DATA POLICY

Scope

This Privacy Policy applies to all pages of die-galerie.com (Section I) and our social media presence (Section II). It does not extend to any linked websites or online presences operated by other providers.

Data Controller

The entity responsible for the processing of personal data within the scope of this privacy policy is:

DIE GALERIE
Gesellschaft für Kunsthandel m.b.H.
Grüneburgweg 123
60323 Frankfurt am Main
Deutschland
T. +49 69 971 4710
F. +49 69 971 471-20
info@die-galerie.com

Questions regarding data protection

Should you have any questions regarding data protection in relation to our company or our website, please contact us using the details provided in the ‘Data Controller’ section.

Security

We have implemented comprehensive technical and organisational measures to protect your personal data from unauthorised access, misuse, loss and other external threats. To this end, we regularly review our security measures and adapt them to the latest technological standards.

Your rights

You have the following rights regarding your personal data, which you may exercise by contacting us:

Right of access: You may request information in accordance with Article 15 of the GDPR regarding your personal data that we process.
Right to rectification: Should the information concerning you no longer be accurate, you may request rectification in accordance with Article 16 of the GDPR. Should your data be incomplete, you may request that it be completed.
Right to erasure: You may request the erasure of your personal data in accordance with Article 17 of the GDPR.
Right to restriction of processing: You have the right, in accordance with Article 18 of the GDPR, to request a restriction on the processing of your personal data.
Right to object to processing: You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data carried out on the basis of Article 6(1)(e) or (f) of the GDPR, in accordance with Article 21(1) of the GDPR. In this case, we will not process your data further unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms. Further processing may also take place if the processing serves to assert, exercise or defend legal claims (Article 21(1) of the GDPR) . Furthermore, pursuant to Article 21(2) of the GDPR, you have the right to object at any time to the processing of your personal data for the purposes of direct marketing; this also applies to any profiling insofar as it is related to such direct marketing. We draw your attention to the right to object in this privacy policy in connection with the respective processing.
Right to withdraw your consent: Where you have given your consent to processing, you have the right to withdraw it under Article 7(3) of the GDPR.
Right to data portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format (‘data portability’), as well as the right to have this data transmitted to another controller, provided the conditions of Article 20(1)(a) and (b) of the GDPR are met (Article 20 of the GDPR).

You may exercise your rights by contacting us using the contact details provided in the “Controller” section.

If you believe that the processing of your personal data infringes data protection law, you also have the right under Article 77 of the GDPR to lodge a complaint with a data protection supervisory authority of your choice. This includes the data protection supervisory authority responsible for the controller:

The Hessian Commissioner for Data Protection and Freedom of Information, PO Box 3163, 65021 Wiesbaden or: Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Telephone: 0611/1408 0, Email: poststelle@datenschutz.hessen.de, https://www.datenschutz.hessen.de.

I. Website

1. Access data

When you visit our website, your browser transmits information to the server to enable a connection to be established and to display the content securely, quickly, stably and in the correct format on your device.

The following data may be processed in this context:

Browser type/browser version,
Operating system used,
Language and version of the browser software,
Date and time of access,
Hostname of the accessing device,
IP address,
Content of the request (specific web page),
Access status/HTTP status code,
Websites accessed via the website,
Referrer URL (the previously visited website),
Indication of whether the request was successful and
Amount of data transferred.

This data is further stored to ensure the functionality of the website and the security of the IT systems.

The legal basis for the processing is Article 6(1)(f) of the GDPR. Our legitimate interests lie in ensuring the functionality of the website as well as its integrity and security. The storage of access data, in particular the IP address, enables us to detect and prevent misuse. This includes, for example, defending against requests that overload the service or any use of bots. The access data is deleted as soon as it is no longer required to fulfil the purpose of its processing. In the case of data collected for the provision of the website, this is the case when you end your visit to the website. The log data is deleted after seven days at the latest.

You may object to the processing. Your right to object applies where there are grounds arising from your particular situation. You can send us your objection using the contact details provided in the “Data Controller” section.

