HAUSER & WIRTH will function as the “controller” within the meaning of Article 4 number 7 of Regulation (EU) 2016/679, also known as the “General Data Protection Regulation” (“GDPR”).
II. Collection and storage of Personal Data; manner and purpose of their usage
1. Processing of data for usage of the Website
Whenever you access our Website through your browser, respectively via your mobile terminal device, we will collect only the Personal Data which your browser, respectively your mobile terminal device, automatically transmits to us so as to allow you to visit the Website and to ensure system stability and security. This may include, in particular:
• Your IP address;
• Your device’s identifier, i.e. the unique ID number of your terminal device;
• The content, date, and time of the access request;
• The time zone of the requesting computer, respectively of the mobile terminal device;
• The website from which the access request is being referred;
• The web page for which access is being requested;
• The http status code;
• The data volume transmitted;
• Your browser ID;
• Your operating system;
• The language and version of your browser software; as well as
• The Advertising Identifier (IDFA).
Processing this data will serve the following purposes:
• To establish a trouble-free connection to the Website;
• To display our goods and services;
• To ensure the usability of our Website;
• To analyze system stability and security; and
• To fulfill additional administrative objectives.
The legal basis for this processing of the Personal Data concerning you is Article 6 paragraph 1 sentence 1 lit. f) of the GDPR. Our legitimate interest in this context results from the aforementioned data processing purposes.
2. Data processing when the contact form is used
We give you the option of contacting us by means of the “Contact” form provided on the Website. To use this form, you must fill in your name and a valid email address. Processing these data serves our legitimate interest in providing proper answers to your contact inquiries and is therefore performed on the basis of Article 6 paragraph 1 sentence 1 lit. f) of the GDPR.
3. Data processing for purchasing our goods and using our services
If you wish to purchase our goods and use our services, you may be asked at various times to provide us with Personal Data such as the following:
• Your name;
• Your postal address;
• Your email address,
• Your telephone number or mobile phone number; and
• Your credit card information.
We will process the Personal Data concerning you for the following purposes, and said Personal Data are required for these purposes:
• To fulfill contractual obligations, respectively to perform pre-contractual measures, in accordance with Article 6 paragraph 1 sentence 1 lit. b) of the GDPR, i.e. so as to be able to transact your purchases, process your payments, provide you with customer service, correspond with you, handle claims asserted by you or us, assure the technical administration of our Website, and manage our customer data;
• To fulfill statutory requirements in accordance with Art 6 paragraph 1 sentence 1 lit. c) of the GDPR or to serve the public interest in accordance with Article 6 paragraph 1 sentence 1 lit. e) of the GDPR, i.e. so as to protect both you and us (including our affiliated companies) against fraud.
III. Forwarding data concerning you to processors and third parties
In order to process the data concerning you, we will make use of specialized external service providers, such as online-marketing providers, providers of automated marketing solutions, providers of web-analysis tools as well as IT-service providers. We carefully select these service providers and instruct them duly, they are bound by our instructions and are regularly monitored and checked.
In addition, we may transfer the Personal Data concerning you to third parties (suppliers, sub-contractors, shipping companies, the credit institutions we have contracted for payment settlement or other payment service providers) insofar as this is required for our contractual performance pursuant to Article 6 paragraph 1 sentence 1 lit. b) of the GDPR, respectively in order to pursue our legitimate interests pursuant to Article 6 paragraph 1 sentence 1 lit. f) of the GDPR.
Finally, we may also transfer your data to our affiliated companies, including Hauser & Wirth Menorca SL, Hauser & Wirth Gallery Ltd., Hauser & Wirth Inc., Hauser & Wirth AG and Hauser & Wirth Limited (“Affiliated Companies”), insofar as this is permitted to pursue our legitimate interests within the meaning of Article 6 paragraph 1 sentence 1 lit. f) of the GDPR. These interests specifically include: processing your order, delivering the ordered goods, processing of your payment details, the provision of support services and ensuring efficient business operations.
In all other respects, the Personal Data concerning you will not be transferred to third parties unless you have first granted your consent pursuant to Article 6 paragraph 1 sentence 1 lit. a) of the GDPR or if doing so is legally permissible within the meaning of Article 6 paragraph 1 sentence 1 lit. c) of the GDPR.
