Privacy Information

 “Auctions” of Dorotheum GmbH & Co KG

Date:                  29.07.2019

Subject:                  Data Protection Information (Auctions) for www.dorotheum.com

1

Processing activity

Auctions Division

2

Responsible entity

Dorotheum GmbH & Co KG

Palais Dorotheum

Dorotheergasse 17, 1010 Vienna

FN 213974 v (HG Vienna)

Email: client.services@dorotheum.at

3a

Purposes of data processing:

  • On the legal basis of contract fulfilment or contract preparation (Art. 6 para. 1 point b GDPR)

 

 

  • Purchase, sale and public auctions of movable goods (pursuant to § 158 GewO 1994 as amended) from various departments (overview of departments : https://www.dorotheum.com/en/c/all-departments-27/ )
  • Exercise of the arms trade (pursuant to § 139 GewO 1994 as amended)
  • Estimation of works of art and other movable goods of various categories
  • Catalogue production and dispatch (auction catalogues)
  • Production and dispatch of Dorotheum myART MAGAZINE
  • Auction promotion (analogue as well as online and digital)
  • Auction processing (current auctions and online auctions)
  • Buyer invoicing
  • Auction-related logistics
  • Customer service (customer consulting)
  • Operation of customer loyalty programs and the website www.dorotheum.com
  • Customer satisfaction and loyalty development though the organisation of charity auctions, sweepstakes, events and customer surveys
  • Provision of communication channels as a service for registered users (myDorotheum)
  • Auction controlling

 

3b

Purposes of data processing:

  • On the legal basis of the fulfilment of a legal obligation to which we are subject (Art. 6 para. 1 point c GDPR)

 

 

  • Measures to prevent money laundering and terrorist financing (§ 365m GewO)
  • Duties of care according to the Cultural Property Return Act (§ 9 KGRG)
  • Austrian Commercial Code (§ 212 UGB)
  • Tax code (§ 132 BAO)

 

3c

Purposes of data processing

  • On the legal basis of our (predominant) legitimate interests (Art. 6 para. 1 point f GDPR)

 

 

  • Recovery and winning of new customers
  • Direct marketing activities
  • Prevention and investigation of criminal offences
  • Provision of IT security and IT operations

 

4

Legal basis for data processing

 

  • Contract fulfilment and implementation of pre-contractual measures
  • Direct marketing activities

 

5

Description of our (predominant) legitimate interests for direct marketing purposes:

We also process personal customer data (but not those of children or special categories of personal data within the meaning of Art. 9 GDPR [“sensitive data”]) in order to use them as information sources regarding our services and for direct advertising for (further) services.

We process personal data relating to persons with whom we have had personal contact (e.g. at auctions, events, trade fairs, invitations, etc. ...) through exchanging business cards, for the purpose of establishing contact, for the establishment of a contact database and for customer acquisition. Data derived from business cards may be supplemented with data from public sources (e.g. company register, company website).

We have a legitimate interest in the processing of personal data for the purpose of direct marketing (recital 47, last sentence of the GDPR). The customer data that we have at our disposal from existing contractual relationships and for which the storage period is still valid will be processed. This does not extend the storage period. The primary goal of data processing is customer acquisition with the aim of re-establishing a (pre-)contractual relationship and securing customer loyalty. In doing so, we rely on the freedom of employment protected by conventional and constitutional law (Art. 6 StGG) and freedom of communication (in particular Art. 10 ECHR, which also protects advertising measures) and on the following rights:

  • for the transmission of postal information and advertising including the dispatch of catalogues and Dorotheum myART MAGAZINE;
  • to make intelligence-related and advertising calls following consent;
  • for the transmission of electronic mail (e-mail and auction newsletters) following consent;
  • for the transmission of electronic mail (e-mail and auction newsletters) pursuant to Art. 107 para. 3 TKG (“Existing Customer Information”).

 

6

Opposition to processing for the purposes of direct marketing (Art. 21 GDPR)

You may object to the use of your personal data for direct marketing purposes at any time and without stating reasons. The objection means that we will no longer process your personal data for these purposes in the future.

7

Description of our (predominant) legitimate interests for purposes of data processing within the Group:

We are part of a group of companies. In order to fulfil our extensive obligations, we also make use of the services of affiliated companies. We have a predominant legitimate interest in this (recital 48 of the GDPR).

8

Evaluation of personal aspects of the client (“profiling”)

“Scoring”:

For the purpose of optimal customer care, we store customer activities (e.g. submissions, complaints, etc.) so that we can take relevant and targeted measures to improve customer satisfaction and loyalty and customise our service.

