Privacy policy

Version 1.0 from 14.02.2022

1. General information

We, art24 Services GmbH, operate the art24.world art trading platform ("platform"). The purpose of this privacy policy is to explain how we collect and process personal data in our company.

Within the context of our business activities, we are subject to the Swiss data protection law, in particular the Federal Act on Data Protection (FADP) and, where applicable, foreign data protection law, in particular the General Data Protection Regulation (GDPR) of the European Union (EU)

Particularly the latter is only applicable to natural persons with domicile in an EU/EEA state. The EU recognises that Swiss data protection law ensures adequate data protection.

By using our services and our platform, you agree to the processing of the data collected about you in the manner and for the purpose as described below. Personal data of third parties may only be provided to us if you are authorised to do so and if such personal data is correct.

We can amend this privacy policy at any time and without prior notice. The current version published on our platform is applicable in each case.

The masculine form of language we use is for simplification and applies equally to all other forms of gender expression.

2. Responsible for data protection issues

Responsibility for the content of this privacy policy and for the described data processing is held by art24 Services GmbH, Hinterbergstrasse 26, 6312 Steinhausen, privacy@art24.services, phone no.: +41 43 499 50 30.

Contact person for data protection matters at art24 World AG is:
art24 World AG
Sebastian Nellen
Hinterbergstrasse 26
Postfach 28
6312 Steinhausen
privacy@art24.world
Phone no.: +41 43 499 50 20

3. EU data protection representative

For natural persons with simple residency in countries of the European Economic Area (EEA) including the European Union (EU) and the Principality of Liechtenstein, as well as for the country-specific supervisory authorities provided for by the GDPR, we designate the following person as EU data protection representative according to Article 27 of the GDPR:
VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Deutschland
info@datenschutzpartner.eu
https://datenschutzpartner.eu 

4. Terminology

For better understanding, we would like to start by clarifying the most important terms used in the following. In this regard, we adhere to the definitions from the Swiss Data Protection Act (Article 3 DPA).

5. Collection and processing of personal data

We process personal data that we receive from our users, visitors, customers, business partners, employees, authorities and other involved persons in the course of our business activities with them and third parties or that we collect in the course of operating our platform and other applications. In addition, we also collect publicly accessible data (e.g. from public registers, the Internet, the press, social media, etc.) if necessary and permissible for the fulfilment of our business activities.

6. Purpose of the data processing

We process the data collected in order to fulfil our legal and contractual obligations towards our users, visitors, customers, business partners, employees, authorities and other persons involved.

Furthermore, we process the data collected in order to improve the products and services you have requested, to manage your use of and access to our services, products and information, to maintain our business relationship with you, to carry out advertising and marketing measures ( provided that you have consented to the use of your personal data in this respect), to monitor and improve the performance of our services, to enforce legal claims or defend ourselves against them, to detect, prevent or resolve illegal activities as well as to generally guarantee our operations (in particular IT, platform, etc.). We only collect, use and disclose your personal data if this is permitted or required by law or if you have agreed to the disclosure of your data.

7. Legal basis of data processing

We process personal data in accordance with Swiss data protection law pursuant to Article 4 et seq. DSG (Article 6 revised FADP). Where a justification for processing your personal data is necessary, this is either based on your consent in accordance with Article 13 para. 1 FADP (Article 31 para. 1 revised FADP) or on a legal basis or on our predominant private interest on the data processing. Any processing of your personal data by other group companies is also based on Article 13 para. 2 FADP (Article 31 para. 2 revised FADP). 

In addition, we process - insofar as and to the extent that the GDPR is applicable - personal data in accordance with the following legal basis in connection with Article 6 para. 1 GDPR:

8. Processing time of personal data

We will process your personal data for as long as we are legally obliged to do so or for as long as our legitimate business interests require or as long as the purpose of collecting your data makes it necessary. The associated retention periods may result in your personal data or extracts from them being kept for several years after the end of the contractual relationship between you and us. If your personal data is no longer required for the above-mentioned purposes, it will be deleted or anonymised as far as possible.

