Personal Data Policy - ARoS

1. Why did we create this privacy policy?

At ARoS Aarhus Art Museum (”ARoS”), we prioritize privacy and data security. This privacy policy applies to our processing of personal data and sets out guidelines for [insert nickname]'s way of processing your personal data and provides you with the information that you are entitled to receive under applicable data protection legislation. You should read the privacy policy before providing your personal data to ARoS.

2. Data controller and contact information

The data controller of your personal data is:

ARoS Aarhus Kunstmuseum
Adress: Aros Allé 2, 8000, Aarhus C
CVR no.: 39 79 99 28
E-mail: info@aros.dk
Phone number: + 45 8730 6600

3. From where do we collect personal data about you?

ARoS may potentially collect and process personal data about you from the following sources:

Directly from you.
Video surveillance.
From other visitors.

4. Purpose, types of personal data, legal basis and deletion

ARoS's processing of personal data will depend on your purchases, your interaction, consents given, and behavior. Therefore, you should start by reading the column "Which people are covered?" to clarify whether the processing activity, the purposes in question, types of personal data, legal bases and deletion deadlines are relevant to you:

Cookies, pixels and social plug-ins

Which people are covered?
Website visitors who have provided consent via the cookie banner.

For what purposes is the personal data used?
Marketing, statistics, preferences and features.
You can read more about the purposes via the cookie banner.

What types of personal data are used? User ID, geographical location, interests, IP address, operating system, browser type, device type, behavior on the website, MAC address, click behavior, interaction with ads, completed data upon purchase, and search history.

What is the legal basis for the processing? The processing of personal data in relation to necessary cookies takes place on the basis of an contract to be able to use the functions of the website (Article 6(1)(b) of the GDPR).

The processing of personal data in relation to statistical and preference cookies takes place as a result of our legitimate interest in offering you the best possible products and services (Article 6(1)(f) of the GDPR).

The processing of personal data in relation to marketing cookies, including on the basis of your preferences, takes place on the basis of your prior consent (Article 6(1)(a) of the GDPR).

In addition, we always obtain a valid cookie consent in accordance with the Executive Order on Cookies before cookies are placed via your terminal equipment.

When will the personal data be deleted?
See the cookie banner where the deletion periods (expiration periods) are indicated. You can open the cookie banner by clicking on this link.

Video surveillance

Which people are covered?
Visitors and suppliers.

For what purposes is the personal data used?
Create security, to prevent crime and secure evidence for use in police investigations.

What types of personal data are used?
Pictures of your whereabouts and, in some cases, criminal information in the event of theft or other crimes.

What is the legal basis for the processing?
Pursue our legitimate interest in creating security, preventing crime, and securing evidence for use in police investigations (Article 6(1)(f) of the GDPR and section 8(3) of the Danish Data Protection Act).

When will the personal data be deleted?
30 days from the moment of recording.

Creating a user profile

Which people are covered?
Users.

For what purposes is the personal data used?
Creating a profile for the purpose of purchasing / registering annual passes and entrance tickets as well as to obtain benefits.

What types of personal data are used?
Code, name, address, date of birth, picture, discounts, email, and purchase.

What is the legal basis for the processing?
Enter into and comply with a contract (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?
1 year after the user is deleted.

Membership

Which people are covered?
Members

For what purposes is the personal data used?
Be a member and obtain associated benefits, ensure compliance with membership conditions and administration of membership.

Collection and payment.

Marketing and statistics.

What types of personal data are used?
Name, email, phone number, interests, marketing consent, date of birth, discounts used, payment information and benefits.

What is the legal basis for the processing?
Enter into a contract on membership (Article 6(1)(b) of the GDPR.

Consent to receive marketing (Article 6(1)(a) of the GDPR).

We may also process your personal data on the basis of our legitimate interests in handling e.g. inquiries, conducting marketing, developing existing and new services and products, conducting analyses and statistics of our customer segments, products and services (Article 6(1)(f) of the GDPR).

