Data Privacy

Data protection notice

360X Art AG (“we”, “us”, “our”) processes personal data only as provided by law, in particular the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the German Data Protection Act (Bundesdatenschutzgesetz, “BDSG”). This data protection notice (the “Notice”) provides information about the processing of personal data relating to you when using our website and its functions at https://www.360xart.com (our “Website”).

Personal data refers to any information relating to an identified or identifiable natural person (“Data Subjects”), such as our Website visitors, and may include their name, contact details or technical identifiers.


Table of Contents:

(Click on a heading to jump directly to a specific section below)

  1. 1. Who We Are and ow You Can Reach Us
    1. 1.1 Our Identity as Data Controller
  2. 2. How We Process Personal Data When You Visit This Website
    1. 2.1 Personal Data Processing By Our Web Servers
    2. 2.2 Use of Netlify As Our Hosting Services Provider and Content Delivery Network
  3. 3. How We Process Personal Data When You Contact Us
    1. 3.1 Personal Data Processing Related to Email Correspondence
    2. 3.2 Personal Data Processing Related to the Use of Our Contact Form
  4. 4. How We Process Personal Data When You Send Us Your Application For a Job Offer
    1. 4.1 Use of Personio for Job Offer and Application Management
    2. 4.2 Do You Have to Provide Your Personal Data to Us?
    3. 4.3 Legal Basis For Processing Your Personal Data Throughout the Application Procedure
    4. 4.4 Period For Which We Will Store Your Personal Data From the Application Procedure
  5. 5. Your Rights as a Data Subject
  6. 6. We Refrain from Automated Individual Decision-making
  7. 7. General Technical and Organizational Measures
  8. 8. Changes to this Data Protection Notice

1. Who We Are and How You Can Reach Us

1.1 Our Identity as Data Controller

360X Art AG
Neue Rothofstraße 13-19
60313 Frankfurt am Main
Deutschland

E-Mail: info@360xart.de

2. How We Process Personal Data When You Visit This Website

2.1 Personal Data Processing By Our Web Servers

When you visit our Website without providing any other personal data that is technically necessary for establishing a connection to our web servers and for displaying our Website, your browser will automatically send certain information to our web servers. The following categories of personal data are collected automatically:

  • Public IP address of the requesting entity or of your end user device;
  • Date and time of the request, time zone included;
  • Requested URL, including query parameters and request headers;
  • Access status/HTTP status code;
  • Amount of data transferred in each case;
  • Website from which the request originates (so-called referrer URL);
  • HTTP headers (including your browser type, version and language; your operating system and interface; name of your Internet Service Provider).

The legal basis we rely on to process your personal data is Art. 6(1), sentence 1, lit. f GDPR, which allows us to process personal data when it is necessary for our legitimate interests. In particular, we process the abovementioned categories of personal data for ensuring the continuity of our business by letting you access our Website without disruptions and maintain the integrity of our IT systems (e.g., for preventing server overload through distributed denial-of-service (DDoS) attacks). Such personal data will be temporarily stored in server log files for as long as necessary to maintain and improve the security and stability of our IT systems over a period of 90 days.

2.2 Use of Netlify As Our Hosting Services Provider and Content Delivery Network

2.2.1 Netlify

We are using hosting services provided by Netlify, Inc., 2343 3rd Street 296, San Francisco CA 94107, United States of America (“Netlify”). Netlify processes personal Data on our behalf and our instructions in accordance with a Data Processing Agreement (Art. 28 GDPR). In the course of data processing by Netlify, personal data may be processed outside of the European Union or the European Economic Area, including the United States of America. In this regard we have entered into Standard Contractual Clauses (Module 2: Transfer controller to processor) as appropriate safeguards with Netlify. You can find a copy of the Standard Contractual Clauses at https://www.netlify.com/v3/static/pdf/netlify-dpa.pdf.

3. How We Process Personal Data When You Contact Us

3.1 Personal Data Processing Related to Email Correspondence

When you contact us by email or via contact form, we will collect, use and store personal data you provide (such as art work related data and activities, your name, your email address, your contact details and further information provided by you) to process and answer your enquiry adequately. All Data that you provide to us via contact form is transferred between your browser and our servers in encrypted form.

