We are pleased that you are visiting our website. The protection and security of your personal information when using our website is very important to us. We would therefore like to inform you at this point which of your personal data we collect when you visit our website and for what purposes it is used. Personal data is individual information about personal or factual circumstances of a specific or identifiable natural person (data subject), e.g. name, address, e-mail addresses, user behaviour. This is data with which we can identify you. In addition, you will also find information on data processing processes outside of this website (e.g. video conferences or newsletters).
Person responsible for data processing
for the processing of personal data within the meaning of the EU General Data Protection Regulation (GDPR)
Hargesheimer Art Auctions Düsseldorf GmbH
Friedrich-Ebert-Strasse 11 + 12
+49 (0) 211 – 30 200 10
Data Protection Officer
Waldfeuchter Str. 266
Phone: 02452 / 99 33 11
This privacy statement complies with the legal requirements for transparency in the processing of personal data. This is any information relating to an identified or identifiable natural person. This includes, for example, information such as your name, age, address, telephone number, date of birth, email address, IP address or user behaviour when visiting a website. Information for which we cannot (or can only with disproportionate effort) establish a link to your person, e.g. through anonymisation, is not personal data. The processing of personal data (e.g. collection, retrieval, use, storage or transmission) always requires a legal basis and a defined purpose.
Stored personal data are deleted as soon as the purpose of the processing has been achieved and there are no legitimate grounds for further retention of the data. We will inform you in the individual processing operations about the specific storage periods or criteria for storage. Irrespective of this, we store your personal data in individual cases for the assertion, exercise or defence of legal claims and if there are statutory retention obligations.
Information according to Art. 13 GDPR
This information is intended for customers, interested parties, suppliers and employees. We process your personal data for the following purposes:
- To fulfil our contractual obligations to you (Art. 6 para. 1 lit. b GDPR).
- To carry out pre-contractual obligations (Art. 6 para. 1 lit. b GDPR).
- To respond to enquiries (Art. 6 para. 1 lit. b GDPR).
- If you have given us your consent to process your personal data for certain purposes (for example, to receive our newsletter), the data processing is based on your consent (Art. 6 para. 1 lit. a GDPR).
- To fulfil legal obligations to which our company is subject (Art. 6 para. 1 lit. c GDPR).
- To the extent necessary, we also process your data to protect our legitimate interests, in particular to assert legal claims and defend ourselves in legal disputes or to ensure IT security, to consult and exchange data with credit agencies to determine creditworthiness and default risks, for direct advertising and market research insofar as you have not objected to the use of your data for this purpose, for measures to manage business and further develop services and products, for measures to optimise products and sales, for measures to manage risk, to prevent or investigate criminal offences (Art. 6 para. 1 lit. f GDPR).
Categories of recipients of personal data
Within our company, only those employees have access to the data who absolutely need it to perform their tasks (need-to-know principle). Individual processes and services are carried out by carefully selected service providers who are based within the EEA and who comply with data protection regulations. If service providers commissioned by us receive access to personal data when performing your services, order processing agreements have been concluded with them in accordance with Art. 28 (3) GDPR.
Duration of data storage
The data processed by us is stored for the duration of the existence and processing of the contractual relationship and in compliance with statutory retention periods. These are, in particular, retention obligations under commercial and tax law in accordance with the German Commercial Code (HGB) and the German Fiscal Code (AO). The regular retention and documentation periods are up to ten years. If there is no contractual relationship, we only process the data for as long as the specific purpose requires.
Your data subject rights
As a data subject, you have the following rights with regard to the personal data concerning you:
- Right to information about the data we process about you.
- Right to rectification or deletion if incorrect, out of date or unlawfully collected by us.
- Right to restriction of processing if complete deletion is not possible, e.g. because we have to comply with statutory retention obligations.
- Right to object to processing where the data processing is based on a balance of interests (the so-called legitimate interest), as described above under “Purpose of the processing”. This is the case if the processing is not necessary, in particular, for the performance of a contract with you. When exercising your right to object, we ask you to explain the reasons why we should not process your data as we have done.
Of course, you can also object to the processing of your personal data for advertising purposes at any time. To do so, send your objection to our address given in the imprint or write us an e-mail to the address given in the imprint.
- Right of revocation if you have given us consent to process your data. You can assert your revocation against our company at any time without giving reasons. To do so, please contact the address given in the imprint.
- In addition, you have the right to complain to a data protection supervisory authority about the processing of your personal data by our company.
If you have any questions about data protection, please contact us by e-mail at the address given in the imprint.