When will the personal data be deleted?
1 year after termination of membership.

A copy of the consent is kept 2 years after withdrawal of consent or 2 years after termination of membership.

Purchase via webshop

Which people are covered?
People who make purchases through the webshop.

For what purposes is the personal data used?
Fulfil the purchase agreement entered into with you, including to be able to deliver the ordered goods and/or tickets, handle order confirmation, complaints, returns and send terms and conditions.

What types of personal data are used?
Name, address, email, phone, nationality, purchase history, geolocation, IP address, and payment information.

*It may be stated whether or not it is mandatory to provide the information.

What is the legal basis for the processing?
Enter into and comply with the purchase agreement (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?
2 years after last purchase.

However, bookkeeping information will be stored 6 years after purchase in accordance with the Danish Consolidated Bookkeeping Act.

Physical purchases at ARoS

Which people are covered?
Visitors making purchases at ARoS Information, ARoS Shop Cafe & Orangeri.

For what purposes is the personal data used?
Conclude agreement on purchase.

What types of personal data are used?
Name, date of birth, address, e-mail and possibly photo.

What is the legal basis for the processing?
Enter into and comply with the purchase agreement (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?
2 years after last purchase.

Newsletter

Which people are covered?
Persons who have consented to receive newsletters.

For what purposes is the personal data used?
Send marketing as further described in the consent.

What types of personal data are used?
Email, name and phone number.

What is the legal basis for the processing?
Consent (Article 6(1)(a) of the GDPR).

When will the personal data be deleted?
2 years after withdrawal of consent.

Profiling for marketing purposes

Which people are covered?
Persons who have consented to receive newsletters.

For what purposes is the personal data used?
Targeted advertising, including by sending personalised emails and newsletters.

What types of personal data are used?
Email, name, click behavior in relation to forwarding material, order history and preferences.

What is the legal basis for the processing?
Legitimate interests in being able to improve and develop our services (Article 6(1)(f) of the GDPR).

When will the personal data be deleted?
As long as your consent to receive newsletters is active.

Customer service and general communication

Which people are covered?
People who contact customer service or otherwise communicate with us.

For what purposes is the personal data used?
Handling your inquiry and possibly your order, observing your rights, general communication as well as statistics and analysis.

What types of personal data are used?
E-mail, name, telephone number, what your inquiry relates to, date of inquiry and other information you provide.

We encourage you not to provide sensitive personal data or social security numbers (CPR) to us unless they are strictly necessary for the processing of your inquiry

What is the legal basis for the processing?
We may process your personal data on the basis of our legitimate interests in handling your inquiry, communicating with you, and developing our products and services (Article 6(1)(f) of the GDPR).

If your inquiry concerns a (potential) conclusion of a contract, we process your data in order to be able to carry out pre-contractual measures (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?
General inquiries and cases are generally stored for 2 years, but the storage time may vary depending on the content of the cases.

Accounting material, including personal data, which we are obliged to store in accordance with the Danish Consolidated Bookkeeping Act, is stored for up to 6 years.

Annual pass

Which people are covered?
Annual tick et holders.

For what purposes is the personal data used?
Issue and administer your annual pass as well as ensure identification when purchasing an annual pass.

What types of personal data are used?
Name, address, telephone number, date of birth, and possibly picture.

What is the legal basis for the processing?
To enter into a contract and ensure identification (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?
5 years after the ticket expires.

Booking of restaurants

Which people are covered?
Restaurant visitors.

For what purposes is the personal data used?
Create and manage booking.

What types of personal data are used?
Contact information and other information you provide in connection with table reservations.

What is the legal basis for the processing?
To enter into an agreement (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?
1 year after last booking.

Booking of banquet rooms

Which people are covered?
Contact person for booking.

For what purposes is the personal data used?
Create and manage booking.

What types of personal data are used?
Name, contact information and other information you provide in connection with booking.

What is the legal basis for the processing?
To enter into an agreement (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?
1 year after last booking.

Google custom and lookalike audience

Which people are covered?
Persons who have consented to receive newsletters and/or marketing cookies.