IV. Transfers of Personal Data to third countries
Insofar as we transmit Personal Data to countries located outside of the European Economic Area (“EEA”), we will ensure that the data recipient guarantees an adequate level of data protection within the meaning of Article 45 of the GDPR. If no adequacy decision is available, HAUSER & WIRTH will strive to ensure that the data recipient has put in place appropriate safeguards within the meaning of Article 46 of the GDPR and specifically utilizes the standard contractual clauses of the European Union for the transfer of data into non-EU third countries in their respectively current version.
When it comes to transferring data to the United States, HAUSER & WIRTH will strive to ensure that the data recipient enters into obligation to follow and observe the principles of the Privacy Shield Framework (i.e. principles setting forth minimum standards for the handling of Personal Data).
HAUSER & WIRTH utilizes so-called “cookies” on its Website, i.e. small files containing text information that are placed on your hard drive (“Cookies”) whenever you call up the Website. The Cookie will be used to store certain information about the specific terminal device you are using. This does not mean, however, that we will obtain direct knowledge of your identity in the process.
The data processed by the Cookies are required for the aforementioned purposes in order to allow us to pursue our legitimate interests and to allow third parties to purse their legitimate interests pursuant to Article 6 paragraph 1 sentence 1 lit. f) of the GDPR.
VI. Deployment of analytics and tracking technologies
We use the analytics and tracking technologies, respectively technologies offered by third-party-provider, described below; we do so on the basis of Article 6 paragraph 1 lit. f) of the GDPR for the following purposes (among others):
• To perform data analyses;
• To collect statistics on the use of our Website and to evaluate them so as to optimize our offering;
• To enhance and manage our offering on an ongoing basis;
• To optimize our advertising measures and quantify their success; and
• To provide you with advertising.
These are legitimate interests within the meaning of the aforementioned statutory provision.
1. Google Analytics
Google has been certified under the Privacy Shield Framework, meaning that an adequate level of data protection is in place in accordance with the corresponding Implementing Decision of the European Commission. The certificate is available online for inspection under https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI. However, your IP address will first be shortened on our Website by Google within Member States of the European Union or in other states signatory to the Agreement on the European Economic Area (EEA). Only in exceptional cases will the full IP address be transferred to a Google server in the Unites States and shortened there.
Google will use this information on our behalf in order to analyze your usage of our Website, to compile reports on Website activities for us, and to provide us with other services relating to Website and internet usage. In certain cases, this information may also be transferred to third parties, insofar as this is mandated by the law or insofar as third parties have been commissioned with processing the data. Google will not merge your IP address with other data held by Google.
You can block the storage of the relevant Cookie in your browser by configuring your browser settings accordingly. Please be advised, however, that this may prevent you from using all the functions of our Website to their full extent.
In addition, you can prevent Google from recording the data generated by the Cookie regarding your usage of the Website (including your IP address) and from processing such data by downloading and installing the browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
For further information on data protection in connection with Google Analytics, please navigate to the “Help” section of Google Analytics via the following link: http://google.com/intl/de/analytics/privacyoverview.html.
2. Google AdWords Conversion Tracking
In order to collect statistics on the use of our Website and in order to optimize our Website for your benefit, we also use Google Conversion Tracking. This is a service offered by Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (“Google”). To this end, Google places a Cookie (see Section V of this Privacy Statement) on your computer whenever you reach our Website by way of a Google Ad. These Cookies become invalid after 30 days and cannot be used to identify you personally. If you visit one of our web pages and assuming the Cookie has not yet expired, both we and Google will be able to see that you clicked on the ad and that it referred you to our site. Each AdWords customer receives a different Cookie, so that the Cookies cannot be tracked across the websites of multiple AdWords customers.
Google will use this information on our behalf to generate visitor statistics for our Website. We will use these visitor statistics to determine the total number of users referred to us by AdWords advertisements and to optimize our AdWords advertising efforts accordingly. This information may also be transferred to third parties insofar as this is mandated by law or insofar as third parties process these data on a commissioned basis. Neither we nor any other advertising customers of Google AdWords will receive information from Google that allows you to be personally identified.