We process your Data exclusively to handle your query or if we are obliged to carry out certain processing activities for legal reasons (for example, for tax reasons). In addition, we may process your data to defend our rights (e.g. passing on your data to investigating authorities in the event of suspected deception or forgery).

We will erase such data when storage is no longer necessary according to the circumstances (e.g., when we have provided a final response to your enquiry). Alternatively, we will restrict the processing if there are any applicable legal retention obligations, in particular where federal German laws require us to store our electronic correspondence containing commercial letters and other business and/or tax-related documents for a period of up to six or ten years (see, Sec. 147 of the German Tax Code, Sec. 257 of the German Commercial Code).

The legal basis for such processing is Art. 6(1), sentence 1, lit. f GDPR, unless your enquiry is intended to take steps prior to entering into, to perform or to terminate a contract with us. In this case, the legal basis follows from Art. 6(1), sentence 1, lit. b GDPR. Insofar as we process your data on the basis of a legal obligation, the legal basis is Art. 6(1), sentence 1, lit. c GDPR. The processing of your data in the event of a suspected attempt at deception or suspected falsification is Art. 6(1), sentence 1, lit. f GDPR.

3.2 Personal Data Processing Related to the Use of Our Contact Form

Depending on the information you submitted through our contact form, we may also share personal data that you provided by this means with our partner 360X AG, headquartered in Gervinusstraße 17, 60322 Frankfurt am Main, Germany. The legal basis for such processing is Art. 6(1), sentence 1, lit. f GDPR, unless your enquiry is intended to take steps prior to entering into, to perform or to terminate a contract with us. In this case, the legal basis follows from Art. 6(1), sentence 1, lit. b GDPR. You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you based on Art. 6(1), sentence 1, lit. f GDPR (Art. 21(1) GDPR), including sharing your personal data with our aforementioned partners.

Data retention and erasure takes place according to the criteria we explain under section 3.1 above.

4. How We Process Personal Data When You Send Us Your Application For a Job Offer

4.1 Use of Personio for Job Offer and Application Management

We use the personnel administration and applicant management software of Personio GmbH, Rundfunkplatz 4, 80335 München, Germany (“Personio”). If you send us your application through Personio’s application form, personal data included therein will be transmitted and stored using TLS encryption to Personio’s servers located in Frankfurt, Germany. Such data can only be accessed with a decryption key. We have signed a Data Processing Agreement with Personio, which is acting as a data processor and processes personal data of applicants on our behalf and instructions. Personio provides more information on its efforts to comply with the GDPR and its technical and organizational measures at https://www.personio.com/data-security/. For the processing of personal data on Personio’s website, please refer to their data privacy policy available at https://www.personio.com/privacy-policy/.

4.2 Do You Have to Provide Your Personal Data to Us?

To apply for a job with us, you need to provide us with the data required for assessing and perhaps selecting you. The information required in each case can be found in the job description or will be stated specifically in the application form. This includes personal data such as your name, address, a means of contact, and proof of the qualifications required for a position with us. Upon request, we will be happy to provide you with the information required for a specific position.

You are not required to use Personio’s application form and can send us your application by letter instead, for example. Please note, however, that despite the widespread use of transport encryption, we cannot guarantee the security of the transmission of any email that you send to us for applying. Therefore, sending unencrypted emails to us is at your own risk.

4.3 Legal Basis For Processing Your Personal Data Throughout the Application Procedure

The legal basis for processing your personal data throughout the application procedure follows from Art. 6(1), sentence 1, lit. b GDPR in conjunction with Sec. 26(1), sentence 1 BDSG.

Where we collect special categories of personal data within the meaning of Art. 9(1) GDPR (e.g. health data, such as the existence of a severe disability, or ethnic origin) from applicants during the application process, to allow us or the applicant to exercise the specific rights in the field of employment and social security and social protection law, such data will be processed in accordance with Art. 9(2) lit. b GDPR in conjunction with Sec. 26(3), sentence 1 BDSG. Where necessary for the protection of vital interests of applicants or other persons, Art. 9(2) lit. c GDPR serves as a legal basis. For the purposes of preventive or occupational medicine, for the assessment of the working capacity of the applicant, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, we rely on Art. 9(2) lit. h GDPR in conjunction with applicable provisions from European Union or German law. If we ask for your voluntary and express consent in this respect, we process special categories of personal data on the basis of Art. 9(2) lit. a GDPR in conjunction with Sec. 26(3), sentence 2 BDSG.