Data processing under the Money Laundering Prevention Act
According to § 2 para. 1 GwG (Money Laundering Prevention Act), we are obliged to comply with measures to prevent money laundering and terrorist financing. The measures required by law include, among others, the identification of contractual partners (§ 11 GwG) if a certain transaction amount is exceeded. Under certain circumstances, we are also obliged to report suspicious transactions or transaction intentions (§§ 43 ff. GwG). As part of the mandatory identification and / or reporting, we collect personal data and, if necessary, pass it on to the Central Financial Transaction Investigation Unit (FIU). The legal basis for the collection and forwarding of data is Art. 6 Para. 1 lit. c) GDPR in conjunction with the respective statutory provisions of the GwG. Unless other statutory provisions on record-keeping and retention obligations provide for a longer period in individual cases, we are obliged to retain the data for five years. After the expiry of the retention period, the data will be destroyed in accordance with data protection law without the need for a separate request to do so.
Under the conditions of the statutory provisions of the General Data Protection Regulation (GDPR), you have the following rights as a data subject:
- Information pursuant to Art. 15 GDPR on the data stored about you in the form of meaningful information on the details of the processing as well as a copy of your data;
- Correction according to Art. 16 GDPR of incorrect or incomplete data stored by us;
- Deletion pursuant to Art. 17 GDPR of the data stored by us, insofar as the processing is not necessary for the exercise of the right to freedom of expression and information, for the fulfilment of a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims;
- Restriction of processing pursuant to Art. 18 GDPR, insofar as the accuracy of the data is disputed, the processing is unlawful, we no longer need the data and you object to their deletion because you need them for the assertion, exercise or defence of legal claims or you have objected to the processing pursuant to Art. 21 GDPR.
- Data portability pursuant to Art. 20 GDPR, insofar as you have provided us with personal data within the scope of consent pursuant to Art. 6 Para. 1 lit. a GDPR or on the basis of a contract pursuant to Art. 6 Para. 1 lit. b GDPR and these have been processed by us with the aid of automated procedures. You will receive your data in a structured, common and machine-readable format or we will transfer the data directly to another responsible party, insofar as this is technically feasible.
- Objection according to Art. 21 GDPR against the processing of your personal data, insofar as this is carried out on the basis of Art. 6 Para. 1 lit. e, f GDPR and there are reasons for this which arise from your particular situation or the objection is directed against direct advertising. The right to object does not exist if overriding compelling legitimate grounds for the processing can be demonstrated or the processing is carried out for the assertion, exercise or defence of legal claims. Where the right to object does not exist for individual processing operations, this is indicated there.
- Revocation pursuant to Art. 7 (3) GDPR of your consent with effect for the future.
- Complain to a supervisory authority pursuant to Art. 77 GDPR if you believe that the processing of your personal data violates the GDPR. As a rule, you can contact the supervisory authority of your usual place of residence, your place of work or our company headquarters.
Data processing in detail
In the following, we inform you about the individual processing operations, the scope and purpose of the data processing, the legal basis, the obligation to provide your data and the respective storage period. An automated decision in individual cases, including profiling, does not take place.
Provision of the website
When you call up and use our website, we collect the personal data that your browser automatically transmits to our server. The following information is temporarily stored in a so-called log file:
- IP address of the requesting computer
- Date and time of access
- Name and URL of the retrieved file
- Website from which the access is made (referrer URL)
- Browser used and, if applicable, the operating system of your computer, as well as the name of your access provider.
Our website is not hosted by ourselves, but by a service provider who processes the aforementioned data on our behalf in accordance with Art. 28 GDPR for the purpose of providing the website.
The hoster is used for the purpose of contract fulfilment vis-à-vis our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR).
We use the following hoster:
ALL-INKL.COM – Neue Medien Münnich
Owner: René Münnich
Hauptstraße 68 | D-02742 Friedersdorf
Nature and scope of the processing
When you send us enquiries (e.g. via contact form, e-mail or telephone), we store all data resulting from this (e.g. name, e-mail address, subject of the enquiry, etc.). We need this data to process your enquiry and to be able to answer follow-up questions. We do not pass on this data without your consent.
Purpose and legal basis
The processing of this data is based on Art. 6 (1) lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. Otherwise, the processing is based on our legitimate interest in the effective processing of the requests addressed to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR) if you have given it beforehand.
The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after we have completed processing your enquiry). Mandatory legal provisions – in particular retention periods – remain unaffected.
Contact form for applicants
Nature and scope of the processing
You have the opportunity to apply to us on our website (e.g. by e-mail, post or via the online application form).
Purpose and legal basis
We process the personal data of applicants in accordance with the legal requirements for the purpose of processing the application procedure and carrying out pre-contractual measures within the meaning of Art. 6 para. 1 lit. b. GDPR and § 26 BDSG according to German law (initiation of an employment relationship) and – if you have given your consent – Art. 6 para. 1 lit. a GDPR. The consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.