In the process, Google will place a Cookie on your computer (see Section V of this Privacy Statement) insofar as you use certain Google services or visit certain websites forming part of the Google content network. These Cookies cannot be used to identify you personally.
The information generated by the Cookie so placed on your computer concerning your usage of our Website (including your IP address) will be transferred to a Google server located in the United States and stored there. As explained above, Google has been certified under the Privacy Shield Framework, meaning that an adequate level of data protection is in place in accordance with the corresponding Implementing Decision of the European Commission. The certificate is available online for inspection under: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI. However, your IP address will first be shortened on our Website by Google within Member States of the European Union or in other states signatory to the Agreement on the European Economic Area (EEA). Only in exceptional cases will the full IP address be transferred to a Google server in the United States and shortened there.
You can prevent the storage of these Cookies in your browser by configuring your browser settings accordingly. Please be advised, however, that this may prevent you from using all the functions of our Website to their full extent.
Furthermore, you can object against interest-based advertising from Google. To do this, you must call up www.google.de/settings/ads from each of the internet browsers you use and then make the desired setting changes.
3. Google Tag Manager
We also use Google Tag Manager. This service allows website tags to be managed by way of a user interface. Tags are small code elements the purpose of which includes measuring traffic and visitor behavior. Google Tag Manager merely implements such tags. This does not cause any Cookies to be placed, meaning that no Personal Data will be recorded. Google Tag Manager triggers other tags which may themselves record data under certain circumstances. Google Tag Manager does not access these data, however. Once the deactivation function has been selected at the domain or Cookie level, it will remain in effect for all tracking tags implemented by Google Tag Manager.
VII. Use of social plug-ins
Our Website makes use of the so-called “social plug-ins” of social networks, e.g. Facebook, Instagram, YouTube, Twitter, WeChat and Sina Weibo (Facebook, Instagram, YouTube, Twitter, WeChat and Sina Weibo being collectively referred to hereinbelow as “Social Networks” and the corresponding plug-ins as “Plug-ins”). With these Plug-ins, we offer you the option to interact with the Social Networks and with other users, which allows us to improve our offering and to make it more appealing to you, while at the same time raising awareness of our enterprise. The legal basis for the use of social Plug-ins is Article 6 paragraph 1 sentence 1 lit. f) of the GDPR. Responsibility for ensuring data protection-compliant operations lies with the respective provider.
We use the Plug-ins of the Facebook network, such as the “Like” button. These Plug-ins are offered and operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA (“Facebook”), and are clearly designated by the Facebook logo. In addition, we utilize Plug-ins of the Instagram service, operated by Instagram LLC, 1601 Willow Rd, Menlo Park, CA 94025, USA (“Instagram”). These Plug-ins are designated by the Instagram logo. We also use the Plug-ins of the YouTube network, which is owned by Google Inc., San Bruno, California, USA (“YouTube”), whereby the YouTube logo serves as the designator. Our Website also features Plug-ins which are integrated, offered, and operated by the Twitter service owned by Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA (“Twitter”), these Plug-ins are designated by the Twitter logo or the suffix “Tweet.” We furthermore utilize the Plug-ins of the WeChat network, which is offered and operated (for users in the EEA) by Tencent International Service Europe B.V., a Dutch company with its registered office in 26.04 on the 26th floor of Amstelplein 54, 1096 BC Amsterdam, Netherlands, and (for users outside the EEA, Switzerland or the People’s Republic of China (excluding Taiwan, Hong Kong and Makau) Tencent International Service Pte. Ltd., a company based in Singapore at 10 Anson Road, #21-07 International Plaza, Singapore 079903 (“WeChat”); these Plug-ins are designated by the WeChat logo. Finally, we utilize the Plug-ins of the Sina Weibo network operated by Sina Corporation, 37F, Jin Mao Tower, 88 Century Boulevard, Pudong New District, Beijing NEJ 00000, China (“Sina Weibo”), which are designated by the Sina Weibo logo.
Whenever you access a web page of ours that contains this type of Plug-in, your browser will establish a direct connection to the server of the respective Social Network. The content of the Plug-in will be transferred directly to your browser from the corresponding Social Network and will be integrated into the Website without our being able to exercise any control over said content.
