Privacy Policy - Moesgaard Museum

Table of Content

  1. Why did we create this privacy policy?
  2. Datacontroller and contact information
  3. From where do we collect personal data about you?
  4. Purpose, types of personal data, legal basis and deletion
  5. To whom do we disclose your personal data?
  6. To whom do we entrust your personal data?
  7. Do we transfer your personal data to unsafe third countries?
  8. If you visit our profiles otherwise social media pages
  9. What rights do you have?
  10. Do you have questions and do you want to exercise your rights?
  11. Links to other websites
  12. Changes to the Privacy Policy

 

Version 1: Edited 1. january 2024

1. Why did we create this privacy policy?

At Moesgaard Museum ("Moesgaard", "we", "us" or "our"), we prioritize privacy and data security. This privacy policy applies to our processing of personal data and sets out guidelines for Moesgaard's way of processing your personal data and provides you with the information that you are entitled to receive under applicable data protection legislation. You should read the privacy policy before providing your personal data to Moesgaard.

2. Data controller and contact information

The data controller of your personal data is:
Moesgaard Museum
Adress: Moesgaard Alle 20, 8270 Højbjerg
CVR no.: 39881012
Email: info@moesgaardmuseum.dk
Phone number: 87394000

3. From where do we collect personal data about you?

Moesgaard may potentially collect and process personal data about you from the following sources:

  • Directly from you.
  • Video surveillance.
  • From other visitors.
  • License plate recognition.
  • From your employer if you are an employee of one of our business partners or suppliers.

4. Purpose, types of personal data, legal basis and deletion

Moesgaards's processing of personal data will depend on your purchases, your interaction, consents given, and behavior. Therefore, you should start by reading the column "Which people are covered?" to clarify whether the processing activity, the purposes in question, types of personal data, legal bases and deletion deadlines are relevant to you:

   

Cookies, pixels and social plug-ins.


Which people are covered?
Website visitors who have provided consent via the cookie banner.

For what purposes is the personal data used?

Marketing, statistics, preferences and features.
You can read more about the purposes via the cookie banner.

What types of personal data are used?

User ID, geographical location, interests, IP address, operating system, browser type, device type, behavior on the website, MAC address, click behavior, interaction with ads, completed data upon purchase, and search history.

What is the legal basis for the processing?

The processing of personal data in relation to necessary cookies takes place on the basis of an contract to be able to use the functions of the website (Article 6(1)(b) of the GDPR).

The processing of personal data in relation to statistical and preference cookies takes place as a result of our legitimate interest in offering you the best possible products and services (Article 6(1)(f) of the GDPR).
The processing of personal data in relation to marketing cookies, including on the basis of your preferences, takes place on the basis of your prior consent (Article 6(1)(a) of the GDPR).
In addition, we always obtain a valid cookie consent in accordance with the Executive Order on Cookies before cookies are placed via your terminal equipment.

When will the personal data be deleted?

See the cookie banner where the deletion periods (expiration periods) are indicated.
You can open the cookie banner by clicking the button in the lower left corner of the site.

_____________

Video surveillance.

Which people are covered?

Visitors and suppliers.

For what purposes is the personal data used?

Create security, to prevent crime and secure evidence for use in police investigations.

What types of personal data are used?

Pictures of your whereabouts and, in some cases, criminal information in the event of theft or other crimes.

What is the legal basis for the processing?

Pursue our legitimate interest in creating security, preventing crime, and securing evidence for use in police investigations (Article 6(1)(f) of the GDPR and section 8(3) of the Danish Data Protection Act).

When will the personal data be deleted?

30 days from the moment of recording.

 

_____________

 

License plate recognition for parking and entrances.

Which people are covered?

Visitors at entry and exit.

For what purposes is the personal data used?

Payment and registration of parking.

What types of personal data are used?

License plate and payment information.

What is the legal basis for the processing?

To enter into a contract on payment of parking (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?

30 days from exit.

However, information may be stored for up to 3 years after exit if payment has not been made correctly or if information is used to establish a legal claim.

_____________

Photos and videos from rides that visitors can purchase.

Which people are covered?

Visitors who have tried a ride where it is possible to buy the photo or video.

For what purposes is the personal data used?

For the purpose of sales and to create memories for visitors.