For what purposes is the personal data used?
Create audiences for subsequent advertising for sales and marketing purposes through banners and advertisements.

What types of personal data are used?
Non-reversible hashed email address, user ID, geographic location, interests, IP address, MAC address, click behavior, interaction with ads, filled in data upon purchase, and search history.

What is the legal basis for the processing?

Our interest in spreading awareness of our products and services, including in relation to other persons who have similar interests (Article 6(1)(f) of the GDPR).

If you wish to object to Google, you can do so by controlling your ads on Google services via "Google Custom Match" in your Google Ads settings: https://support.google.com/google-ads/answer/6379332?hl=en.

You can also read more about how Google acts as joint data controller with us. You can read more about their processing of your personal data via this link: https://policies.google.com/privacy?hl=en.

When will the personal data be deleted?
Follows the deletion deadlines for newsletters and cookies.

Facebook custom and lookalike audience

Which people are covered?
Persons who have consented to receive newsletters and/or marketing cookies.

For what purposes is the personal data used?
Create audiences for subsequent advertising for sales and marketing purposes through banners and advertisements.

What is the legal basis for the processing?
Our interest in spreading awareness of our products and services, including in relation to other persons who have similar interests (Article 6(1)(f) of the GDPR).

You can object to Facebook by changing your settings on Facebook and disabling "Facebook Custom Audiences and Lookalike Audiences", following the instructions at the following link: https://facebook.com/settings/?tab=ads#.

Meta (Facebook) acts as joint data controller with us. You can read more about Facebook's processing of your personal data via this link: https://facebook.com/about/privacy

When will the personal data be deleted?
Follows the deletion deadlines for newsletters and cookies.

Competitions

Which people are covered?
Participants in competitions.

For what purposes is the personal data used?
Enter the contest and sending the prize if you win. Compliance with the conditions of competition.

Announce the winner on social media.

What types of personal data are used?
Name and e-mail as well as any information that you have won. We will also collect your address if you win a prize that needs to be physically shipped.

What is the legal basis for the processing?
Legitimate interest in conducting the competition and possibly publishing your name and sending the prize if you have won (Article 6(1)(f) of the GDPR).

Comply with the competition conditions (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?
1 year after the end of the competition.

Organization of events, tours, events and events

Which people are covered?
Participants in events, tours, events and events.

For what purposes is the personal data used?
Registration, holding and administration.

What types of personal data are used?
Contact information and information about participation in the event, event, tour or event.

What is the legal basis for the processing?
Enter into an agreement (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?
1 year after completion of the event.

Use of images and videos for marketing

Which people are covered?
Visitors or photos you have uploaded on social media.

For what purposes is the personal data used?
Marketing.

What types of personal data are used?
Photos/videos and contact information.

Your signature and copy of contract.

Copy of consent and copy of consent from your parent or guardian if you are under 15 years old.

What is the legal basis for the processing?
We base the processing of your personal data on our legitimate interest in being able to market ourselves on, among other things, social media and the website in the case of a mood / current image where it is difficult or impossible to identify you. (Article 6(1)(f) of the GDPR). In accordance with the Danish Data Protection Agency's current guidelines, we carry out an overall assessment in order to assess whether publication of the image requires your prior consent.

If the overall assessment shows that publication requires your prior consent or conclusion of a contract, we will obtain this or conclude the contract before using the image or video of you for marketing purposes (Article 6(1)(a) (consent) of the GDPR and Article 6(1)(b) (contract) of the GDPR).

When will the personal data be deleted?
When consent is revoked or when the contract expires.

Storage of mood images depends on the specific situation but is generally not deleted from social media unless you object. See below how you can object.

Injuries

Which people are covered?
Injured.

For what purposes is the personal data used?
Handle physical damage occurring at the museum and defend or establish legal claims.

What types of personal data are used?
Name, address, telephone, e-mail and description of the damage.

Description of the damage may contain sensitive personal data in the form of health information.