9. Data processing in connection with the usage of our platform

9.1. Cookies

The software Cookiebot is used for cookie consent. The following source code includes Cookiebot in our platform:

<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-cbid="adc67a23-522b-4807-b62e-b28e7fbe2b0a" data-blockingmode="auto" type="text/javascript"></script>

9.2. Contact form

You have the possibility to use a contact form to get in touch with us. The collection and transmission of the following data is possible:

We have marked the mandatory fields (*). The provision of personal data in other fields or in the context of any other method of contact (e.g., by email, telephone) is voluntary. Within the area of application of the DSGVO, this data is processed for the purpose of initiating or fulfilling a contract (Art. 6 para. 1 lit. b DSGVO) or on the basis of our legitimate interest in processing the requests addressed to us (Art. 6 para. 1 lit. f DSGVO) or based on your consent (Art. 6 para. 1 lit. a DSGVO).

9.3. Platform hosting provider

We host our platform with a Swiss hosting provider with its headquarters and server location in Switzerland (VSHN AG). With each visit to our platform, the hosting provider automatically collects and stores information (server log files) which your browser transmits. This includes the name and URL of the accessed file, date and time, amount of data, web browser and web browser version, operating system, the domain name of your internet provider, the so-called referrer URL (the page from which you accessed our website) and the IP address. This usage data serves to identify technical problems, to ensure security and to statistically evaluate the use of our platform and thus the further development of our offer.

The mentioned data is processed by us for the following purposes: 

Within the area of application of the DSGVO, the processing of this data is based on our legitimate interest (Art. 6 para. 1 lit. f DSGVO) in accordance with the purposes listed above or your consent (Art. 6 para. 1 lit. a DSGVO).

9.4. User data

You can register to our platform ("user") in order to use further functions of our platform. The latest GTC are applicable and can be found at https://art24.world/legal/terms. The mandatory information requested during registration must be provided in full. Otherwise, registration is not possible. For important changes, for example in the range of services offered or in the case of technically necessary changes, we use the email address provided when you first registered in order to inform you this way.

For all purposes related to the fulfilment of the contract, we are entitled to collect, process and use personal data of the user and, if applicable, also of the user's employees, bodies or third parties involved. Your consent also includes the use for marketing purposes.

Users may process and use personal data of other users, which they legally collect in the course of using the platform, exclusively for the performance of their pre-contractual and contractual services. With disclose out the expressed permission of the user concerned, they are in particular prohibited from disclosing this data on to third parties (e.g., for marketing purposes).

The user explicitly authorises us to process his personal data and data related to him and to disclose it to third parties abroad and hence worldwide. These recipients may also be located in countries where there may not be an equivalent level of data protection. The user explicitly agrees to the transfer of data to these countries.

The user explicitly declares that consent for the processing of personal data as described above has been given and that the legal requirements for transfer to and processing through us have been fulfilled.

Within the scope of application of the GDPR, the processing of this data takes place either for the purpose of initiating and fulfilling a contract (Art. 6 para. 1 lit. b GDPR) or based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) or based on your consent (Art. 6 para. 1 lit. a GDPR).

9.5. Payments

We may offer paid products and/or services (esp. user subscriptions). In this case, we may use third party services for the payment processing. The use of your personal data and payment data by these third-party providers is regulated in the privacy policy of these providers. 

Datatrans
We use the services of Datatrans. The provider is Datatrans AG, Kreuzbühlstrasse 26, 8008 Zurich, Switzerland ("Datatrans"). Datatrans follows the standards set by PCI-DSS, which are managed by the PCI Security Standards Council. PCI-DSS requirements help to ensure the secure handling of payment information.

In the case of a payment with Datatrans, your payment data will be forwarded from our platform to Datatrans via an interface to their e-payment platform in order to carry out the payment. You can find more information on how Datatrans handles your personal data in their privacy policy: https://www.datatrans.ch/en/privacy-policy.

Within the scope of application of the GDPR, the transfer of your data to Datatrans is based on the execution of the contract (Art. 6 para. 1 lit. b GDPR) as well as on our justifiable interest (Art. 6 para. 1 lit. f GDPR) in the use of reliable and secure payment processing. 

9.6. Newsletter

On our platform, we offer you the possibility to subscribe to our newsletter, through which we will inform you regularly about offers, products and information.

In order to send you a personalised newsletter, we require your first and last name, email address as well as information that allows us to verify that you are the owner of the email address provided and that you agree to receiving the newsletter. This data will only be used for the purpose of sending you the newsletter. You are free to provide us with further information on a voluntary basis. This personal data will not be passed on to third parties outside our company respectively our group of companies. For your registration to the newsletter, we use the so-called double opt-in procedure. After your registration you will receive an e-mail in which we ask you to confirm your registration. The subscriptions to the newsletter are recorded. This includes the storage of the time of registration and confirmation as well as the IP address. In addition, any changes to your submitted data are logged.