What types of personal data are used?

Image or video showing the visitor and payment information.

What is the legal basis for the processing?

Legitimate interest in briefly showing the photo or video to other visitors and for the purpose of sale (Article 6(1)(f) of the GDPR).

Enter into a contract on the purchase of the image or video (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?

24 hours from recording.

_____________

Creating a user profile.

Which people are covered?

Users.

For what purposes is the personal data used?

Creating a profile for the purpose of purchasing / registering annual passes / season tickets and tickets as well as to obtain benefits.

What types of personal data are used?

Username, code, name, address, date of birth, picture, discounts, email, and purchase.

What is the legal basis for the processing?

Enter into and comply with a contract (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?

1 year after the user is deleted.

 _____________

Membership/loyalty program.

Which people are covered?

Members.

For what purposes is the personal data used?

Be a member and obtain associated benefits, ensure compliance with membership conditions and administration of membership.

Collection and payment.

Marketing and statistics.

What types of personal data are used?

Name, email, phone number, interests, marketing consent, date of birth, discounts used, payment information and benefits.

What is the legal basis for the processing?

Enter into a contract on membership (Article 6(1)(b) of the GDPR.

Consent to receive marketing (Article 6(1)(a) of the GDPR).
We may also process your personal data on the basis of our legitimate interests in handling e.g. inquiries, conducting marketing, developing existing and new services and products, conducting analyses and statistics of our customer segments, products and services (Article 6(1)(f) of the GDPR).

When will the personal data be deleted?

1 year after termination of membership.
A copy of the consent is kept 2 years after withdrawal of consent or 2 years after termination of membership.

 

_____________ 

Purchase via webshop.

Which people are covered?

People who make purchases through the webshop.

For what purposes is the personal data used?

Fulfil the purchase agreement entered into with you, including to be able to deliver the ordered goods and/or tickets, handle order confirmation, complaints, returns and send terms and conditions.

What types of personal data are used?

Name, address, email, phone, nationality, purchase history, geolocation, IP address, and payment information.

*It may be stated whether or not it is mandatory to provide the information.

What is the legal basis for the processing?

Enter into and comply with the purchase agreement (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?

2 years after last purchase.

However, bookkeeping information will be stored 6 years after purchase in accordance with the Danish Consolidated Bookkeeping Act.

_____________

Conclusion of subscription agreements for season tickets / annual passes.

Which people are covered?

Subscribers.

For what purposes is the personal data used?

Fulfill the subscription agreement entered into with you, including to be able to deliver the ordered goods and/or tickets, handle order confirmations, complaints, returns and send terms and conditions.

What types of personal data are used?

 

Name, address, email, telephone, nationality, purchase history, geolocation, IP address, number of times the card has been used and payment information.

*It will be stated whether or not it is mandatory to provide the information.

What is the legal basis for the processing?

Enter into and comply with a subscription agreement (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?

2 years after last purchase.

However, bookkeeping information will be stored 6 years after purchase in accordance with the Danish Consolidated Bookkeeping Act.

_____________

Physical purchases in the park.

Which people are covered?

Visitors making purchases in the park.

For what purposes is the personal data used?

Conclude agreement on purchase.

What types of personal data are used?

 

Name, date of birth, address, e-mail and possibly photo.

What is the legal basis for the processing?

Enter into and comply with the purchase agreement (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?

2 years after last purchase.

_____________

Newsletter.

Which people are covered?

Persons who have consented to receive newsletters.

For what purposes is the personal data used?

Send marketing as further described in the consent.

What types of personal data are used?

Email, name and phone number.

What is the legal basis for the processing?

Consent (Article 6(1)(a) of the GDPR).

When will the personal data be deleted?

2 years after withdrawal of consent.

_____________

Profiling for marketing purposes.

Which people are covered?

Persons who have consented to receive newsletters.

For what purposes is the personal data used?

Targeted advertising, including by sending personalised emails and newsletters.

What types of personal data are used?

Email, name, click behavior in relation to forwarding material, order history and preferences.

What is the legal basis for the processing?

Legitimate interests in being able to improve and develop our services (Article 6(1)(f) of the GDPR).

When will the personal data be deleted?

As long as your consent to receive newsletters is active.

