisions regarding the processing of user data and all other information resulting from Art. 13 of the DSGVO, including the legal basis, the identity of the responsible party and the storage period of cookies on user end devices. These are determined by the providers independently.

We wish also to point out that user data may be processed outside the European Union. This may result in risks for users, because it could make it more difficult to enforce the rights of such users, for example.

Furthermore, user data as a rule is processed for market research and advertising purposes. For example, usage profiles can be created from the usage behaviour and resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements within and outside the platforms that presumably correspond to the interests of the users. For these purposes, cookies are as a rule stored on the users’ computers, in which the usage behaviour and users’ interests are stored. Furthermore, data can also be stored in the user profiles independently of the devices employed by the users (especially if the users are members of the respective platforms and logged in to them).

For a detailed description of the respective processing and the opt-out possibilities, please refer to the providers’ information linked below.

In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively through the providers. Only the providers have access to users’ data and can take appropriate measures and provide information directly. However, it is noted that data subjects – notwithstanding the above recommendation – can assert their data protection rights against any individual data controller, i.e. against any party.

Facebook, -pages, -groups, (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)

Data privacy statement:

Google/ YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)

Data privacy statement:

Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA)
Data privacy statement:  

Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA)
Data privacy statement:,.

TripAdvisor (TripAdvisor Inc., 400 1st Avenue, Needham, MA 02494 USA)
Data privacy statement:


You have the option of registering for our newsletter directly on our website. To do this, we collect your email address, name, form of address and newsletter preferences.

You will receive all further information directly when you order the newsletter. As soon as you have registered for the newsletter, we will send you a confirmation email with a link to confirm your registration. You will only receive the newsletter after confirmation. If no confirmation is received, your data will be deleted.

Your consent can of course be revoked at any time, either directly via the Unsubscribe link in each newsletter or by sending an email to datenschutz@museum

Participation in a prize draw

As part of a competition, personal data (in particular name, date of birth, address, email address, telephone number) is collected in order to check compliance with the conditions of participation (e.g. compliance with the minimum age) and to enable contact to be made and possibly the dispatch of a prize after the winners have been drawn.

The legal basis is your consent, as in accordance with Art. 6 Para. 1 lit. a DSGVO, to the processing of your data within the scope of participation in the prize draw. You can revoke your consent at any time without reasons given.

In the context of newsletter competitions, you will be informed that the newsletter registration also leads to an automatic participation in the prize draw. This is done out of our legitimate interest in accordance with Art. 6 Para. 1 lit. f DSGVO in increasing newsletter subscriptions, addressing potential customers in the future and marketing products and services. Should you not wish to do so, you can object to participation in the prize draw at any time and you will not be included in the draw.

Personal data will be stored for as long as is necessary for the purposes for which they are processed, as long as there are legal requirements to retain them or as long as they appear necessary for the assertion, exercise or defence of legal claims.

You can send your cancellation or objection to

Contact inquiry

If you make contact with us via one of the options on offer (e.g. by contact form, telephone, email or social media), your data (name, contact data, reference and inquiry) are processed for the purpose of handling and answering your inquiry. The processing is carried out for the fulfilment of (pre-)contractual measures or based on our legitimate interest in processing and answering the inquiries of customers, interested parties and partners. Your data will be stored for the time taken to handle said inquiry and beyond that for a maximum of three years. This data will not be passed on to third parties without your consent.

Applicants’ platform

For the purpose of processing the enquiry and handling the application procedure as well as filling vacancies within our company, we process the personal data provided by you such as name, title, address, telephone number, date of birth, education, work experience, salary expectations and those data and images contained in the covering letter, CV, certificates or other documents sent. This is done on the basis of (pre-)contractual measures in accordance with Art 6 Para 1 lit b DSGVO.

We wish to point out that you may be contacted by employees by telephone and/or email in order to ensure that the application process runs smoothly. You affirm that all information provided is true and correct. False statements, even after possible employment, may lead to dismissal.
Your data will in principle only be forwarded to the internal departments and specialist departments of our company responsible for the specific application procedure. Your personal application data will not be passed on to third parties.