Regardless of whether you maintain a user account with a Social Network or whether you have logged on to the respective Social Network, web pages that contain Plug-ins from that Social Network will transfer information to the corresponding Social Network in the USA, Singapore or China, where this information will be stored. This will include the type and version of your operating system and browser, respectively, as well as your IP address and the domain name and/or date stamp, respectively time stamp, associated with your visit. Each time the web page is called up, the respective Social Network will deposit a Cookie containing an identifier that will remain valid for two years. Since your browser automatically co-transmits this Cookie each time a connection is established with a server, the corresponding Social Network fundamentally would be able to generate a profile of the online web pages called up by the user associated with the identifier. If you have logged on to the respective Social Network at the time, said Social Network will be able to match up the profile to the user account you maintain with that Social Network and thus to you personally. But even if you are not logged in to the respective Social Network when you use our Website, this will not preclude such a match-up from occurring, for example when you log in with the corresponding Social Network at some later time.
Whenever you interact with these Plug-ins, e.g. by activating the “Like” or “Tweet” button or by posting a comment, the corresponding information will be sent from your browser directly to the corresponding Social Network and stored there, without our being able to exert any influence in this regard. The information will also be published on the Social Network and will be displayed to your contacts on said network.
For Facebook: http://de-de.facebook.com/policy.php;
For Instagram: https://help.instagram.com/519522125107875?helpref=page_content;
For YouTube: https://policies.google.com/privacy?hl=de;
For Twitter: http://twitter.com/privacy;
For WeChat: https://www.wechat.com/en/privacy_policy.html; and
For Sina Weibo: https://www.whatsonweibo.com/privacy-policy/.
The above links will also guide you to additional information on your relevant rights and configuration options when it comes to protecting your privacy. Facebook/Instagram, YouTube/Google, and Twitter are certified under the Privacy Shield Framework, meaning that an adequate level of data protection is in place in accordance with the corresponding Implementing Decision of the European Commission. The certificates are available online for inspection here:
For Facebook/Instagram: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC.
For YouTube/Google: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI
For Twitter: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active
If you, as the user of a Social Network, wish to prevent the corresponding Social Network from collecting information regarding you during your visit to our Website, you can log out of that Social Network when commencing your visit to the Website, erase the corresponding Social Network’s cookie (if one exists) from your browser, and select the “Block Third-Party Cookies” function on your browser. In this case, your browser will not transfer any Cookies to the servers in the event of embedded content of other providers. Note, however, that this configuration, besides blocking the Plug-ins, may also cause certain functions extending across webpages to become unavailable.
Subject to your consent, which can you can grant when registering on our Website, we will email you our newsletter regarding our goods and services or the goods and services of our Affiliated Companies, insofar as we believe they may be of interest to you.
You can object at any time against having data concerning you used for direct advertising purposes with effect for the future, and you can unsubscribe from the newsletter by clicking the corresponding link included in each newsletter email, or by emailing a corresponding declaration to: firstname.lastname@example.org.
We reserve the right to email you offers for goods and services also without your consent insofar as they are similar to ones you have already purchased. You have the right to object at any time against having your data processed for advertising purposes by emailing us a corresponding declaration at email@example.com, or by clicking on the corresponding link in our newsletter. This will not give rise to any costs other than the base rate of transmission costs.
The legal basis for processing your data for purposes of sending out newsletters is Article 6 paragraph 1 sentence 1 lit. a), respectively lit. f), of the GDPR.
For the purpose of sending you emails and our newsletter, we use the newsletter distribution platform MailChimp offered by Rocket Science Group, LLC, 675 Ponce De Leon Ave NE # 5000, Atlanta, GA 30308, USA (“MailChimp”). To this end, the personal data concerning you are transmitted to MailChimp servers in the USA and will be stored there. MailChimp has been certified under the Privacy Shield Framework, meaning that an adequate level of data protection is in place in accordance with the corresponding Implementing Decision of the European Commission. The certificate is available online for inspection under: https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG.