2. Website maintenance and hosting

For the maintenance of our website, including hosting, we use the services of Artbutler, a service provided by teamspring GmbH, Reichenberger Str. 113a, 10999 Berlin. As part of this maintenance, Artbutler processes the access data mentioned in the section “Use of our website”, in particular your IP address and the data you provide in forms (e.g. enquiries, newsletters). The provider processes your personal data as our data processor on the basis of a data processing agreement in accordance with Article 28 of the GDPR.

3. Device information

In addition to the aforementioned access data, technologies are used when you use the website that store information on your device (e.g. desktop PC, laptop, tablet and smartphone) or access information already stored on your device. These technologies may include, for example, so-called cookies, pixels, LocalStorage, SessionStorage, IndexedDB or browser fingerprinting technologies. These technologies may be used to recognise you across devices and websites.

In accordance with Section 25(1) of the TDDDG, we generally require your consent to use these technologies. According to Section 25(2) of the TDDDG, such consent is not required only if the technologies either enable the transmission of a message via a public telecommunications network or if they are absolutely necessary to provide a telemedia service expressly requested by you.

a) Technically necessary device information

Some elements of our website serve the sole purpose of transmitting a message (Section 25(2)(1) TDDDG) or are strictly necessary to provide you with our website or individual functionalities of our website (Section 25(2)(2) TDDDG):

Language settings,
User preferences,
Log-in information,

Further information – including the storage duration of individual cookies – can be found in our Cookie Policy at https://wph24.artbutler.com/diegalerie/cookie-policy-eu/.

You can prevent this processing by adjusting the settings in your browser software. For elements whose storage period is not limited to the session, you can delete them in your browser settings once your session has ended.

b) Non-essential device information

We also use elements on the website that are not technically necessary. In accordance with legal requirements, we only use these technologies with your consent. Information on the individual technologies and functions can be found in our “Cookie Settings” within the consent management platform (“cookie banner”) as well as organised by function in the information below.

c) Consent Management Platform

We use a consent tool on our website to request your consent for the processing of your device information and personal data via cookies or other tracking technologies. This allows you to consent to or refuse the processing of your device information and personal data via cookies or other tracking technologies for the purposes listed. Such processing purposes may include, for example, the integration of external elements or statistical analysis.

You may grant or withhold your consent for all processing purposes, or grant or withhold your consent for individual purposes or individual third-party providers.

You can also change the settings you have made at a later date. The purpose of integrating the consent management platform is to allow users of our website to decide whether to accept cookies and similar functionalities, and to offer them the option to change any settings they have already made whilst continuing to use our website.

In the course of using the consent management platform, we process personal data as well as information relating to the end devices used. Information regarding the settings you have made is also stored on your end device.

The legal basis for the processing is Article 6(1)(c) of the GDPR in conjunction with Article 7(1) of the GDPR, insofar as the processing serves to fulfil the statutory obligations to provide evidence of consent. In all other respects, Article 6(1)(f) of the GDPR is the relevant legal basis. Our legitimate interests in the processing lie in the storage of user settings and preferences regarding the use of cookies and the evaluation of consent rates.

Twelve months after the user settings have been made, consent will be requested again. The user settings made will then be stored again for this period, unless you yourself delete the information regarding your user settings from the designated device storage beforehand.

You may object to the processing insofar as the processing is based on Article 6(1)(f) of the GDPR. Your right to object applies where there are grounds arising from your particular situation. You can send us your objection using the contact details provided in the “Controller” section.

The recipient of the personal data processed in this context is the provider of the consent management platform we use:

Complianz B.V. (Kalmarweg 14-5, 9723JG Groningen, Netherlands) for the “complianz” consent management platform