_____________

Customer service and general communication.

Which people are covered?

People who contact customer service or otherwise communicate with us.

For what purposes is the personal data used?

Handling your inquiry and possibly your order, observing your rights, general communication as well as statistics and analysis.

What types of personal data are used?

E-mail, name, telephone number, what your inquiry relates to, date of inquiry and other information you provide.

We encourage you not to provide sensitive personal data or social security numbers (CPR) to us unless they are strictly necessary for the processing of your inquiry.

What is the legal basis for the processing?

We may process your personal data on the basis of our legitimate interests in handling your inquiry, communicating with you, and developing our products and services (Article 6(1)(f) of the GDPR).
If your inquiry concerns a (potential) conclusion of a contract, we process your data in order to be able to carry out pre-contractual measures (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?

General inquiries and cases are generally stored for 2 years, but the storage time may vary depending on the content of the cases.
Accounting material, including personal data, which we are obliged to store in accordance with the Danish Consolidated Bookkeeping Act, is stored for up to 6 years.

_____________

Season ticket / annual pass.

Which people are covered?

Season ticket holders / annual ticket holders.

For what purposes is the personal data used?

Issue and administer your season pass / annual pass as well as ensure identification when purchasing an annual pass / season pass. Access control.

What types of personal data are used?

Name, address, telephone number, date of birth, and possibly picture.

What is the legal basis for the processing?

To enter into a contract and ensure identification (Article 6(1)(b) of the GDPR). 

When will the personal data be deleted?

2 years after the ticket expires.

_____________ 

Booking of restaurants.

Which people are covered?

Restaurant visitors.

For what purposes is the personal data used?

Create and manage booking.

What types of personal data are used?

Contact information and other information you provide in connection with table reservations

What is the legal basis for the processing?

To enter into an agreement (Article 6(1)(b) of the GDPR). 

When will the personal data be deleted?

1 year after last booking.

_____________ 

Booking of banquet rooms. 

Which people are covered?

Contact person for booking.

For what purposes is the personal data used?

Create and manage booking.

What types of personal data are used?

Name, contact information and other information you provide in connection with booking.

What is the legal basis for the processing?

To enter into an agreement (Article 6(1)(b) of the GDPR). 

When will the personal data be deleted?

1 year after last booking.

_____________

Booking of overnight stays. 

Which people are covered?

Overnight guests.

For what purposes is the personal data used?

Manage the booking and enter into an agreement on accommodation.

To comply with the Passport Executive Order and the Aliens Executive Order.

What types of personal data are used?

Name and contact details, payment details, any special requests or preferences related to your stay, including special dietary considerations.

ID information at check-in. This may include information on name, date of birth, occupation, nationality, permanent residence, date of arrival and type and number of passport or other travel document.

What is the legal basis for the processing?

To enter into and comply with the agreement on booking accommodation (Article 6(1)(b) of the GDPR). 

To comply with our legal obligation to comply with the Passport and Aliens Regulations (Article 6(1)(c) of the GDPR).

When will the personal data be deleted?

3 years after last overnight stay.

_____________

Google custom and lookalike audience.

Which people are covered?

Persons who have consented to receive newsletters and/or marketing cookies.

For what purposes is the personal data used?

Create audiences for subsequent advertising for sales and marketing purposes through banners and advertisements.

What types of personal data are used?

Non-reversible hashed email  address, user ID, geographic location, interests, IP address, MAC address, click behavior, interaction with ads, filled in data upon purchase, and search history.

What is the legal basis for the processing?

Our interest in spreading awareness of our products and services, including in relation to other persons who have similar interests (Article 6(1)(f) of the GDPR).         

If you wish to object to Google, you can do so by controlling your ads on Google services via "Google Custom Match" in your Google Ads settings: https://support.google.com/google-ads/answer/6379332?hl=en.

You can also read more about how Google acts as joint data controller with us. You can read more about their processing of your personal data via this link: https://policies.google.com/privacy?hl=en.

When will the personal data be deleted?

Follows the deletion deadlines for newsletters and cookies.

_____________

Facebook custom and lookalike audience.

Which people are covered?

Persons who have consented to receive newsletters and/or marketing cookies.

For what purposes is the personal data used?

Create audiences for subsequent advertising for sales and marketing purposes through banners and advertisements.