MailChimp offers comprehensive opportunities to analyze how newsletters are opened and used. In order to evaluate user behavior, the emails sent out include so-called web beacons, respectively tracking pixels, which are one-pixel image files that are stored on our Website. In order to perform analyses, we and/or MailChimp will merge the data collected from you and the web beacons with your email address and an individual ID. The links sent in the newsletter also include this ID. We will use the data obtained in this way to create a user profile to allow us to customize the newsletter to your personal interests. In the process, we will capture the time at which you read our newsletters, on which links you click in the newsletters, and will deduce your personal interests from this conduct. We will merge these data with the actions you have taken on our Website. MailChimp can by its own admission also use this data to enhance or improve its own services, e.g. to technically enhance the dispatch procedure and display of the newsletter or for commercial purposes to be able to determine which countries the recipients are from. However, MailChimp will not use the data of our newsletter recipients to contact them itself or forward it to third parties.
IX. Duration of storage
We will store the Personal Data concerning you for as long as required to fulfill the respective storage purpose. Once this is no longer the case, we will erase your data unless we are bound to observe a longer retention period in accordance with Article 6 paragraph 1 sentence 1 lit. c) of the GDPR, namely on the basis of tax laws, commercial laws, or other statutory archiving/documentation obligations, or unless you have consented to an extended storage period in accordance with Article 6 paragraph 1 sentence 1 lit. a) of the GDPR.
X. Your rights
In accordance with Article 15 of the GDPR, you are entitled to obtain access at any time to any Personal Data of yours that are being stored by us. In particular, you may request information about any of following matters: the processing purposes involved; the categories of data regarding you being stored; the categories of recipients of such data; the planned storage period; the existence of a right to demand rectification, erasure, restriction of processing or a right to object; the existence of a right to lodge a complaint with a supervisory authority; the origin of your data, insofar as they were not obtained from you; as well as the existence of an automated decision-making process, including profiling; you also have the right to request explanatory details.
In addition, you can demand the rectification of incorrect data pursuant to Article 16 of the GDPR, as well as the erasure of Personal Data pursuant to Article 17 of the GDPR insofar as their processing is not required to exercise the right of freedom of expression and information, to fulfill a statutory obligation, to serve the public interest, or to assert, enforce or defend legal claims.
You furthermore have the right, pursuant to Article 18 of the GDPR, to demand that a block or restriction be placed on the processing of the Personal Data concerning you insofar as: their correctness is disputed by you; the processing is unlawful but you object to the erasure of the data; we no longer require the data but you still require it in order to assert, enforce or defend legal claims; or you have expressly objected against the data being processed pursuant to Article 21 of the GDPR.
Furthermore, you are entitled pursuant to Article 20 of the GDPR to obtain the Personal Data you have provided to us in a structured, commonly used, and machine-readable format, or to demand that such data be transmitted to some other authorized party.
Finally, insofar as the Personal Data concerning you are being processed on the basis of legitimate interests pursuant to Article 6 paragraph 1 sentence 1 lit. f) of the GDPR, you have the right, pursuant to Article 21 of the GDPR, to at any time object to having the Personal Data concerning you processed, on grounds relating to your particular situation or insofar as your objection specifically refers to processing for purposes of direct advertising. In the latter case, you will enjoy a fundamental right to object that will be honored by HAUSER & WIRTH without your having to state grounds in connection with a particular personal situation.
If you believe that our processing of the Personal Data concerning you is not consistent with applicable law, you may lodge a complaint with a competent supervisory authority pursuant to Article 77 of the GDPR.
If the processing of your data is based on a declaration of consent you have granted pursuant to Article 6 paragraph 1 lit. a) of the GDPR, you have the right to any time withdraw said consent with effect for the future.
XI. Data security
In the course of visits to our Website, we employ the widely-used SSL process in conjunction with the respectively highest level of encryption supported by your browser.
In all other respects, we take appropriate technical and organizational security measures in order to protect your data against manipulation, loss, destruction, and unauthorized access by third parties. Our security measures are kept consistently up-to-date based on the latest state of the technical art.
XII. Your contact for data protection matters
If you have questions about how the Personal Data concerning you is collected, processed or used, if you wish to obtain information regarding your data or to have them rectified, blocked or erased, or if you wish to withdraw your consent, please contact our Data Protection Officer at: firstname.lastname@example.org.