If the Universalmuseum Joanneum GmbH concludes an employment contract with an applicant, the transmitted data will be stored for the purpose of processing the employment in compliance with the statutory provisions.

If no employment contract is concluded with an applicant, the application documents will be automatically deleted six months plus a one-month statutory objection period after the applicant has been notified of and received the decision to turn down said application.

Apps and WLAN

For our digital admission tickets (Annual Pass, Museum Joanneum, KIOER) the separate data protection declarations attached to the apps apply.

When ordering our school ticket ‘Echt Klasse!’, you agree to the attached data protection statement.

At some locations, we provide you with free WIFI via our contracted service provider Citycom Telekommunikation GmbH. The terms and conditions, terms of use and data protection declaration of Citycom Telekommunikation GmbH that are stated when a person registers for the WLAN apply to the use of the same.

Cash register system and access

The personal data you provide for the purpose of purchasing a printed annual pass or Museum Joanneum ticket will be stored in our cash register system Amepheas (AMEPHEAS GmbH, Heiligenstädter Lände 27c (South Entrance), 1190 Vienna, The data is periodically transferred to our central CRM. In this way, access at locations with automated access (gates) is regulated, too.

For online payment when purchasing our products, you will be forwarded to the online payment service provider Unzer (Unzer GmbH, Schöneberger Str. 21 a, 10963 Berlin, contracted by us.

In addition, personal data may be passed on to us when products are purchased via third parties (e.g. booking platforms, travel agencies). This data is required for the fulfilment of the contract. Information on data protection can be found in the respective privacy policy of the provider.

The legal basis for the processing is Art. 6 Para. 1 lit. b DSGVO. Without the provision of the data, we are unable to fulfil the contract.

Personal data is stored for as long as it is necessary for the purposes for which it is processed, and also for as long as there are statutory obligations in terms of preserving records or these appear necessary for the assertion, exercise or defence of legal claims.

Notification of data of third parties

You ensure that you inform third parties whose data you disclose to the Universalmuseum Joanneum GmbH about the processing of their personal data by the Universalmuseum Joanneum GmbH and also that you obtain any necessary consent. For example, when purchasing an annual pass or Museum Joanneum ticket as a gift, for example via our print@home-Angebot.


The following data is processed from donors and potential donors: name, date of birth, address, contact details, donation history and communication history.

The purpose of the data processing is to contact donors both current and potential and to manage donations made. If your donation is to be taken into account in the automated employee tax assessment, the name and dates of birth must be provided for transmission to the Austrian tax office. If this information is not provided, the donations cannot be included as special expenses for tax purposes.

The legal basis for this data processing is a legitimate interest within the meaning of Art 6 Para 1 lit f DSGVO for the acquisition of donations by gaining new donors as well as winning them back; the fulfilment of a contract within the meaning of Art 6 Para 1 lit b DSGVO; and the fulfilment of a legal obligation within the meaning of Art 6 Para 1 lit b DSGVO (Bundesabgabenordnung, Museumsordnung). Your data will be stored for the duration of the legal period for the preservation of records.

Photo, sound and film recordings as part of our events

We wish to point out that photos and any sound and film recordings made during the event may be used by the Universalmuseum Joanneum GmbH for an unlimited time and place for the purpose of documenting, informing and reporting on the event and may also be published for these purposes in print publications, on the website, in newsletters and social media.

In addition, your data will be passed on to internal departments (IT, marketing, visitor service) and contracted processors who must receive it for production, processing and publication purposes, as well as to third parties (especially the media) for the purpose of information and reporting. The data will not be passed on to recipients who pursue their own interests with this data. In the case of social media channels, however, the respective social media service may receive the right to use the published data.
Processing, publication and disclosure is based on our legitimate interest in the sense of Art 6 Para 1 lit f DSGVO as well as §§ 12, 13 DSG to present our activities and to carry out public relations work and thus to increase our name recognition in public. You have the right to object to the processing. The objection can be directed to the responsible persons or photographers on site or to

When producing and using photos, we take care to protect the rights and freedoms of the persons concerned. In particular, we provide information in advance through a reference in invitations and directly on site.