What types of personal data are used?

Non-reversible hashed email  address, user ID, geographic location, interests, IP address, MAC address, click behavior, interaction with ads, filled in data upon purchase, and search history.

What is the legal basis for the processing?

Our interest in spreading awareness of our products and services, including in relation to other persons who have similar interests (Article 6(1)(f) of the GDPR). 

You can object to Facebook by changing your settings on Facebook and disabling "Facebook Custom Audiences and Lookalike Audiences", following the instructions at the following link: https://facebook.com/settings/?tab=ads#

Meta (Facebook) acts as joint data controller with us. You can read more about Facebook's processing of your personal data via this link: https://facebook.com/about/privacy.

When will the personal data be deleted?

Follows the deletion deadlines for newsletters and cookies.

_____________

Competitions.

Which people are covered?

Participants in competitions.

For what purposes is the personal data used?

Enter the contest and sending the prize if you win. Compliance with the conditions of competition.

Announce the winner on social media and the website.

What types of personal data are used?

Name and e-mail as well as any information that you have won. We will also collect your address if you win a prize that needs to be physically shipped.

What is the legal basis for the processing?

Legitimate interest in conducting the competition and possibly publishing your name and sending the prize if you have won (Article 6(1)(f) of the GDPR).

Comply with the competition conditions (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?

1 year after the end of the competition.

_____________ 

Organization of events, tours, events and events.

Which people are covered?

Participants in events, tours, events and events.

For what purposes is the personal data used?

Registration, holding and administration.

What types of personal data are used?

Contact information and information about participation in the event, event, tour or event.

What is the legal basis for the processing?

Enter into an agreement (Article 6(1)(b) of the GDPR). 

When will the personal data be deleted?

1 year after completion of the event.

_____________

Use of images and videos for marketing.

Which people are covered?

Visitors or photos you have uploaded on social media.

For what purposes is the personal data used?

Marketing.

What types of personal data are used?

Photos/videos and contact information.

Your signature and copy of contract.

Copy of consent and copy of consent from your parent or guardian if you are under 15 years old.

What is the legal basis for the processing?

We base the processing of your personal data on our legitimate interest in being able to market ourselves on, among other things, social media and the website in the case of a mood / current image where it is difficult or impossible to identify you. (Article 6(1)(f) of the GDPR). In accordance with the Danish Data Protection Agency's current guidelines, we carry out an overall assessment in order to assess whether publication of the image requires your prior consent.

If the overall assessment shows that publication requires your prior consent or conclusion of a contract, we will obtain this or conclude the contract before using the image or video of you for marketing purposes (Article 6(1)(a) (consent) of the GDPR and Article 6(1)(b) (contract) of the GDPR).

When will the personal data be deleted?

When consent is revoked or when the contract expires.

Storage of mood images depends on the specific situation but is generally not deleted from social media unless you object. See below how you can object.

_____________ 

Injuries.

Which people are covered?

Injured.

For what purposes is the personal data used?

Handle physical damage occurring in the park and defend or establish legal claims.

What types of personal data are used?

Name, address, telephone, e-mail and description of the damage.

Description of the damage may contain sensitive personal data in the form of health information.

What is the legal basis for the processing?

Legitimate interest in handling the damage, including in relation to damages, legal claims and insurance (Article 6(1)(f) of the GDPR).

Establish and defend legal claims where it is strictly necessary to process health data (Article 9(2)(f) of the GDPR).

When will the personal data be deleted?

3 years from completion of claims handling.

_____________

Legal claims, compliance with guidelines/statutes and quarantines.

Which people are covered?

Persons involved in incidents in violation of legislation or internal guidelines/bylaws.

For what purposes is the personal data used?

Defend, exercise and establish legal claims and, in certain cases, exclude persons from future visits or report the matter to the police.

What types of personal data are used?

Description of the incident, which may involve general information, criminal information and, in special cases, sensitive information such as race or health.

What is the legal basis for the processing?

Legitimate interest in establishing, defending, and asserting legal claims, as well as to exclude persons from future visits if the person has acted contrary to guidelines or legislation.

Article 6(1)(f) of the GDPR (general personal data:

Section 8(3) of the Danish Data Protection Act (criminal information).