d) Integration of third-party content

Google Maps

This website uses the “Google Maps” service provided by “Google” (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter: “Google” and “Google Maps”) for the purpose of displaying maps or map sections, thereby enabling you to use the map function on the website conveniently. By visiting the website, Google receives the information that you have accessed the relevant subpage of our website. In addition, some of the data mentioned in the section ‘Use of our website’ is transmitted to Google. This occurs regardless of whether Google provides a user account through which you are logged in, or whether no user account exists. If you are logged in to Google, your data will be directly associated with your account. If you do not wish for this association with your Google profile, you must log out before activating the button. Google stores your data as usage profiles and processes them, regardless of whether you have a Google user account, for the purposes of advertising, market research and/or the needs-based design of its website. With regard to the storage of and access to information on your device, your consent forms the legal basis in accordance with Section 25(1) of the TDDDG; your consent also forms the legal basis for further processing in accordance with Article 6(1)(a) of the GDPR. Google also processes your personal data in the USA. An adequacy decision by the European Commission exists for data transfers to the USA. Google, LLC is certified under this decision. In addition, so-called standard contractual clauses have been concluded with Google, LLC to oblige Google, LLC to maintain an adequate level of data protection. You can obtain a copy of the standard contractual clauses at https://cloud.google.com/terms/sccs. Further information on the purpose and scope of processing by the plug-in provider and the storage period for Google Maps can be found at https://policies.google.com/privacy?hl=de.

You may withdraw your consent to the processing at any time by deselecting the toggle under “Settings” in the consent tool for the relevant third-party provider. The lawfulness of the processing remains unaffected until the withdrawal is exercised.

Matterport

For our virtual exhibition and trade fair tours (3D models), we use the “Matterport” service, a service provided by CoStar Realty Information, Inc. (1201 Wilson Boulevard, Arlington, VA 22209, USA). CoStar uses technologies such as cookies to distinguish you from other users during your virtual tour. The storage period of the cookie is limited to the duration of your visit to the website. With regard to the storage of and access to information on your device, the legal basis is Section 25(2) of the TDDDG, as the processing is strictly necessary to be able to offer you the virtual tour; for further processing, the legal basis is Article 6(1)(b) of the GDPR. CoStar also processes your personal data in the USA. To this end, standard contractual clauses have been concluded with CoStar to oblige CoStar to maintain an adequate level of data protection. You can obtain a copy of the standard contractual clauses at:

https://www.costar.com/sites/costar.com.na/files/2026-01/Costar%20DPA%20SCCs%20%28Modular%201%20%26%202%2C%203%20Schedules%201-4%29.pdf.

WordPress Plugins

As part of the operation of our website, various plugins provided by “WordPress” (Automattic, Inc., 60 29th Street #343, San Francisco, CA 94110-4929, USA; hereinafter: “WordPress”) are used for the purpose of optimising and securing the delivery of our website content.

Further information – including the storage duration of individual cookies – can be found in our Cookie Policy at https://wph24.artbutler.com/diegalerie/cookie-policy-eu/.

The aforementioned plugins process information generated by the user’s device regarding the use of our website and interactions with our website, as well as access data, e.g. your IP address, the date and time of access, as well as some of the data mentioned under ‘Use of our website’, are processed on the servers of ‘WordPress’. The legal basis for the processing is Article 6(1)(f) of the GDPR. Our legitimate interests lie in optimising the display of content and in the more targeted control and monitoring of our website content.

“WordPress” also processes some of the data in the USA. An adequacy decision by the European Commission exists for data transfers to the USA. The provider of WordPress (Automattic, Inc.) is certified under this decision. The data is deleted once storage is no longer necessary, in some cases as soon as you leave the website. Further information on data protection at “WordPress” can be found at https://wpml.org/documentation/support/browser-cookies-stored-wpml/ and at https://www.wordfence.com/help/general-data-protection-regulation/.

You may object to the processing. Your right to object applies where there are grounds relating to your particular situation. You may send us your objection using the contact details provided in the ‘Data Controller’ section.

4. Contacting our company

When you contact our company, e.g. by email or via an enquiry form on the website, we process the personal data you provide in order to respond to your enquiry. To process enquiries via the contact form, it is essential that you provide a name, a valid email address and details of your enquiry. When you send the message to us, your IP address and the date and time of registration are also processed. The legal basis for the processing is Article 6(1)(f) of the GDPR or Article 6(1)(b) of the GDPR if the contact is aimed at concluding a contract. If the enquiry is aimed at concluding a contract, the provision of your data is necessary and mandatory. If the data is not provided, it will not be possible to conclude or perform the contract or to process the enquiry. The other data processed during the submission process serves to prevent misuse of the contact form and to ensure the security of our IT systems. We will delete the data collected in this process once processing is no longer necessary, or, where applicable, restrict processing to comply with existing statutory retention obligations.