 

“Profiling”:

For the purpose of optimal customer service and customer information, we store the areas of interest (categories) selected by you in myDorotheum as well as the objects to be observed selected by you. We use these rated interests to automatically notify you by e-mail.

9

Opposition to profiling

You may object to the use of your personal data for profiling purposes at any time and without stating reasons or deactivate the relevant areas of interest in myDorotheum. The objection or deactivation in myDorotheum means that we will no longer process your personal data for profiling purposes in the future.

10

Obligation to provide personal data

You must provide us with your personal data in order to enable us to fulfil the contract in accordance with our General Terms and Conditions for Auctions (https://www.dorotheum.com/de/c/agb-47/) and in compliance with the statutory provisions mentioned in section 3b.

11

Automated decision making

You are not subject to any automated decision that has any legal effect on you.

12

External recipients of your personal data within the Group

 

  • Dorotheum spol. s r.o. (Czech Republic)
  • Dorotheum s.r.l. (Italy)
  • Dorotheum Ltd (United Kingdom)
  • Doro internet Handels GmbH & Co KG
  • Dorotheum Beteiligungs-GmbH

 

13

Categories of external economic service providers to whom we may transfer your personal data if required

 

  • Tax Consultant / Auditor
  • Lawyers
  • Contracted service providers:
    • Logistics partner
    • NL dispatch service provider
    • Software service provider
    • Agencies
    • Print shops

 

14

Third country transfer

USA (EU-US Privacy Shield) - see paragraphs 20 to 24

15

Storage period

We will delete your personal data as soon as it is no longer required for the above-mentioned purposes. Personal data may be retained for the period during which claims may be asserted against our company (statutory limitation period of thirty years), as well as for contractual documentation and proof of ownership.

In addition, we store your personal data insofar as we are legally obliged to do so. Corresponding duties of proof and storage result, among other things, from the duties of care under the Cultural Property Return Act (§ 9 KGRG), which also provide for a storage duty of 30 years in order to make the cultural property and its contributor identifiable, including the purchase and sales prices, the Commercial Code, the Tax Code and the provisions of commercial law to prevent money laundering and terrorist financing. The storage periods are at least five and seven years respectively.

16

Your rights with respect to us:

 

 

Basis

Content

 

Right to revoke consent under data protection law (Art. 7 para. 3 GDPR)

As a person affected by the processing of personal data, you have the right to revoke your consent to the processing of your personal data at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of consent up to the revocation.

 

Right to information (Art. 15 GDPR and Art. 4 (6) DSG)

You have the right to request information from us as to whether your personal data is being processed, provided that the provision of this information would not endanger business or commercial interests of the responsible person or third party.

 

Your right of access includes the following information:

  • processing purposes,
  • the categories of personal data processed by us,
  • the recipients or categories of recipients to whom personal data have been or will be disclosed,
  • if possible, the planned duration for which your personal data will be stored or, if this is not possible, the criteria for determining this duration,
  • the existence of your right to correction or deletion of the personal data concerning you or to restriction of processing by us as the responsible party or your right to object to this processing,
  • the existence of a right of appeal to the Austrian Data Protection Authority as supervisory authority.

 

 

Right to rectification of data (Art. 16 GDPR)

You have the right to demand the immediate correction of your incorrect personal data or its completion.

 

Right to data deletion (Art. 17 GDPR)

You have the right to demand that your personal data be deleted immediately if the reasons stated in Art. 17 para. 1 GDPR are fulfilled.

 

Right to limit data processing (Art. 18 GDPR)

You have the right to demand that the processing of your personal data be restricted if the reasons stated in Art. 18 para. 1 GDPR are fulfilled.

 

Right to data transferability (Art. 20 GDPR)

You have the right to receive the personal data that you have provided to us in a structured, common and machine-readable format, provided that the legal requirements are met.

 

Right of opposition (Art. 21)

You have the right to object at any time to the processing of your personal data for the purpose of direct marketing.

17

Right of appeal (Art. 77 GDPR and § 24 DSG)

You have the right to lodge a complaint with the supervisory authority if you are of the opinion that the processing of your personal data violates the GDPR or the DSG.

18

Supervisory authority

Austrian Data Protection Authority Wickenburggasse 8-10, 1080 Vienna

Phone: +43 1 52 152-0 E-mail: dsb@dsb.gv.at

www.dsb.gv.at

19

Auction Newsletter

The dispatch of our auction newsletter takes place on the basis of consent given by you.

