Privacy Policy
This privacy policy applies to my website (www.isabellagorny.com) and the services I provide online and in person. It was last updated on 17 February 2026.
1. Who is responsible for the processing of your personal data?
Controller of the personal data pursuant to Article 4 (7) of the General Data Protection Regulation (GDPR):
Isabella Gorny
Gorny & Mosch GmbH
Maximiliansplatz 20
80333 Munich
Germany
2. For which purposes do I process your personal data and on which legal basis?
a) Visiting my website
aa) Log data
When you visit my website, your browser automatically sends information to my server. I process this usage and log data such as:
IP address from which you access my website;
date and time of access;
name and URL a file you retrieved;
referrer URL (website from which you accessed my website);
browser type and operating system;
screen resolution;
access provider
for the following purposes:
to display my website to you;
to evaluate and ensure stability and security of my website;
for statistical evaluations in the context of my website’s operation.
Legal basis for this processing is Article 6 (1) (f) GDPR. My legitimate interest follows from the aforementioned purposes. The log data are automatically deleted after your browser session, at the latest after seven days – unless further storage is required for the aforementioned purposes.
b) Contacting me
When you get in touch with me by email, phone or via a contact form on my website, I process the personal data you submit (e.g. name, email, phone, message) to respond to your request and, if applicable, for further correspondence.
Legal basis for this processing is Article 6 (1) (b) GDPR for requests within the scope of a contract or prior to a contract and Article 6 (1) (f) GDPR for other requests. My legitimate interest follows from the aforementioned purpose to respond to your request.
c) Buying my art, using my services
When you buy my art or use my services, I process the necessary personal data based on Article 6 (1) (b) GDPR.
If I process data concerning health or other special categories of personal data pursuant to Article 9 (1) GDPR, this processing is based on your consent pursuant to Article 9 (2) (a) GDPR. The consent can be withdrawn at any time.
e) Marketing messages
aa) Newsletter
I will only send you my email newsletter with information about my activities and invitations to upcoming events if you have given your prior consent pursuant to Article 6 (1) (a) GDPR. You may unsubscribe at any time, for example by using the link at the end of each marketing email or by email to isabella@isabellagorny.com.
If you subscribe to my newsletter, the data submitted in the form will be transmitted to me. The registration for my newsletter takes place in a so-called double opt-in procedure. This means that after registration, you will receive an email in which you are asked to confirm your registration. This confirmation is necessary so that no one can register with other people’s email. When registering for the newsletter, the user’s IP address and the date and time of registration are stored. This serves to prevent misuse of the services or the email address of the person concerned. The data is not passed on to third parties. An exception exists if there is a legal obligation to pass on the data. The data is used exclusively for sending the newsletter. You can unsubscribe from the newsletter and withdraw your consent to the storage of your personal data at any time. For this purpose, an unsubscribe link can be found in each marketing email. Legal basis for the processing of the data after registration for the newsletter is your consent pursuant to Article 6 (1) (a) GDPR.
bb) Existing customers
If you have already bought my art or used my paid services as a client, I may inform you by email or letter about similar products or services of mine if you have not objected to this. Legal basis for this processing is Article 6 (1) (f) GDPR in conjunction with Section 7 (3) of the Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG). My legitimate interest follows from the aforementioned purpose of direct marketing (cf. Recital 47 GDPR).
You may object to the use of your email or postal address for marketing purposes at any time without additional costs, for example by using the link at the end of each marketing email or by email to isabella@isabellagorny.com.
f) Other purposes
If necessary, I may process personal data for other purposes, in particular:
to assert legal claims and defense in legal disputes;
to ensure IT security;
to prevent and investigate criminal offences.
Legal basis for this processing is Article (6) (1) (f) GDPR. My legitimate interest follows from the aforementioned purposes.
3. Who gets access to your personal data?
I do not pass on personal data to third parties except where
you have given your prior consent pursuant to Article 6 (1) (a) GDPR;
necessary to enforce my rights, in particular, to assert legal claims and defense in legal disputes and there is no overriding interest on your side pursuant to Article 6 (1) (f) GDPR;
there is a legal obligation pursuant to Article 6 (1) (c) GDPR;
necessary for the performance of or entering into a contract with you pursuant to Article 6 (1) (b) GDPR.
I may use service providers (for example companies in the IT services, telecommunications, and marketing industries) as processors. These service providers may also receive data as processors for me if this is permissible under data protection law.
4. How long do I store your personal data?
I erase your personal data when it is no longer needed for the purpose for which it was originally collected.
I process your personal data for the duration of our business relationship if necessary.
After expiry of relevant retention and documentation obligations as well as relevant statutory limitation periods, I delete the data.
I am subject to various storage and documentation obligations which may arise, among other things, from the Commercial Code (Handelsgesetzuch – HGB) and the Fiscal Code (Abgabenordnung – AO). The retention and documentation periods specified there are 6 years for correspondence in connection with the conclusion of a contract and 10 years for accounting documents pursuant to Sections 238, 257 (1) and (4) HGB, Section 147 (1) and (3) AO.
Statutory limitation periods are, for example, generally 3 years, but they can, in certain cases, be up to 30 years pursuant to Sections 195 et seq. of the Civil Code (Bürgerliches Gesetzbuch – BGB).
Log data and cookies are deleted within the periods specified in 2. a) aa) and bb) above.
5. Which data protection rights do you have?
You have the following rights regarding your personal data processed by me:
access pursuant to Article 15 GDPR in conjunction with Section 34 of the Federal Data Protection Act (Bundesdatenschutzgesetz — BDSG);
rectification pursuant to Article 16 GDPR;
erasure pursuant to Article 17 GDPR in conjunction with Section 35 BDSG;
restriction of processing pursuant to Article 18 GDPR;
data portability in a structured, current and machine-readable format pursuant to Article 20 GDPR.
Where the processing of your personal data is based on legitimate interests pursuant to Article 6 (1) (f) GDPR, you have the right to object to the processing of your personal data pursuant to Article 21 GDPR if there are reasons for this arising from your particular situation pursuant to Article 21 (1) GDPR or where your personal data are processed for direct marketing purposes pursuant to Article 21 (2) GDPR. In the latter case, you have a general right to object – without the need to specify any reasons for your objection.
Where the processing of your personal data is based on your consent pursuant to Article 6 (1) (a) GDPR, you have the right to withdraw your consent at any time pursuant to Article 7 (3) GDPR. As a result, I cannot continue processing your personal data based on this consent in the future.
To assert these rights, you may contact us by email to isabella@isabellagorny.com or under the contact details in 1. above.
Irrespective of these rights, you also have the right to lodge a complaint with a supervisory authority – in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement – if you consider that the processing of your personal data infringes applicable data protection regulations (Article 77 GDPR in conjunction with Section 19 BDSG).