If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of Section 26 BDSG and Art. 6 (1) lit. b GDPR for the purpose of implementing the employment relationship.
Your data will be stored for a period of 6 months beyond the end of the application process. This is usually done to fulfil legal obligations or to defend against any claims arising from legal regulations. We are then obliged to delete or anonymise your data. In this case, the data is only available to us as so-called metadata without direct personal reference for statistical evaluations (for example, proportion of women or men in applications, number of applications per period, etc.).
If it is evident that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), the data will only be deleted when the purpose for continued storage no longer applies.
Admission to the applicant pool
As part of the application process, we offer applicants the opportunity to be included in our “talent pool” for a period of 12 months on the basis of consent within the meaning of Art. 6 Para. 1 lit. a. GDPR to be included.
The application documents in the talent pool will be processed solely in the context of future job advertisements and the employee search and will be destroyed at the latest after the deadline. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process and that they can revoke this consent at any time for the future.
If you receive an offer of employment with us as part of the application process and accept this, we store the personal data collected as part of the application process for at least the duration of the employment relationship.
We offer you our newsletter on this website. If you would like to subscribe to it, we need your e-mail address and other data proving that it is your e-mail address and that you agree to receive the newsletter. No other personal data is collected unless you provide it voluntarily (e.g. name, telephone number, place of residence, etc.).
When processing the data you provide when registering for the newsletter, we rely exclusively on your consent pursuant to Art. 6 (1) lit. a GDPR as the legal basis. You can revoke your consent to the processing and storage of your personal data at any time (e.g. via the “unsubscribe” link in the newsletter) for the future.
We store your personal data that you have provided for the purpose of receiving the newsletter until you unsubscribe from the newsletter with us or the dispatch service provider. This does not apply to data that we have stored from you for other purposes.
If you unsubscribe from the newsletter mailing list, your email address will be stored in a blacklist by us or the mailing service provider for an indefinite period of time. This is done to prevent future mailings to you. The data from the blacklist will only be used for this purpose and will not be merged with other data. This is not only in your interest, but also in our legitimate interest according to Art. 6 para. 1 lit. f GDPR to fulfil our legal obligations when sending newsletters. You can object to the storage if your personal interests outweigh our legitimate interest.
Registration of a customer account
We collect, process and use personal data only insofar as they are necessary for the establishment, content or amendment of the legal relationship (inventory data). This is done on the basis of Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures. We process and use personal data about the use of this website (usage data) only insofar as this is necessary to enable the user to use the service or to bill the user.
The collected customer data will be deleted after completion of the order or termination of the business relationship. Statutory retention periods remain unaffected.
You have the option of creating a customer account, which allows us to store the data you provide for future purchases. This data is stored revocably when the account is opened and can be deleted by you in the customer area at any time.
When you register, we may initially collect the following data:
- Salutation, first name, last name,
- a valid e-mail address,
- Telephone number (landline and/or mobile)
- Copy of ID
The collection of this data takes place,
- to be able to identify you as our customer;
- in order to be able to process, fulfil and handle your order;
- for correspondence with you;
- for invoicing;
- for the settlement of any existing liability claims, as well as the assertion of any claims against you;
- to ensure the technical administration of our website;
- To comply with applicable laws, especially in the area of money laundering prevention.
- to manage our customer data.
We are obliged by commercial and tax law to store your address, payment and order data for a period of ten years.
Your personal data will only be passed on to third parties by us to the service partners involved in the processing of the contract. In cases where your personal data is passed on to third parties, we strictly adhere to the principle of data minimisation.
Presence on social media platforms
Data processing by social networks
We operate publicly accessible profiles on social networks. You can find the social networks we use in detail below.
Social networks such as Facebook, Twitter etc. can generally analyse your user behaviour extensively. By visiting our social media presences, the following data protection-relevant processing operations are triggered:
If you are logged into your social media account and visit our profile, the operator of this social medium can track this visit. Independently of this, the operator may also process your data (e.g. IP address) under certain circumstances if you are not logged into your account or you do not have an account at all.
The operator summarises this data in user profiles in which your preferences and interests are stored. These profiles are used to display personalised advertising inside and outside the respective social media presence. If you have an account with the respective social network, the personalised advertising can be displayed on all devices on which you are or were logged in.
Our social media presences are intended to ensure the most comprehensive presence possible on the Internet within the meaning of Art. 6 (1) lit. f GDPR. The analysis processes carried out by the operators of the social networks may be based on different legal bases, which are to be specified by the respective providers.
Responsible person and assertion of rights
If you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. In principle, you can assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (e.g. Facebook).