What is the legal basis for the processing?
Legitimate interest in handling the damage, including in relation to damages, legal claims and insurance (Article 6(1)(f) of the GDPR).

Establish and defend legal claims where it is strictly necessary to process health data (Article 9(2)(f) of the GDPR).

When will the personal data be deleted?
3 years from completion of claims handling.

Legal claims, compliance with guidelines/statutes and quarantines

Which people are covered?
Persons involved in incidents in violation of legislation or internal guidelines/bylaws.

For what purposes is the personal data used?
Defend, exercise and establish legal claims and, in certain cases, exclude persons from future visits or report the matter to the police.

What types of personal data are used?
Description of the incident, which may involve general information, criminal information and, in special cases, sensitive information such as race or health.

What is the legal basis for the processing?
Legitimate interest in establishing, defending, and asserting legal claims, as well as to exclude persons from future visits if the person has acted contrary to guidelines or legislation.

Article 6(1)(f) of the GDPR (general personal data:

Section 8(3) of the Danish Data Protection Act (criminal information).

Article 9(2)(f) of the GDPR (if sensitive information such as race or health is included).

When will the personal data be deleted?
At the end of the case or 3 years after notification.

The list of expelled persons is kept for as long as the quarantine is in force.

Broadcast service announcements

Which people are covered?
People who have purchased products from us or participated in events, events or similar.

For what purposes is the personal data used?
To inform about your purchase or visit.

What types of personal data are used?
Email or phone number.

What is the legal basis for the processing?
Legitimate interest in informing about a variety of circumstances, including in case of pandemics, practical conditions, cancellations, changes and other significant matters related to the purchase or visit (Article 6(1)(f) of the GDPR).

When will the personal data be deleted?
3 years after last purchase or participation.

Send satisfaction surveys and market research and generally improve our products and services

Which people are covered?
People who have purchased products from us, visitors or people who have participated in events or the like.

For what purposes is the personal data used?Improve our products and services and marketing. In addition, to generally ensure customer satisfaction.

What types of personal data are used?
Contact information, language, nationality and purchase information and satisfaction.

When will the personal data be deleted?
3 years after last purchase or participation.

Issue gift cards

Which people are covered?
Gift card recipients.

For what purposes is the personal data used?Register, issue, and manage the gift card.

What types of personal data are used?
Contact information, payment information and content of gift cards.

What is the legal basis for the processing?
Enter into and comply with an agreement on gift cards (Article 6(1)(b) of the GDPR).

Ensure compliance with the Danish Payment Act in relation to electronic gift cards (Article 6(1)(c) of the GDPR).

When will the personal data be deleted?
1 year after gift card expiration.

Accounting material, including personal data, which we are obliged to store in accordance with the Danish Consolidated Bookkeeping Act, is stored for up to 6 years.

Comply with the Danish Consolidated Bookkeeping Act

Which people are covered?
Payers.

For what purposes is the personal data u
Ensure documentation of the purchase in accordance with The Danish Consolidated Bookkeeping Act.

What types of personal data are used?
Transaction Information.

What is the legal basis for the processing?
Legal obligation cf. the Danish Consolidated Bookkeeping Act (Article 6(1)(c) of the GDPR).

When will the personal data be deleted?
Accounting material, including personal data, which we are obliged to store in accordance with the Danish Consolidated Bookkeeping Act, is stored for up to 6 years.

Sponsorships and contributions

Which people are covered?
Sponsor/contributors.

For what purposes is the personal data u
Manage the sponsorship and issue invoices.

What types of personal data are used?
Name, address, e-mail, telephone, size of sponsorship, company name, position, signature and in some cases CPR number.

What is the legal basis for the processing?
Legal obligation cf. the Danish Consolidated Bookkeeping Act and the Danish Tax Act (Article 6(1)(c) of the GDPR).

Legal obligation, cf. section 11(2)(1) of the Danish Data Protection Act, whose social security number (CPR-number) is required in relation to reporting to the tax authorities.