Article 9(2)(f) of the GDPR (if sensitive information such as race or health is included). 

When will the personal data be deleted?

At the end of the case or 3 years after notification.

The list of expelled persons is kept for as long as the quarantine is in force.

_____________

Broadcast service announcements. 

Which people are covered?

People who have purchased products from us or participated in events, events or similar.

For what purposes is the personal data used?

To inform about your purchase or visit.

What types of personal data are used?

Email or phone number.

What is the legal basis for the processing?

Legitimate interest in informing about a variety of circumstances, including in case of pandemics, practical conditions, cancellations, changes and other significant matters related to the purchase or visit (Article 6(1)(f) of the GDPR).

When will the personal data be deleted?

3 years after last purchase or participation.

_____________

Send satisfaction surveys and market research and generally improve our products and services.

Which people are covered?

People who have purchased products from us, visitors or people who have participated in events or the like.

For what purposes is the personal data used?

Improve our products and services and marketing. In addition, to generally ensure customer satisfaction.

What types of personal data are used?

Contact information, language, nationality and purchase information and satisfaction.

What is the legal basis for the processing?

We base the processing of your personal data on our legitimate interest in being able to keep statistics and analysis in order to develop and improve our products and services and to contact you if your response indicates that you have had a bad experience with us. Participation in the survey is voluntary (Article 6(1)(f) of the GDPR).

When will the personal data be deleted?

3 years after last purchase, visit or participation.

_____________

Issue gift cards.

Which people are covered?

Gift card recipients.

For what purposes is the personal data used?

Register, issue, and manage the gift card.

What types of personal data are used?

Contact information, payment information and content of gift cards.

What is the legal basis for the processing?

Enter into and comply with an agreement on gift cards (Article 6(1)(b) of the GDPR).

Ensure compliance with the Danish Payment Act in relation to electronic gift cards (Article 6(1)(c) of the GDPR).

When will the personal data be deleted?

1 year after gift card expiration.

Accounting material, including personal data, which we are obliged to store in accordance with the Danish Consolidated Bookkeeping Act, is stored for up to 6 years.

_____________

Comply with the Danish Consolidated Bookkeeping Act.

Which people are covered?

Payers.

For what purposes is the personal data used?

Ensure documentation of the purchase in accordance with The Danish Consolidated Bookkeeping Act.

What types of personal data are used?

Transaction Information.

What is the legal basis for the processing?

Legal obligation cf. the Danish Consolidated Bookkeeping Act (Article 6(1)(c) of the GDPR).

When will the personal data be deleted?

Accounting material, including personal data, which we are obliged to store in accordance with the Danish Consolidated Bookkeeping Act, is stored for up to 6 years.

_____________

Sponsorships and contributions.  

Which people are covered?

Sponsor/contributors.

For what purposes is the personal data used?

Manage the sponsorship and issue invoices.

What types of personal data are used?

Name, address, e-mail, telephone, size of sponsorship, company name, position, signature and in some cases CPR number.

What is the legal basis for the processing?

Legal obligation cf. the Danish Consolidated Bookkeeping Act and the Danish Tax Act (Article 6(1)(c) of the GDPR).

Legal obligation, cf. section 11(2)(1) of the Danish Data Protection Act, whose social security number (CPR-number) is required in relation to reporting to the tax authorities.


Enter into an agreement on sponsorship / contribution (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?

6 years from completion of the sponsorship.

_____________ 

Completion of "in case of emergency" declarations for selected activities.

Which people are covered?

People trying special rides and relatives of these.

For what purposes is the personal data used?

Contact relatives in case of emergency.

What types of personal data are used?

Name, address, email and telephone number.

What is the legal basis for the processing?

Legitimate interest in handling emergencies, including damages, etc. (Article 6(1)(f) of the GDPR).

When will the personal data be deleted?

After completing the experience.

_____________ 

Registration of behavior in the park. 

Which people are covered?

People who have bracelets through which behavior can be recorded.

For what purposes is the personal data used?

Marketing, statistics and provide a good experience.

What types of personal data are used?

Contact information, visit to the park and behavior.

What is the legal basis for the processing?

Legitimate interest in marketing, compiling statistics and ensuring the best possible experience in the park (Article 6(1)(f) of the GDPR).