You can withdraw your consent to the storage of your personal data and its use for the newsletter dispatch at any time. You will find a link to do so in every newsletter. 

For processing, sending and analysing the newsletter, we use the services of mailXpert, the provider mailXpert GmbH, Schulstrasse 37, 8050 Zurich, Switzerland. You can find the privacy policy of mailXpert GmbH (in german language) by clicking the following link: https://www.mailxpert.ch/datenschutz.

Within the scope of the GDPR, the processing of the data collected as part of your newsletter subscription is based on your consent (Art. 6 para. 1 lit. a GDPR).

9.7. Links to other websites

Our platform contains hyperlinks to third-party websites that are not operated or controlled by us. We are not responsible for their content or data protection practices.

9.8. Google Inc.

9.8.1. General information

Our platform uses functions and services of Google Inc. The company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services in the European area.

In addition to the following explanations, you will find further information in the Google privacy statement on data protection at Google: https://policies.google.com/privacy?hl=en-GB.

In the scope of application of the GDPR, the processing of this data is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in an appealing internet appearance as well as in increasing our reach or based on your consent (Art. 6 para. 1 lit. a GDPR).

9.8.2. Services used by Google

Our platform uses functions of the web analytics service Google Analytics, Google Tag Manager, Google AdSense and Google Ads. In addition, we use Google Maps to embed maps, Google Fonts to use fonts and Google reCAPTCHA to protect our platform from spam and misuse.

Google Analytics uses cookies, which enable an analysis of your use of the platform. The information generated by cookies about your use of our platform is transferred to Google servers (if necessary, also in the USA) and stored there.

Google Tag Manager is a solution that allows us to manage website tags through one interface. Google Tag Manager is a cookie-less domain that does not collect any personal data. Google Tag Manager triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made on domain or cookie level, it remains in place for all tracking tags implemented with Google Tag Manager.

Google AdSense uses cookies and web beacons (invisible graphics). With the help of web beacons, Google can evaluate information (e.g., visitor traffic, clicks) on these pages. The information generated by cookies and web beacons about your use of our platform (including your IP address) and delivery of advertising formats is transmitted to Google servers (if necessary, also in the USA) and stored there. This information may be passed on by Google to contractual partners of Google.

Furthermore, we use the advertising tool Google-Ads to promote our platform. For this purpose, we use the analysis service "Conversion Tracking" from Google on our platform. If you have accessed our platform via a Google ad, a cookie will be placed on your computer. These so-called "conversion cookies" lose their validity after 30 days and are not used for your personal identification. If you visit certain pages of our platform and the cookie has not yet expired, we and Google can recognise that you, as a user, have clicked on one of our ads placed on Google and have been redirected to our platform. The information obtained with the help of conversion cookies is used by Google to compile visitor statistics for our platform. Through these statistics, we can determine the total number of users who have clicked on our ad and which pages of our platform were subsequently accessed by the respective user. However, we do not receive any information that personally identifies users. You can prevent the installation of conversion cookies by setting your browser accordingly, for example by using a browser setting that generally deactivates the automatic setting of cookies or specifically only blocks cookies from the domain "googleadservices.com".

On our platform we use Google Maps to embed maps. By using Google Maps, data is transmitted to Google and may also be stored on Google servers in the USA.

Our platform uses so-called Web Fonts provided by Google to display fonts in a uniform manner. The Google Fonts are installed locally. There is no connection established to Google servers. You can find more information about Google Web Fonts under: https://developers.google.com/fonts/faq.

Furthermore, we use the Google service reCAPTCHA on our platform. The associated query serves the purpose of distinguishing whether entries (e.g., in the contact form) are made by a human or by automated machine processing. The query includes the dispatch of the IP address and any other data required by Google for the reCAPTCHA service to Google. For this purpose, your input will be transmitted to Google and used further there. Your IP address will, however, be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement of the European Economic Area (cf. also section 10.8.4 "IP anonymisation" below). Only in exceptional cases the full IP address will be transmitted to a Google server in the USA and shortened there. Google uses this information to evaluate your usage of the service. According to Google, the IP address transmitted by your browser as part of reCAPTCHA will not be merged with other Google data. By clicking on the query, you agree to this processing of your data, which means that the data processing is performed based on your consent.