Enter into an agreement on sponsorship / contribution (Article 6(1)(b) of the GDPR).

When will the personal data be deleted?
7 years from completion of the sponsorship.

Booking of educational offers

Which people are covered?
Participants in training

For what purposes is the personal data u
Register and conduct training.

What types of personal data are used?
Name, address, email and telephone number.

What is the legal basis for the processing?
Legal obligation cf. the Danish Consolidated

Enter into an agreement on teaching (Article 6(1)(b) of the GDPR).

Legitimate interest in registering and verifying participants (Article 6(1)(f) of the GDPR).

When will the personal data be deleted?
6 months after completion of training.

Conflict management

Which people are covered?
Visitors.

For what purposes is the personal data u
Initiate cases about other visitors' behavior.

What types of personal data are used?
Contact information and description of incidents.

What is the legal basis for the processing? Legitimate interest in handling conflicts and ensuring proper behaviour in accordance with guidelines (Article 6(1)(f) of the GDPR).

When will the personal data be deleted?
6 months after case closed.

Handling complaints

Which people are covered?
People who complain about our products, visits, or services.

For what purposes is the personal data u
Handle the complaint in accordance with applicable legislation, guidelines and terms and conditions.

What types of personal data are used?
Description of complaint, time of purchase, visit or experience and contact information.

What is the legal basis for the processing?
To assess whether the agreement has been complied with (Article 6(1)(b) of the GDPR).

To assess the complaint in relation to the Danish Sale of Goods Act and the Consumer Contracts Act (Article 6(1)(c) of the GDPR).

When will the personal data be deleted?
2 years from the closure of the complaint.

Cooperation with companies

Which people are covered?
Suppliers and partners.

For what purposes is the personal data u
General planning, fulfillment and administration of collaborations, including contracts.

Administration such as processing payments, evaluating credit ratings, accounting, auditing, as well as providing support.

Product and service development.

Statistics and analysis.

Conflict management.

What types of personal data are used?
Name, email address, telephone number and corresponding contact details

Individual information, such as preferred languages

Organisational information such as company name and address, job title, area of employment, primary place and country of work.

Contractual information such as orders, invoices, contracts and other agreements between your company that may include, for example, your contact information.

Financial information, such as payment terms, bank details and credit ratings (in the case of a sole proprietorship).

What is the legal basis for the processing?
In certain cases, the processing of your personal data is necessary for the performance of a contract (Article 6(1)(b) of the GDPR).

We may process your personal data on the basis of our legitimate interests in, for example, managing day-to-day operations in accordance with lawful and fair business practices, including planning, executing and administering the cooperation or our legitimate interest in, for example, carrying out credit ratings, statistics, analyses, marketing activities (where consent is not required), providing support, improvement and development of our products and services. The processing may also be necessary for our legitimate interest in preventing fraud or establishing, defending or asserting legal claims (Article 6(1)(f) of the GDPR).

The processing of your personal data will in some cases be necessary for compliance with legal obligations, such as our obligation to prevent illegal activities (Article 6(1)(c) of the GDPR).

When will the personal data be deleted?
2 years after last contact.

5. To whom do we disclose your personal data?

In some special cases, we disclose your personal data to independent data controllers. In the following table, we have listed the categories of these third parties, what personal data may be disclosed about you to the third parties and the legal basis for the disclosure.

We note that your personal data may also be disclosed with your prior consent, including to third parties via the cookie consent.

Lawyers, insurance companies, authorities, police and courts

Types of personal data
Relevant information in relation to a specific dispute, including in some cases video recordings and damage incidents.

Legal basis
Article 6(1)(f) of the GDPR (legitimate interest).

Article 6(1)(c) of the GDPR (legal obligation to report descriptions of damage to security authorities).

Tax in connection with sponsorships

Types of personal data
Contact information and social security number.

Legal basis
Article 6(1)(c) of the GDPR (legal obligation) cf. tax legislation.

Section 11(2)(1) of the Danish Data Protection Act, whose CPR number is required in relation to reporting to the tax authorities.