When will the personal data be deleted?

1 year after last visit.

_____________ 

Booking of educational offers.  

Which people are covered?

Participants in training.

For what purposes is the personal data used?

Register and conduct training.

What types of personal data are used?

Name, address, email and telephone number.

What is the legal basis for the processing?

Enter into an agreement on teaching (Article 6(1)(b) of the GDPR).

Legitimate interest in registering and verifying participants (Article 6(1)(f) of the GDPR).

When will the personal data be deleted?

6 months after completion of training.

_____________ 

Conflict management.  

Which people are covered?

Visitors.

For what purposes is the personal data used?

Initiate cases about other visitors' behavior.

What types of personal data are used?

Contact information and description of incidents.

What is the legal basis for the processing?

Legitimate interest in handling conflicts and ensuring proper behaviour in accordance with guidelines (Article 6(1)(f) of the GDPR).

When will the personal data be deleted?

6 months after case closed.

_____________ 

Handling complaints.

Which people are covered?

People who complain about our products, visits, or services.

For what purposes is the personal data used?

Handle the complaint in accordance with applicable legislation, guidelines and terms and conditions.

What types of personal data are used?

Description of complaint, time of purchase, visit or experience and contact information.

What is the legal basis for the processing?

To assess whether the agreement has been complied with (Article 6(1)(b) of the GDPR).

To assess the complaint in relation to the Danish Sale of Goods Act and the Consumer Contracts Act (Article 6(1)(c) of the GDPR).

When will the personal data be deleted?

2 years from the closure of the complaint.

_____________ 

Cooperation with companies. 

Which people are covered?

Suppliers and partners.

For what purposes is the personal data used?

General planning, fulfillment and administration of collaborations, including contracts.
Administration such as processing payments, evaluating credit ratings, accounting, auditing, as well as providing support.
Product and service development.
Statistics and analysis.
Conflict management.

What types of personal data are used?

Name, email address, telephone number and corresponding contact details

Individual information, such as preferred languages

Organisational information such as company name and address, job title, area of employment, primary place and country of work.

Contractual information such as orders, invoices, contracts and other agreements between your company that may include, for example, your contact information.

Financial information, such as payment terms, bank details and credit ratings (in the case of a sole proprietorship).

What is the legal basis for the processing?

In certain cases, the processing of your personal data is necessary for the performance of a contract (Article 6(1)(b) of the GDPR).

We may process your personal data on the basis of our legitimate interests in, for example, managing day-to-day operations in accordance with lawful and fair business practices, including planning, executing and administering the cooperation or our legitimate interest in, for example, carrying out credit ratings, statistics, analyses, marketing activities (where consent is not required), providing support, improvement and development of our products and services. The processing may also be necessary for our legitimate interest in preventing fraud or establishing, defending or asserting legal claims (Article 6(1)(f) of the GDPR).

The processing of your personal data will in some cases be necessary for compliance with legal obligations, such as our obligation to prevent illegal activities (Article 6(1)(c) of the GDPR).

When will the personal data be deleted?

2 years after last contact.

_____________ 

5. To whom do we disclose your personal data? 

In some special cases, we disclose your personal data to independent data controllers. In the following table, we have listed the categories of these third parties, what personal data may be disclosed about you to the third parties and the legal basis for the disclosure.
We note that your personal data may also be disclosed with your prior consent, including to third parties via the cookie consent.

 

Categories of recipients

Lawyers, insurance companies, authorities, police and courts.

Types of personal data

Relevant information in relation to a specific dispute, including in some cases video recordings and damage incidents.

Legal basis 

Article 6(1)(f) of the GDPR (legitimate interest).

Article 6(1)(c) of the GDPR (legal obligation to report descriptions of damage to security authorities).

_____________

Categories of recipients

Suppliers of gifts in connection with competitions

Types of personal data

Address.

Legal basis 

Article 6(1)(f) of the GDPR (legitimate interest).

_____________

Categories of recipients

Tax in connection with sponsorships

Types of personal data

Contact information and social security number.

Legal basis 

Article 6(1)(c) of the GDPR (legal obligation) cf. tax legislation.

Section 11(2)(1) of the Danish Data Protection Act, whose CPR number is required in relation to reporting to the tax authorities.