Despite the joint responsibility with the social media portal operators, we have no full influence on the data processing procedures of the portals. Our options are largely determined by the corporate policy of the respective provider.
The data collected directly by us via the social media presence will be deleted from our systems as soon as you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies. Mandatory legal provisions – in particular retention periods – remain unaffected.
We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The data collected is also transferred to the USA and other third countries.
We have entered into a Joint Processing Agreement (Controller Addendum) with Facebook which sets out which data processing operations we and Facebook are responsible for. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.
You can adjust your advertising settings independently in your user account. To do so, click on the following link and log in: https://www.facebook.com/settings?tab=ads.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.
You can find more information on data processing by Facebook at https://www.facebook.com/about/privacy/.
We have a profile on Instagram. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875 and https://de-de.facebook.com/help/566994660333381.
We use online conferencing tools to communicate with our clients. The tools we use in detail are listed below. When you communicate with us via video or audio conferencing, your personal data will be collected and processed by us and the provider of the relevant tool.
The tools collect the data you provide, including your email address and phone number. They also process the duration of the conference, when you attended the conference, number of participants and other metadata.
In addition, the provider of the tool processes all technical data that are necessary for the handling of the conference. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or speakers, and the type of connection.
When you share content in this service, it is stored on the providers’ servers. This includes cloud recordings, chat messages, voice messages and photos and videos you have shared while using this service.
Please note that we do not have full influence on the data processing procedures of the tools used. For further information on data processing by the conference tools, please refer to the data protection declarations of the respective tools used.
Purpose and legal basis
The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6 para. 1 lit. b GDPR). Furthermore, the use of the tools serves the general simplification and acceleration of communication with us or our company (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). If you have previously given your consent to data processing, your data will be processed solely on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.
The data collected directly by us via the video and conference tools is deleted from our systems as soon as you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies. Stored cookies remain on your terminal device until you delete them. Mandatory legal retention periods remain unaffected.
We have no influence on the storage period of your data, which is stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.
Communication via WhatsApp
For communication with our customers and other third parties, we use, among other things, the instant messaging service WhatsApp Business, of WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
WhatsApp is used on the basis of our legitimate interest in communicating as quickly and effectively as possible with customers, interested parties and other business and contractual partners (Art. 6 para. 1 lit. f GDPR). If you have previously given your consent to data processing, your data will be processed solely on the basis of Art. 6 para. 1 lit. a GDPR; consent can be revoked at any time.
The communication content exchanged between and on WhatsApp remains with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after processing your enquiry has been completed). Mandatory legal provisions – in particular retention periods – remain unaffected.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.whatsapp.com/legal/business-data-transfer-addendum.
The company is certified according to the “EU-US Data Privacy Framework” (DPF), an agreement between the European Union and the USA, which aims to ensure compliance with European data protection standards for data processing in the USA. Certification under the DPF obliges companies to comply with these data protection standards. You can find more information at: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt00000011sfnAAA&status=Active
We have set our WhatsApp accounts so that it does not automatically match data with the address book on the smartphones in use.
To ensure that personal data is processed according to our specifications and in compliance with the GDPR, we have concluded a contract on commissioned processing (AVV) with the provider.
We use on this website functions and services of Elfsight, a service of SP Iusupov A.A., 0015, Armenia, Yerevan, Paronyana str., 19/3, 201.
Type and scope of data processing
We use Elfsight on this website with reference to Art. 6 para. 1 lit. f GDPR to inform you about the quality of our services. If you have given your consent to the processing of your data, the data processing is based solely on Art. 6 para. 1 lit. a GDPR in conjunction with §25 para. 1 TTDSG. You can revoke your consent at any time.
To ensure that personal data is processed according to our specifications and in compliance with the GDPR, we have concluded an order processing agreement (AVV) with the provider.
We use etracker services and functions on this website, which are offered by etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany, to analyse the user behaviour of our website visitors.
Through the analysis, data of the visitors is collected, with which pseudonymised profiles of the users can be created. In doing so, etracker uses technologies (e.g. cookies or fingerprinting systems) to recognise visitors when they visit the website again. The collected data is not used to identify you as a user or to combine it with other personal information about you, unless you give your consent.
When using etracker, we rely on Art. 6 (1) lit. f GDPR as the legal basis for processing personal data, as we have a legitimate interest in analysing the use of our website. This enables us to optimise our online presence and offers for you. If you have previously given your consent to the processing of data on this website by etracker, the processing of your data will take place solely on the legal basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. You can revoke your consent at any time.
To ensure that personal data is processed according to our specifications and in compliance with the GDPR, we have concluded a contract on commissioned processing (AVV) with the provider.