We take care to ensure that no legitimate interests of persons depicted are violated. If the rights and freedoms of a person depicted are violated for reasons that especially require consideration, we will take appropriate measures to refrain from further processing. A deletion in print media that have already been issued cannot take place. Deletion on the website or in social media channels will take place to the extent it is technically possible.


In the course of managing the event, we process, in addition to your master and contact data, your acceptance or cancellation of an event, the event participation, the invitation and participation history as well as information voluntarily provided for participation (e.g. food preferences, allergies/intolerances, physical limitations). The legal basis for the data processing is Art 6 Para 1 lit f (your consent) and Art 6 Para 1 lit f (legitimate interests of the responsible party) DSGVO. Our legitimate interests lie in the timely and appropriate organisation, holding and follow-up of the event, the fulfilment of corresponding participant requests and the alignment of marketing strategies. These strategies set out to gain customers, the goal being to enter into a (pre-)contractual relationship. Special categories of personal data (e.g. allergies, physical limitations) are processed solely on the basis of your voluntary consent.

Failure to give consent means that special participant requests may not be considered. You can revoke your consent at any time using the contact details provided. Your data will be stored for a maximum of three years after the last contact. Your data may be transferred to contracted processors for the provision of services (e.g. catering, event management, registration of participants, security). Staff assigned to process the contract are obliged to comply with data protection regulations and to delete your data after the contractual service has been fulfilled.

Whistleblowers’ system

The Universalmuseum Joanneum GmbH and its subsidiaries (Kunsthaus Graz GmbH, Service-Gesellschaft, Steirischer Landestiergarten GmbH and Simbawelt GmbH) commit to fostering a culture of transparency, integrity and accountability.

With the help of this whistleblower system based on the whistly software (whistly digital GmbH, Torstr 195, 10115 Berlin,, you have the chance to report compliance violations, breaches of the law and infringements of internal guidelines. You can submit your information either by stating your name and contact details, or anonymously. Either way, your reports will be treated confidentially.

All reports are received by an external office and are thoroughly investigated.

All data harvested by the whistly software (reports, documents and correspondence) are stored on an external server, to which only the reporting office has access.

As a whistleblower, you will receive feedback by email on the internal investigation or the initiation of any follow-up measures, or information on the rejection of the report, latest after three months from receipt of the report.

Externally contracted service providers

The following service providers process data on the basis of our contract, in accordance with a contract data processing agreement:

Website and App annual pass, school ticket ‘Echt Klasse!’
MF Mediate Systems GmbH, Dreihackengasse 20, 8020 Graz

App Museum Joanneum
FRAISS IT GmbH, Herrengasse 9, A-8010 Graz

Axtesys GmbH, Albrechtgasse 9, 8010 Graz

Citycom Citycom Telekommunikation GmbH, Gadollaplatz 1, 8010 Graz

Cash register system
AMEPHEAS GmbH, Heiligenstädter Lände 27c (Eingang Süd [southern entrance]), 1190 Vienna

Online payment service provider
Unzer GmbH, Schöneberger Str. 21 a, 10963 Berlin

Informants’ system
whistly digital GmbH, Torstr 195, 10115 Berlin

Changes to these data privacy regulations

We shall update these guidelines from time to time for the protection of your personal data. We recommend you look at these guidelines occasionally in order to stay up to date concerning ways in which we protect your data and constantly improve the contents of our website. Should we carry out important changes in the gathering, usage and passing on of the personal data that you have made available to us, we will of course personally draw your attention to this, and/or clearly and visibly notify you of the same on the website. By using our website, you consent to the conditions of these guidelines concerning the protection of personal data.