You can unsubscribe from the auction newsletter by clicking the unsubscribe link at the end of each auction newsletter. If you have subscribed to other Dorotheum-Juwelier, Dorotheum-Pfand or Dorotheum-Galerie newsletters, the cancellation of your subscription from the auction newsletter will not affect the newsletters you have subscribed to in other Dorotheum areas. You must cancel these separately in each case.

For the dispatch of our auction newsletter we commission an external service provider. The latter has undertaken to comply with the applicable data protection provisions vis-à-vis us.

20

myDorotheum

Registration for myDorotheum takes place using the double opt-in procedure. After registration you will receive an e-mail asking you to confirm your registration. This confirmation e-mail is used to check whether the owner of the e-mail address as the person concerned has authorised the receipt of automated notifications. The personal data transferred to us when you register for myDorotheum is determined by the input mask used for this purpose.

21

Contact via our website www.dorotheum.com

Due to legal requirements, our website contains information that enables us to be contacted electronically quickly and enables you to communicate directly - including by electronic means - with our company. If you contact us by e-mail or via a contact form, the personal data you provide will be stored automatically. Such personal data transmitted to us by you on a voluntary basis will be stored by us for the purpose of processing or contacting you. This personal data will not be passed on to third parties.

22

Privacy policy regarding the use of Google Analytics on www.dorotheum.com

This website uses Google Analytics, a web analysis service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

 

Google Analytics uses so-called “cookies”, that is, text files that are stored on your computer for the purpose of enabling an analysis of how users navigate the website. The information generated by the cookie about your use of this website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will comply with the privacy provisions of the US Safe Harbor Agreement.

 

During your visit to our website the following data will be recorded:

 

  • Pages viewed
  • Your behaviour on the pages (e.g. clicks, scrolling behaviour and length of stay)

 

  • Your approximate location (country and city)
  • Your IP address (in abbreviated form, so that no clear identification is possible)
  • Technical information such as browser, Internet provider, terminal device and screen resolution
  • Source of your visit (i.e. via which website or advertising medium you came to us)

 

Google will use this information for the purpose of evaluating how you use the website, drafting reports on website activity for website operators and providing further services related to website activity and Internet usage.

 

However, if IP anonymisation is activated on this website, your IP address will be first shortened within Member States of the European Union or in other states that are signatories of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. IP anonymisation has been activated on this webpage.

 

Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.

 

You can prevent the installation of cookies by selecting the appropriate setting of your browser software. However, it must be emphasised that in this case you may not be able to use the full functionality of this website.

 

You can also prevent Google from collecting and processing the data generated by the cookie concerning your use of the website (including your IP address) by downloading and installing the browser plug-in available at the following link: tools.google.com/dlpage/gaoptout

 

For more information about Google’s terms of use and privacy policy, please visit www.google.com/intl/de/policies/ bzw. unter www.google.com/intl/de/policies/privacy/.

 

Please note that on this website Google Analytics has been expanded with the code “gat._anonymizeIp();” in order to ensure an anonymised collection of IP addresses (so-called IP masking).

 

Dorotheum GmbH & Co KG uses Google Analytics to analyse website use, e.g. in the form of anonymous evaluations and graphics on page views and visits, as well as for remarketing, reports on impressions in the Google Display Network, integration of DoubleClick Campaign Manager and Google Analytics reports on performance according to demographic characteristics and interests.

 

Google Analytics stores cookies in your web browser for a period of two years from the point of your last visit. These cookies contain a randomly generated user ID that can be used to recognise you on future website visits.

 

The recorded data is stored together with the randomly generated user ID, which enables the evaluation of pseudonymous user profiles. This user-related data is automatically deleted after 14 months. Other data remain stored in aggregated form for an indefinite period.

23

Privacy policy regarding the use of Google Double Click and remarketing at www.dorotheum.com

Our website dorotheum.com uses Google Double Click, an online advertising service of Google Inc. (“Google”). Google Double Click uses so-called cookies, text files that are stored on users’ computers, enabling an analysis of their use of the website. Google Double Click also uses so-called web beacons (invisible graphics). Web beacons make it possible to evaluate specific information, such as visitor traffic to the pages of our website. The information generated by cookies and web beacons about the use of this website (including users’ IP addresses) and delivery of advertising formats is transmitted to a Google server in the Unites States for storage. Google may forward this information to its contractual partners. Google will not, however, combine your IP address with any other data you have stored.