 

_____________

Categories of recipients

Event agencies

Types of personal data

Contact

Legal basis 

Article 6(1)(f) of the GDPR (legitimate interest).

_____________

Categories of recipients

Payment acquirers

Types of personal data

Payment and card information.

Legal basis 

Article 6(1)(b) (contract) of the GDPR.

_____________ 

6. To whom do we entrust your personal data?

Suppliers (third parties) may have access to your personal data on the basis of a contractual relationship with Moesgaard when providing relevant services to Moesgaard, such as the providers of video surveillance solutions, hosting providers, conducting satisfaction surveys, sending newsletters, placing cookies and for marketing in general. Such suppliers (data processors) will only process personal data on the basis of a data processing agreement and in accordance with our instructions.

7. Do we transfer your personal data to unsafe third countries?

If your personal data is transferred to data processors or data controllers established in countries outside the EU/EEA that do not have an adequate level of protection, such transfer will only take place when a transfer is based on the EU Commission's standard contractual clauses. Transfer of personal data to the USA may also take place based on the EU-US Data Privacy Framework. If you have any questions about the basis for transfers to countries outside the EU/EEA, please contact us at info@moesgaardmuseum.dk. 

 

8. If you visit our profiles otherwise social media pages

This section contains the policy for Moesgaard's processing of personal data collected through Moesgaard's profiles or social media pages.

Moesgaard have profiles or pages on the following social media:

• Facebook (Meta Platforms Ireland Ltd.)
• Facebook's privacy policy is available here
• Meta and Moesgaard are joint data controllers of Facebook pixels, which you can accept via cookies as further described above. Meta's privacy policy and the information in this section also apply to Facebook pixels, with the exception of the information relating solely to our profile on Facebook.
• YouTube (Google Ireland Ltd.)
• Google's privacy policy is available here
• LinkedIn (LinkedIn Ireland Unlimited Company)
• LinkedIn's privacy policy is available here
• X (X Corp (X))
• X’ privacy policy is available here
• Instagram (Meta Platforms Ireland Ltd.)
• Instagram's privacy policy is available here
• TikTok (TikTok Technology Limited and TikTok Information Technologies UK Limited)
• TikTok's privacy policy is available here
• Pinterest (Pinterest Europe Ltd.)
• Pinterest's privacy policy is available here
For LinkedIn, Facebook, TikTok, Instagram and Pinterest, Moesgaard together with the social media providers are joint data controllers for the processing of personal data collected in connection with your interactions with the profiles, including the profiles' postings.
Moesgaard and the providers of LinkedIn, Facebook, TikTok, Instagram and Pinterest have entered into an agreement on the distribution of the data protection tasks. According to these agreements, Moesgaard and the social media providers are each responsible for the tasks associated with the processing they each undertake. However, it has been agreed between Moesgaard and the provider of Facebook and Instagram that the provider is responsible for enabling you to exercise your rights as described in the 'Your rights' section below in connection with the use of Facebook and Instagram, and that it is Moesgaard that is responsible for providing you with the information described below. In addition, it is agreed between Moesgaard and LinkedIn that LinkedIn is responsible for responding to requests from you regarding the rights described in the 'Your Rights' section below.
Moesgaard also uses the provider of YouTube as a data processor in connection with these entities' use of YouTube and in this connection also shares certain information about your interactions, interests, etc. with YouTube. This sharing takes place on the basis of our and Google's legitimate interest in optimizing marketing and the service, including our videos on YouTube (Article 6(1)(f) of the GDPR).
Collection of personal data
When you visit or interact with our social media profiles, Moesgaard and the social media provider in question may collect, process and store the following types of personal data about you:
- Information available on your profile, including your name, gender, marital status, workplace, interests, photo and city
- Whether you "like" or have used other reactions to our profile
- Comments you leave on our posts
- That you have visited our profile
- Your IP address

Purposes of processing
Moesgaard processes your personal data for the following purposes:
- Improving our products and services, including our social media profiles and pages
- Statistics and analysis
- To communicate with you if you comment on a post, leave a review or send us a message
- Marketing in general

The social media providers process, among other things, your personal data for the following purposes:
- Improving their ad system
- To provide Moesgaard with statistics that social media providers compile on the basis of, among other things, your visit to our profiles and pages
- Advertising and personalization of activities on the Site

Basis for processing
The processing of your personal data is based on the following basis:
- Legitimate interests: Moesgaard the processing of your personal data is based on our legitimate interests in being able to communicate with and market ourselves to you on our social media profiles, as well as our legitimate interest in improving our products and services (Article 6(1)(f) of the GDPR)

Storage period
Your personal data will be stored for 2 years. However, the information may be stored longer in anonymised form.