Payment acquirers

Types of personal data
Payment and card information.

Legal basis
Article 6(1)(b) (contract) of the GDPR.

6. To whom do we entrust your personal data?

Suppliers (third parties) may have access to your personal data on the basis of a contractual relationship with ARoS when providing relevant services to ARoS, such as the providers of video surveillance solutions, hosting providers, conducting satisfaction surveys, sending newsletters, placing cookies and for marketing in general. Such suppliers (data processors) will only process personal data on the basis of a data processing agreement and in accordance with our instructions.

7. Do we transfer your personal data to unsafe third countries?

If your personal data is transferred to data processors or data controllers established in countries outside the EU/EEA that do not have an adequate level of protection, such transfer will only take place when a transfer is based on the EU Commission's standard contractual clauses. Transfer of personal data to the USA may also take place based on the EU-US Data Privacy Framework. If you have any questions about the basis for transfers to countries outside the EU/EEA, please contact us at info@aros.dk.

8. If you visit our profiles otherwise social media pages

This section contains the policy for ARoS's processing of personal data collected through ARoS's profiles or social media pages.

ARoS have profiles or pages on the following social media:

Facebook (Meta Platforms Ireland Ltd.)
- Facebook's privacy policy is available here
- Meta and ARoS are joint data controllers of Facebook pixels, which you can accept via cookies as further described above. Meta's privacy policy and the information in this section also apply to Facebook pixels, with the exception of the information relating solely to our profile on Facebook.
YouTube (Google Ireland Ltd.)
- Google's privacy policy is available here
LinkedIn (LinkedIn Ireland Unlimited Company)
- LinkedIn's privacy policy is available here
X (X Corp (X))
- X’ privacy policy is available
Instagram (Meta Platforms Ireland Ltd.)
- Instagram's privacy policy is available here
TikTok (TikTok Technology Limited and TikTok Information Technologies UK Limited)
- TikTok's privacy policy is available here

For LinkedIn, Facebook, TikTok, Instagram ARoS together with the social media providers are joint data controllers for the processing of personal data collected in connection with your interactions with the profiles, including the profiles' postings.

ARoS and the providers of LinkedIn, Facebook, TikTok, Instagram and Pinterest have entered into an agreement on the distribution of the data protection tasks. According to these agreements, ARoS and the social media providers are each responsible for the tasks associated with the processing they each undertake. However, it has been agreed between ARoS and the provider of Facebook and Instagram that the provider is responsible for enabling you to exercise your rights as described in the 'Your rights' section below in connection with the use of Facebook and Instagram, and that it is ARoS that is responsible for providing you with the information described below. In addition, it is agreed between ARoS and LinkedIn that LinkedIn is responsible for responding to requests from you regarding the rights described in the 'Your Rights' section below.

ARoS also uses the provider of YouTube as a data processor in connection with these entities' use of YouTube and in this connection also shares certain information about your interactions, interests, etc. with YouTube. This sharing takes place on the basis of our and Google's legitimate interest in optimizing marketing and the service, including our videos on YouTube (Article 6(1)(f) of the GDPR).

Collection of personal data

When you visit or interact with our social media profiles, ARoS and the social media provider in question may collect, process and store the following types of personal data about you:

Information available on your profile, including your name, gender, marital status, workplace, interests, photo and city
Whether you "like" or have used other reactions to our profile
Comments you leave on our posts
That you have visited our profile
Your IP address

Purposes of processing

ARoS processes your personal data for the following purposes:

Improving our products and services, including our social media profiles and pages
Statistics and analysis
To communicate with you if you comment on a post, leave a review or send us a message
Marketing in general

The social media providers process, among other things, your personal data for the following purposes:

Improving their ad system
To provide ARoS with statistics that social media providers compile on the basis of, among other things, your visit to our profiles and pages
Advertising and personalization of activities on the Site

Basis for processing

The processing of your personal data is based on the following basis:

Legitimate interests: ARoS the processing of your personal data is based on our legitimate interests in being able to communicate with and market ourselves to you on our social media profiles, as well as our legitimate interest in improving our products and services (Article 6(1)(f) of the GDPR)

Storage period

Your personal data will be stored for 2 years. However, the information may be stored longer in anonymised form. Please refer to the privacy policy of the individual social media providers for information on how long they keep your personal data.