4.4 Period For Which We Will Store Your Personal Data From the Application Procedure

If your application is successful, your applicant data will be further processed by us to establish, perform and terminate the employment relationship.

Otherwise, if the application for a job offer is not successful, the data of the applicants will be deleted. We will also erase personal data from applicants if they withdraw their application, which they are entitled to do at any time. We will erase personal data from the application procedure no later than six months after this procedure has been completed. Such storage is necessary to allow us to answer any follow-up questions about the application procedure and enable us to provide evidence under the requirements for the equal treatment of applicants arising from the General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz) and applicable time limits. Invoices for any reimbursement of travel expenses will be retained in accordance with tax law requirements (see, section 3.1 above).

5. Your Rights as a Data Subject


  • As a Data Subject, you have the right to obtain confirmation as to whether personal data relating to you are being processed by us and, where that is the case, the right to access to the personal data to you and a copy thereof (Art. 15(1) and (3) GDPR).
  • If we process inaccurate personal data, you have the right to rectification (Art. 16 GDPR).
  • In some cases described by law, you may request the erasure of personal data concerning you or the restriction of processing (Art. 17 and 18 GDPR).
  • If processing is based on your consent within the meaning of Art. 6(1), sentence 1, letter a GDPR and/or Art. 9(2), letter a GDPR, you may withdraw your consent at any time (Art. 7(3) GDPR), which would not affect the lawfulness of processing based on consent before its withdrawal.
  • If processing is based on your consent within the meaning of Art. 6(1), sentence 1, letter a GDPR and/or Art. 9(2), letter a GDPR and the data processing is carried out by automated means, you have a right to receive the personal data concerning you in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (Art. 20 GDPR).
  • You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you based on Art. 6(1), sentence 1, letter e or f GDPR (Art. 21(1) GDPR).
  • You may object to the processing of your personal data on the basis of Art. 6(1), sentence 1, letter f GDPR for direct marketing purposes at any time (Art. 21(2) GDPR), without stating grounds relating to your particular situation. However, we would like to point out that we do not process your personal data for this purpose.
  • Furthermore, you have the right to lodge a complaint with the competent data protection supervisory authority. You can for example contact the supervisory authority in the EU Member State of your habitual residence, place of work or place of the alleged infringement. The data protection supervisory authority responsible for us is the Hessian Commissioner for Data Protection and Freedom of Information, P.O. Box 3163, 65021 Wiesbaden, Germany, Telephone: +49 (0)611 1408-0, https://datenschutz.hessen.de.

If you have any questions or complaints about how we process your personal data, we recommend that you first contact us (see the contact details under section 1.1 above).

6. We Refrain from Automated Individual Decision-making

We do not make any automated decisions based solely on automated processing, including profiling, which produce legal effects concerning the visitors of our Website or similarly significantly affect them.

7. General Technical and Organizational Measures

We have taken appropriate technical and organizational measures to protect the personal data you provide against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. For instance, our employees and all persons acting under our authority are obliged to comply with data protection laws and to process personal data in a confidential manner. To protect the personal data of our users, we also use a secure online transfer protocol, the so-called “Transport Layer Security” (TLS) transmission. You can recognize this by a final “s” appended to the URL (“https://”) or a closed lock symbol in your browser. Clicking on the symbol provides you with further information about the TLS certificate used. Symbols and explanations may vary according to the browser you are using. TLS encryption ensures the encrypted and complete transmission of your data.

8. Changes to this Data Protection Notice

New legal requirements, corporate decisions or technical developments may lead to changes to this Notice and require us to adapt this Notice accordingly. You will always find the current version on our Website. Please note that external links to third-party websites or their contact information may change over time. If you find any information that is outdated, please let us know.