Please refer to the privacy policy of the individual social media providers for information on how long they keep your personal data.

Who do social media providers share your personal data with?
The social media providers may, among other things, share your personal data with the following categories of recipients:
• Other entities within the group of which the social media provider is part of
• External partners providing analysis and survey services
• Advertisers
• Other individuals who visit our social media profile or page (to the extent your information is publicly available)
• Researchers and other academics
You can find more information about who the social media providers share your personal data within the privacy policy of the individual providers.
The social media providers may transfer your personal data to recipients outside the EU/EEA in accordance with applicable data protection legislation. You can read more in the privacy policies of the individual providers.
You can read more about who Moesgaard shares your personal data within the sections above titled "To whom do we disclose your personal data?" and "To whom do we entrust your personal data?".

9. What rights do you have?

General rights
When Moesgaard processes personal data about you as stated above, you have several rights under applicable data protection legislation:

a. You have the right to access the personal data we process about you
b. You have the right to object to our collection and further processing of your personal data
c. You have the right to rectification and erasure of your personal data, however, with certain statutory exceptions, including the Danish Consolidated Bookkeeping Act
d. You have the right to request the restriction of the processing of your personal data
e. In certain circumstances, you can request to receive a copy of your personal data as well as to transmit the personal data you have provided to us to another data controller (data portability)
f. You can withdraw any consents you may have given at any time. We will then delete your personal data unless we can continue processing on other grounds. Our newsletter can be unsubscribed by clicking on the link at the bottom of the newsletter. Withdrawal of consent will have effect on the future processing of your personal data. Withdrawal of your consent does not affect the lawfulness of the processing we carried out based on the consent before the withdrawal.

Right to object
You always have the right to object to the collection and further processing of your personal data, including the right to object to our processing based on the balancing of interests rule pursuant to Article 6(1)(f) of the GDPR. This applies, among other things, when we process your information for marketing purposes.

Required information
Please note that the processing of your personal data as stated under section 2 above may be required by law or contractually necessary as a prerequisite for us to comply with the law and to be able to manage purchases and visits. This will be the case if we have indicated that the legal basis for the processing is Article 6(1)(b) (contract) or (c) (legal obligation) of the GDPR. Information you must provide to enter into a contract may also be indicated by an asterisk (*) via the website.

Refusal to provide this information, objection to our processing of this information or demand for deletion of this information may result in you not being able to purchase our services or enter into an agreement with us.

 

10. Do you have questions and do you want to exercise your rights?

If you have any questions about this privacy policy or if you wish to complain about the way we process your personal data, please feel free to contact us:

Moesgaard Museum
Address: Moesgård Allé 15, 8270 Højbjerg
CVR no.: 39881012
Email: info@moesgaardmuseum.dk
Phone number: +45 87 39 40 00

If your complaint is not resolved by us and you want to proceed with the case, you can complain to the Danish Data Protection Agency:

The Danish Data Protection Agency
Carl Jacobsens Vej 35
DK-2500 Valby
Phone: 33 19 32 00
Email: dt@datatilsynet.dk

11. Links to other websites

Our website may contain links to other websites. We are not responsible for the content of other websites (third party websites) or for the procedures such third parties have for collecting and processing personal data. When you visit a third-party website, you should read the website owner's privacy policy and other relevant policies.

12. Changes to the Privacy Policy

This privacy policy does not constitute an agreement between Moesgaard and you, but instead forms the basis of our duty of disclosure under data protection legislation. We reserve the right to make changes to this Privacy Policy from time to time in accordance with applicable data protection laws. In case of changes, the date and version number at the top of the privacy policy will be changed. The privacy policy in force at any time will always be available via this link. In case of material changes to the Privacy Policy, you will receive an email or other notification with reference to the updated Privacy Policy.