Who do social media providers share your personal data with?

The social media providers may, among other things, share your personal data with the following categories of recipients:

Other entities within the group of which the social media provider is part of
External partners providing analysis and survey services
Advertisers
Other individuals who visit our social media profile or page (to the extent your information is publicly available)
Researchers and other academics
Forskere og andre akademikere

You can find more information about who the social media providers share your personal data within the privacy policy of the individual providers.

The social media providers may transfer your personal data to recipients outside the EU/EEA in accordance with applicable data protection legislation. You can read more in the privacy policies of the individual providers.

You can read more about who ARoS shares your personal data within the sections above titled "To whom do we disclose your personal data?" and "To whom do we entrust your personal data?".

9. What rights do you have?

General rights
When ARoS processes personal data about you as stated above, you have several rights under applicable data protection legislation:

You have the right to access the personal data we process about you
You have the right to object to our collection and further processing of your personal data
You have the right to rectification and erasure of your personal data, however, with certain statutory exceptions, including the Danish Consolidated Bookkeeping Act
You have the right to request the restriction of the processing of your personal data
In certain circumstances, you can request to receive a copy of your personal data as well as to transmit the personal data you have provided to us to another data controller (data portability)
You can withdraw any consents you may have given at any time. We will then delete your personal data unless we can continue processing on other grounds. Our newsletter can be unsubscribed by clicking on the link at the bottom of the newsletter. Withdrawal of consent will have effect on the future processing of your personal data. Withdrawal of your consent does not affect the lawfulness of the processing we carried out based on the consent before the withdrawal.

Right to object
You always have the right to object to the collection and further processing of your personal data, including the right to object to our processing based on the balancing of interests rule pursuant to Article 6(1)(f) of the GDPR. This applies, among other things, when we process your information for marketing purposes.

Required information
Please note that the processing of your personal data as stated under section 2 above may be required by law or contractually necessary as a prerequisite for us to comply with the law and to be able to manage purchases and visits. This will be the case if we have indicated that the legal basis for the processing is Article 6(1)(b) (contract) or (c) (legal obligation) of the GDPR. Information you must provide to enter into a contract may also be indicated by an asterisk (*) via the website.

Refusal to provide this information, objection to our processing of this information or demand for deletion of this information may result in you not being able to purchase our services or enter into an agreement with us.

10. Do you have questions and do you want to exercise your rights?

If you have any questions about this privacy policy or if you wish to complain about the way we process your personal data, please feel free to contact us:

ARoS Aarhus Kunstmuseum
Adress: Aros Allé 2, 8000, Aarhus C
CVR no.: 39 79 99 28
Email: info@aros.dk
Phonenumber: + 45 8730 6600

If your complaint is not resolved by us and you want to proceed with the case, you can complain to the Danish Data Protection Agency:

The Danish Data Protection Agency
Carl Jacobsens Vej 35
DK-2500 Valby
Phone: 33 19 32 00
Email: dt@datatilsynet.dk

11. Links to other websites

Our website may contain links to other websites. We are not responsible for the content of other websites (third party websites) or for the procedures such third parties have for collecting and processing personal data. When you visit a third-party website, you should read the website owner's privacy policy and other relevant policies.

12. Changes to the Privacy Policy

This privacy policy does not constitute an agreement between ARoSand you, but instead forms the basis of our duty of disclosure under data protection legislation. We reserve the right to make changes to this Privacy Policy from time to time in accordance with applicable data protection laws. In case of changes, the date and version number at the top of the privacy policy will be changed. The privacy policy in force at any time will always be available via link. In case of material changes to the Privacy Policy, you will receive an email or other notification with reference to the updated Privacy Policy.