The following data privacy rules address how your personal data is handled and processed for the services that we offer you when you contact us initially, or where you communicate such data to us when logging in to take advantage of our further services.
The “controllers” within the meaning of the European General Data Protection Regulation* (GDPR) and other regulations relevant to data privacy are:
Art Directory GmbH, Erich-Fischer-Straße 3, D-78333 Stockach
Definitions under the new European GDPR made transparent for you:
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing of Your Personal Data
“Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
We also need this from you – whereby this is granted by you completely voluntarily – in the event that either we ask you for personal data that is not required for the performance of a contract or to take action prior to contract formation, and/or where the lawfulness criteria set out in Art. 6 (1) sentence 1, letters c) - f) of the GDPR would otherwise not be met.
In the event consent is required, we will request this from you separately. If you do not grant the consent, we absolutely will not process such data.
As a general rule, visiting our websites is possible without actively communicating your personal data (except for your IP address, which is sent automatically). We do not establish a profile at the individual level, we do not engage in any database marketing, and we do not sell any data.
Every time our website is accessed and every time a file is retrieved, we save data regarding that process in a log file. Such data includes:
IP address, date and time of access, description of the type of browser used and the requested access method/function of the requesting computer, type and/or category of file accessed, data volume, report of whether the attempted access was successful.
This data is saved and evaluated to the extent required for processing and for resolving technical issues. This data is not disclosed to third parties. The IP address is saved for a reasonable and permissible period of time for purposes of discovering abuse, defending against cyber-attacks, and for detecting and fixing malfunctions, and is subsequently anonymized (via truncation). To the extent that analytical tools are used, the IP address is likewise disclosed only in the aforementioned anonymized form.
Personal data that you provide to us for purposes of performance of a contract or to take action prior to contract formation and which is required for such purposes and processed by us accordingly includes, for example:
At the same time, we have the right in connection with contract fulfillment and for purposes of taking appropriate actions that lead to contract formation to obtain supplemental information from third parties (for example: if you assume obligations to us, we generally have the right to have your creditworthiness verified by a credit reporting agency within the limits allowed by law. Such necessity exists in particular due to the special characteristics of auction sales, since in the event your bid is declared the winning bid, you will be depriving the next highest bidder of the possibility of purchasing the artwork. Therefore your credit standing – regarding which we always maintain the strictest confidentiality – is extremely important.)
Registration/Logging In/Providing Personal Data When Contacting Us
You can choose to register with us and provide your personal data either directly (over the phone, through the mail or via email) or on our website.
You would do this, for example, if you would like to participate in an online auction and/or are interested in certain works of art, artists, styles, eras, etc., or want to offer us (for example) pieces of art for purchase or sale.
Which personal data you will be providing to us is determined based on the respective input screen that we use for the registration or for your inquiries, or the information that we will be requesting from you or that you will be providing voluntarily. The personal data that you enter or provide for this purpose is collected and stored solely for internal use by us and for our own purposes.
We have the right to arrange for this information to be disclosed to one or more external data processors, for example a delivery service, which will likewise use it solely for internal use imputed to the processor’s controller.
This can also be, for example, to the art trade which we cooperate with in case you contact us with the intention to purchase or sell a certain object or express your interest in doing so. On the basis of your aforementioned interest in buying or selling a certain object, and your knowledge of the fact that we can act as an intermediary with the art trade, it is in mutual interest, also in accordance with Article 6 (1) sentence 1 (f) of the GDPR, that the art trading company which we informed about your interest to get in contact you with the intention of contract initiation/contract processing. We will only disclose those personal data relevant for this purpose, such as name, address, other contact details, information on the object, style, era and price ideas.
When you show an interest in our services, in each case accompanied by the voluntary provision of your personal data, this simultaneously allows us to notify you of services offered by our house, to provide you with targeted marketing materials, and to send you promotional offers on the basis of your profile by phone, mail, or email. If there is a specific form of notification that you prefer, we will be happy to arrange to meet your needs once you inform us of these. The same is permitted to aforementioned data processors, e.g. the art trade, to whom we will pass on your personal data regarding your interest in purchase or sale. We assure highest possible confidentiality at all times.
When you show an interest in certain works of art, artists, styles, eras, etc., be this through your above-mentioned participation at registration, through your interest in selling, consignment for auction, or purchase, in each case accompanied by the voluntary provision of your personal data, this simultaneously allows us to notify you of services offered by our house and our company that are closely associated in the art marketplace with our auction house, to provide you with targeted marketing materials, and to send you promotional offers on the basis of your profile by phone, mail, or email. If there is a specific form of notification that you prefer, we will be happy to arrange to meet your needs once you inform us of these.
You can use the “Help” function on most web browsers to learn, for example, how you can block cookies or delete cookies that have been received. This allows you to permanently reject the storage of cookies. We would like to point out, however, that the parts of our online services that require you to be logged in will no longer function without cookies.
Your Rights Relating to the Processing of Your Personal Data
Pursuant to the provisions of the GDPR, you have the following rights in particular:
Where the processing of your personal data is based on consent as set out in Art. 6 (1) a) or Art. 9 (2) a) of the GDPR, you also have the right to withdraw consent as set out in Art. 7 of the GDPR. Before any request for corresponding consent, we will always advise you of your right to withdraw consent.
To exercise the aforementioned rights, you can contact us directly using the contact information stated at the beginning. Furthermore, Directive 2002/58/EC notwithstanding, you are always free in connection with the use of information society services to exercise your right to object by means of automated processes for which technical specifications are applied.
Right to Complain Under Art. 77 of the GDPR
If you believe that the processing of personal data concerning yourself by Art Directory GmbH is in violation of the GDPR, you have the right to lodge a complaint with the relevant office, e.g. in Bavaria with the Data Protection Authority of Bavaria (Bayerisches Landesamt für Datenschutzaufsicht, BayLDA), Promenade 27 (Schloss), D-91522 Ansbach
How Long We Store Data
Multiple storage periods and obligations to archive data have been stipulated in various pieces of legislation; for example, there is a 10-year archiving period (Sec. 147 (2) in conjunction with (1) nos. 1, 4, and 4a of the German Tax Code (Abgabenordnung), Sec. 14b (1) of the German VAT Act (Umsatzsteuergesetz)) for certain kinds of business documents such as invoices. We would like to draw your attention to the fact that in the case of contracts, the archiving period does not start until the end of the contract term. We would also like to advise you that in the case of cultural property we are obligated pursuant to Sec. 45 and Sec. 42 of the German Cultural Property Protection Act (Kulturgutschutzgesetz) to record proof of meeting our due diligence requirements and to retain this for a period of 30 years. This may also include the recording and retention of some or all of your personal data. Once the periods prescribed by law or necessary to pursue or defend against claims (e.g., statutes of limitations) have expired, the corresponding data is routinely deleted. Data not subject to storage periods and obligations is deleted once the storage of such data is no longer required for the performance of activities and satisfaction of duties under the contract. If you do not have a contractual relationship with us but have shared your personal data with us, for example because you would like to obtain information about our services or you are interested in the purchase or sale of a work of art, we take the liberty of assuming that you would like to remain in contact with us, and that we may thus process the personal data provided to us in this context until such time as you object to this on the basis of your aforementioned rights under the GDPR, withdraw your consent, or exercise your right to erasure or data transmission.
Valid as of: May 2018
*Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)