You may object to the processing provided it is based on Article 6(1)(f) of the GDPR. Your right to object applies where there are grounds arising from your particular situation. You may send us your objection using the contact details provided in the ‘Data Controller’ section.

5. Contact Management

We process the personal data of our customers and prospective clients, which we have received, for example, in connection with a purchase, a trade fair contact or via an enquiry, in our contact management system. Your data – in particular your name, contact details such as your postal address, email address and telephone number, any purchases made and other data provided – is stored for the purpose of customer and contact management. In particular, we use your postal address to occasionally inform you by post about news from our gallery (e.g. announcements of trade fairs and exhibitions, introductions to artists).

The legal basis for the processing is Article 6(1)(f) of the GDPR. Our legitimate interest lies in customer and contact management. We will delete the data collected in this context once processing is no longer necessary, or, where applicable, restrict processing to comply with existing statutory retention obligations.

Please note that you may object at any time to the receipt of direct marketing and to processing for the purposes of direct marketing without incurring any costs other than the transmission costs in accordance with standard rates. In this regard, you have a general right to object without giving reasons (Article 21(2) of the GDPR). To do so, click on the unsubscribe link in the relevant email or send us your objection using the contact details provided in the “Data Controller” section.

6. Email Marketing

Marketing to Existing Customers

We reserve the right to use the email address you provided during a purchase, in accordance with legal requirements, to send you news from our gallery via email following your purchase (e.g. announcements of fairs and exhibitions, introductions to artists), provided you have not already objected to this processing of your email address:

The legal basis for data processing is Article 6(1)(f) of the GDPR. Our legitimate interests in the aforementioned processing lie in customer care and marketing. We will delete your data when you terminate the usage process. We use an external email marketing service to send the emails. Further information on this service provider can be found in the section ‘Email Marketing Service’.

Please note that you may object to receiving direct marketing and to processing for the purposes of direct marketing at any time, without incurring any costs other than the transmission costs charged at standard rates. You have a general right to object without giving reasons (Article 21(2) of the GDPR). To do so, click on the unsubscribe link in the relevant email or send us your objection using the contact details provided in the “Controller” section.

You have the option of receiving email notifications about products that are back in stock, as well as subscribing to our newsletter via email, through which we regularly inform you about news from our gallery (e.g. announcements of fairs and exhibitions, introductions to artists).

To receive the newsletter, you must provide your name and email address.

We process this data for the purpose of sending the newsletter and for as long as you remain subscribed to the newsletter. We use an external marketing service provider to send the newsletter. Further information on this can be found in the section “Marketing Service Providers”.

The legal basis for the processing is Article 6(1)(a) of the GDPR. We process your data until you withdraw your consent.

You may withdraw your consent to the processing of your email address for the purpose of receiving the newsletter at any time, either by clicking directly on the unsubscribe link in the newsletter or by sending us a message using the contact details provided under “Data Controller”. This does not affect the lawfulness of the processing carried out on the basis of your consent up to the time of your withdrawal.

Newsletter tracking

We also statistically analyse newsletter open rates, the number of clicks on links contained therein and the reading duration. For this purpose, usage behaviour on our websites and within the newsletters we send is analysed using device-specific information (e.g. the email client used and software settings). For this analysis, the emails sent contain so-called web beacons or tracking pixels, which are single-pixel image files that are also embedded on our website.

The legal basis for the processing is Article 6(1)(a) of the GDPR. We will delete your data if you cancel your newsletter subscription.

You may withdraw your consent at any time, either by sending us a message (see the contact details in the ‘Controller’ section) or by clicking the unsubscribe link contained in the newsletter. This does not affect the lawfulness of the processing carried out on the basis of your consent up to the time of your withdrawal.