9.8.3. Opt-out-Cookie

You can prevent the collection of your data through Google Analytics by clicking on the following link: https://tools.google.com/dlpage/gaoptout?hl=de. An opt-out-Cookie will be set which will prevent the collection of your data on future visits to this platform.

9.8.4. IP anonymisation

We have activated the "IP anonymisation" function on our platform. Through this, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google uses this information to evaluate your usage of the platform, to compile reports on platform activities and to provide us with further services related to platform usage and internet usage. According to Google, the IP address transmitted by your browser will not be merged with other Google data.

9.8.5. Browser plugin

You are able to prevent the storage of cookies by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all the functions of our platform to their full extent. You can also prevent the collection of data generated by the cookie and referring to your use of the platform (incl. your IP address) to Google as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de

10. Further data processing

10.1. General information

When you use our services or contact us, we collect and process - depending on the business case - the following general personal data about you:

Within the scope of the GDPR, this data is either processed for the purpose of initiating and fulfilling a contract (Art. 6 par. 1 lit. b) GDPR) or based on our legitimate interest (Art. 6 par. 1 lit. f) in processing the requests addressed to us or based on your consent (Art. 6 par. 1 lit. a) GDPR).

10.2. Ways of contacting

If you contact us outside our platform (e.g., by email, telephone, post), your enquiry including all related personal data will be stored and processed by us for the purpose of processing your request. This data will only be passed on to third parties outside our group with your consent.

Within the scope of the GDPR, the processing of this data takes place for the purpose of initiating and fulfilling a contract (Art. 6 para. 1 lit. b GDPR) or based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in processing the enquiries addressed to us or based on your consent (Art. 6 para. 1 lit. a GDPR).

10.3. Cloud service provider

For the purpose of storing and processing your personal data, we use the services of the following external cloud service providers:

10.4. Applicant data

We accept applications by post, email or contact form. We treat your data strictly confidential. Your personal data will only be passed on within our company or group to persons who are entrusted with processing your application. By submitting your application to us, you expressly consent to the forwarding of your application documents to group companies.

We process the personal data sent to us as part of your application and the personal data collected as part of our application process to the extent that this is necessary to decide on the conclusion and execution of an employment contract.

Within the scope of the GDPR, this data is processed either for the purpose of initiating and fulfilling a contract (Art. 6 para. 1 lit. b GDPR) or based on your consent (Art. 6 para. 1 lit. a GDPR).

11. Data transmission to third parties

11.1. General information

Where necessary and to the extent legally permitted, we will also disclose your personal data to third parties in the context of our business activities. This includes, among others:

We work as far as possible with service providers who are based in Switzerland. However, data may also be transferred abroad (EU/EEA) or to third countries (outside Switzerland, EU/EEA and therefore worldwide) within the scope of our business activities. By taking appropriate measures, we ensure compliance with the legal requirements. Specifically, the responsible authority either has an adequacy decision or we conclude a contractual agreement with the third party (based on standard contractual clauses of the EU Commission) or there are corresponding certifications, or we obtain your expressed consent. By accepting this privacy policy, you explicitly consent to such disclosure of your personal data to group companies and third parties as far as this is necessary for the provision of our services and products and any associated fulfilment of contracts.

Within the scope of the GDPR, such processing is based on the completion of a contractual relationship (Art. 6 para. 1 lit. b GDPR), our legitimate interests (Art. 6 para. 1 lit. f GDPR) or your consent (Art. 6 para. 1 lit. a GDPR).

11.2. Order processing contracts

Where necessary, we have concluded corresponding order processing contracts with our data processors. The data processors agree to comply with data protection and data security regulations. In addition, they grant us comprehensive inspection and control rights as well as rights of information, rectification and deletion.

11.3. Notice on data transfer to the USA

As stated in this privacy declaration, we also use, among other things, tools and services from companies based in the USA. This allows your personal data to be transferred to the US servers of the respective companies. We would like to point out that the USA is currently not considered a safe third country within the meaning of EU and Swiss data protection law. In this regard, there is a risk that US authorities will access the personal data without you being able to defend yourself as a person effected. We have no influence over these data processing activities. By accepting this privacy declaration, you expressively consent to the transfer of your personal data to the USA.

In the scope of application of the GDPR, this data transfer is based on your consent (Art. 6 para. 1 lit. a GDPR).

12. Social networks (social media)  

12.1. General information

We maintain the publicly accessible profiles on social networks as listed below. For this purpose, you will find linked graphics to the different networks on our platform. By clicking on one of these graphics, you will be redirected to the selected social network. After forwarding, the network collects and processes your information in the following manner.