 

Furthermore, our website uses remarketing with Google Analytics for online advertising. This allows us to offer you personalised ads based on the interests you have shown on our website in appropriate advertising spaces on other websites. This includes the use of cookies by third parties, including Google. The combined use of first-party cookies (such as Google Analytics cookies) and third-party cookies (such as DoubleClick cookies) allows us to serve you ads based on your previous visits to this site and to optimise and evaluate your experience. With the help of remarketing, information about your surfing behaviour is collected and stored for marketing purposes in anonymous form (targeting/retargeting). This data is stored on your computer using cookies. Using an algorithm, targeted product recommendations can then be displayed as personalised advertising banners on other websites (so-called publishers). Under no circumstances can this data be used to identify you personally as a visitor to this website. The collected data will only be used to improve the advertising offer.

 

Users can prevent the installation of cookies and Google Double Click in various ways:

 

a) by changing the settings on their browser software accordingly;

b) by opting out of interest-based ads from Google;

c) by opting out of interest-related ads from the advertisers that are part of the self-regulating campaign “About Ads”;

d) by permanently opting out with a browser plug-in.

 

Deleting cookies in your browser settings will also delete the settings named under b) and c).

 

You can find more information about data protection and cookies with regard to advertisements through Google Double Click in Google’s privacy statement, especially under the following links:

 

www.google.de/policies/privacy/partners/

www.google.de/intl/de/policies/technologies/ads

support.google.com/adsense/answer/2839090

24

Privacy policy regarding the use of Google Adwords

Our website dorotheum.com uses the web analysis service Google Adwords of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“ Google”). Google Adwords uses cookies for the purpose of targeting visitors via remarketing campaigns with online advertising at a later point in time in the Google advertising network. To serve remarketing ads, third parties such as Google use cookies based on a visit to this website. As a user, you have the option of deactivating the use of cookies by Google by accessing the page for deactivating Google at www.google.com/ads/preferences.

25

Privacy policy regarding the use of Facebook Custom Audiences at www.dorotheum.com

This website uses Custom Audiences, a web analysis service of Facebook Ireland Limited (“Facebook”). Facebook Custom Audiences uses so-called tracking tools (such as Pixel, SDKs and APIs), which are implemented on the website dorotheum.com and the Dorotheum mobile app. Data concerning actions taken by users on the website dorotheum.com or the mobile Dorotheum app (“Event Data”) is transferred to a server of Facebook Inc. in the USA and saved there, in order to create custom audiences of people who have visited our website dorotheum.com (“custom audiences of dorotheum.com”) or to create custom audiences of people who have used our Dorotheum mobile app (“custom audiences of the Dorotheum mobile app”).

 

In connection with such audience targeting and optimisation, Facebook will: Use Event Data collected from our website dorotheum.com or mobile app for ads optimisation only after such Event Data has been aggregated with other data collected from other advertisers or otherwise collected on Facebook. Not allow other advertisers or third parties to target advertising solely on the basis of Event Data collected from our website dorotheum.com or mobile apps.

 

By clicking the button to “accept” the cookie banners and by visiting our website dorotheum.com, the user accepts the following conditions:

 

(a) third parties, including Facebook, may use cookies, web beacons, and similar technologies to collect or receive information from dorotheum.com and elsewhere on the internet and use that information to provide measurement services and target ads,

 

(b) users of our website dorotheum.com can opt-out of the collection and use of information for ad targeting, and

 

(c) users can access a mechanism for exercising such choice (e.g. www.aboutads.info/choices oder www.youronlinechoices.eu/).

26

Privacy policy regarding the use of sharing at www.dorotheum.com

Our website hosts share buttons for the social networks Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA, Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA, YouTube, YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA, Instagram from Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. The share buttons can be recognized by their respective logos.

 

All share buttons are set up to comply with data protection regulations. Only when you click on the respective “Share Button” on our website (and only then) will a direct connection be established between your browser and the server of the operator of the respective social network. According to the operators of the aforementioned social networks, no personal and company-related data is collected from the social networks without a click on the respective share button. Such data, including the IP address, is only collected and processed for logged-in members. If you do not wish your visit to our website to be linked to your social network user account, please log out of that social network user account.

 

Within this context, we would like to point out that as the provider of the website we are not aware of the content of transmitted data or its use by social networks. You can find more information about the use of data by social networks in the privacy statements of the aforementioned social networks.

27 Privacy Policy regarding the use of Auction Mobility bidding platform:  When you register for an auction and enter the bidding room, your transactions will be processed by Auction Mobility, a US-based platform provider with whom we have a contract.   Auction Mobility is a processor and has signed onto EU Standard Contractual Clauses for the import and processing of personal data.  Auction Mobility will receive transaction information through its bidding room platform. You can learn more about how Auction Mobility uses your information in their Privacy Policy: https://www.auctionmobility.com/platform-privacy-policy/

Privacy Information (PDF)