Email marketing service

We use the following email marketing service

“Mailchimp” provided by Intuit, Inc. (2700 Coast Ave, Mountain View, CA 94043, USA; hereinafter: “Mailchimp”); Mailchimp also processes your data in the USA. An adequacy decision by the European Commission exists for data transfers to the USA. Intuit, Inc. is certified under this decision. In addition, standard data protection clauses have been concluded with Intuit, Inc. to oblige Intuit, Inc. to maintain an adequate level of data protection. You can view a copy of the Standard Data Protection Clauses at Mailchimp via https://mailchimp.com/de/legal/data-processing-addendum/#2._Rollen_und_Verantwortlichkeiten. Further information can be found in Intuit Inc.’s privacy policy at: https://www.intuit.com/privacy/statement/.

II. Social Media Presence

General

We maintain publicly accessible profiles on various social networks (hereinafter collectively referred to as: “our profiles”). Your visit to our profiles triggers a variety of data processing operations. Below, we provide an overview of which of your personal data we collect, use and store when you visit our profiles. You are not obliged to provide us with your personal data. However, this may be necessary for certain features of our profiles on social networks. These features will not be available to you, or will only be available to a limited extent, if you do not provide us with your personal data.

When you visit our profiles, your personal data is collected, used and stored not only by us, but also by the operators of the respective social network. This occurs even if you do not have a profile on the respective social network yourself. The specific data processing operations and their scope vary depending on the operator of the respective social network and are not necessarily transparent to us. Details regarding the collection and storage of your personal data, as well as the nature, scope and purpose of its use by the operator of the respective social network, can be found in the privacy policies of the respective operators:

a) Instagram

You can view the privacy policy for the social network Instagram, which is operated by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, at https://privacycenter.instagram.com/policy.

d) Facebook

You can view the privacy policy for the social network Facebook, which is operated by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, at https://www.facebook.com/privacy/policy/?locale=de_DE.

e) YouTube

The privacy policy for the video platform YouTube, which is operated by YouTube, LLC (head office at 901 Cherry Avenue, San Bruno, CA 94066, USA; hereinafter: “YouTube”), a subsidiary of “Google” (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA; hereinafter: “Google”) can be viewed at https://policies.google.com/privacy?hl=de.

2. Communication with users

We use our profiles for public relations purposes relating to our company and to communicate with and establish contact with potential customers. In the course of using our profiles, we process personal data such as your name, your profile picture and the information you have provided via interactive features (e.g. commenting, sharing and rating). The legal basis for the operation of our profiles and the processing of personal data is Article 6(1)(f) of the GDPR. Our legitimate interest lies in the public relations activities of our company.

When you visit our profiles, data may be processed outside the European Union, and in particular in the USA. An adequacy decision by the European Commission exists for data transfers to the USA. The social media providers mentioned are certified under this decision. Further information regarding any data transfer to a third country and the relevant legal basis can be found in the privacy policies of the social networks.

We have no influence over the retention period of your personal data that you have published on our profiles. We store your data until the purpose of the processing has been fulfilled, or we restrict processing if statutory retention obligations apply. Further information on data protection and the retention period can be found in the privacy policies of the social networks linked above.

You may object to the processing. Your right to object applies where there are grounds arising from your particular situation. You may send us your objection using the contact details provided in the ‘Data Controller’ section.

3. Statistical information and joint responsibility with social networks

The operators of the social networks on which we maintain our profiles provide us with statistical analyses of interactions with our profiles in anonymised form. We use this data to improve the user experience on our profiles. It is not possible for us to draw conclusions about individual users or access individual user profiles. Our legal basis for processing the information from the statistical analysis is Article 6(4) of the GDPR in conjunction with Article 6(1)(f) of the GDPR. Our legitimate interest in the statistical analysis lies in improving and tailoring our advertising measures based on the information collected and in gaining further insight into user interaction on our profiles.

According to the case law of the European Court of Justice, the use of statistical analyses may, under certain circumstances, be classified as data processing under joint responsibility between the social network operator and the profile owner. Against this background, we have concluded a joint responsibility agreement in accordance with Article 26 of the GDPR with the following social network operators:

Facebook and Instagram:

You can view the joint controller agreement for Instagram and Facebook Page Insights at https://www.facebook.com/legal/controller_addendum.