By visiting our social network profiles, personal data about you may be collected. For example, if you are logged into your accounts on the social networks and visit our profile at the same time, the portal operator may be able to assign this visit to your user account. Even if you have logged out of your account or if you do not have an account with the respective portal, your personal data may be collected. Such a collection of data can take place, for example, through the setting of cookies or web beacons. Based on the data collected this way, the portal operators can create user profiles and display advertisement based on your interests. For further information, please consult the respective data protection declarations of the portal operators.

Within the scope of the GDPR, the use of social networks and the associated data processing is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR). In particular, we want to use it to present ourselves on the internet and to increase our reach.

12.2. Facebook fan page

We use functions of the Facebook fan page service. These functions are offered by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland. As operator of the Facebook fan page, we and the operator of the social network Facebook are joint data controllers.

We have agreements with Facebook which, among other things, set out the terms of use for the Facebook fan page. These terms are mainly based on the Facebook terms of use: https://www.facebook.com/terms.php. Visit the Facebook privacy policy https://www.facebook.com/policy.php, for more information about how Facebook manages personal data, or contact Facebook via https://www.facebook.com/help/contact/540977946302970.

12.3. Facebook pixel

We use Facebook's visitor action pixel to measure conversions. The provider of this service is Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. The collected data is, however, according to Facebook, also transferred to the USA and other third countries.

With the help of this service, the behaviour of platform visitors can be tracked after they have been redirected to our platform by clicking on a Facebook ad. The purpose of this measure is to evaluate the effectiveness of Facebook ads for statistical and market research purposes and to be able to optimise future advertising and marketing activities based on this.

The data collected is anonymous for us as the operator of the platform, which means that we are unable to draw any conclusions about the identity of the users. However, the data is transferred to Facebook and processed. In particular, Facebook can match this data to the respective user profile and thus use the data for its own advertising purposes. This may also be the case if you have not logged in to Facebook. We have no influence on the range and further use of the data by Facebook. Visit the Facebook privacy policy https://www.facebook.com/policy.php, for more information on how Facebook manages personal data, or contact Facebook via https://www.facebook.com/help/contact/540977946302970.

12.4. LinkedIn

We maintain a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. You can find further information on how LinkedIn handles your personal data in their privacy policy: https://www.linkedin.com/legal/privacy-policy.

LinkedIn uses advertising cookies. If you would like to deactivate them, please follow this link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

12.5. Instagram

We use functions of the Instagram service. Provider is Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. If you are logged into your Instagram account, you can link the content of this platform to your Instagram profile by clicking on the Instagram button. This allows Instagram to connect your visit to this platform to your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the data transmitted or its use through Instagram. For more information, please consult Instagram's privacy policy: https://instagram.com/about/legal/privacy/.

12.6. Youtube

In addition to linked graphics, we also use plugins from YouTube, a site operated by Google. The operator of the site is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When you visit one of our pages equipped with a YouTube plugin, a connection to YouTube's servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out from your YouTube account.

For more information on the handling of user data, please consult YouTube's privacy policy at: https://www.google.de/intl/de/policies/privacy

12.7. Google My business

We use Google My business by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland("Google"). When you visit and interact with our Google My Business listing, Google also collects your IP address and other information that is collected in the form of cookies on your terminal device. This information is collected for statistical purposes. The data collected about you in this context will be processed by Google and may also be transmitted to the USA. The use of Google My Business is at your own responsibility.

Further explanations can be found in the Google privacy policy: https://policies.google.com/privacy.

13. Your rights as a person concerned

Provided that the legal requirements are fulfilled, you as the data subject have the right,

If you assume that your data has been processed unlawfully, you can file a complaint with the responsible supervisory authority. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

If you wish to correct, block, delete or obtain information about the personal data stored about you, or if you have any questions regarding the collection, processing or use of your personal data, or if you wish to revoke consent you have given, you can contact the above mentioned data protection officer (figure 2) or the EU data protection representative (figure 3) or the UK data protection representative (figure 4) at any time. 

14. Data security

To secure your data, we maintain technical and organisational security measures in line with the current state of the art. Communication via our platform is encoded through the use of the SSL/TLS encryption protocol. However, we would like to point out that even encrypted data transmission on the Internet always entails security risks. Seamless protection of the data against access by third parties cannot be guaranteed.