Data Privacy Policy

The following data privacy notice aims to provide you with information on how we process your personal data and inform you about your rights according to data protection law.

Which data we process and how it is used depends significantly upon the contractual object and the services agreed upon. This information covers all services provided by us, including the provision of our website (henceforth referred to as: "website"), and applies to customers, their authorised representatives or correspondents, as well as potential customers with whom no contractual agreement yet exists.

1.   Who is responsible for processing my data and who can I contact? 

The responsible address is:

Kunsthaus Lempertz KG
Neumarkt 3
50667 Cologne
Tel.: +49 221 925729 0
Fax: +49 221 925729 6

You can contact our data protection officer under:

Kunsthaus Lempertz KG
Dr. Takuro Ito
Neumarkt 3
50667 Cologne
Tel.: +49 221 925729 0
Fax: +49 221 925729 6

2.  What sources and data do you process?

We process the personal data which our customers provide us with during the course of our business relationship with them. Insofar as it is necessary for commercial purposes, we also process personal data that can be legally obtained from publicly available sources (such as debtor registers, land registries, trade or association registers, the press, the internet) or which can be lawfully provided to us by our representatives or other third parties.

This relevant personal data includes particulars (name, address and other contact details, date and place of birth, nationality), legitimisation data (for example ID data) and authentication data (such as examples of a signature, login data). They can also include order data (such as payment orders), data gleaned from carrying out our contractual obligations (for example sales data from transactions), information about your financial situation (for example credit ratings, origins of financial assets), advertisement and sales data (for example for event management), various documentary data (for example risk ratings), and other data comparable to the above mentioned categories.

We also register data when you read information or download data from our website. This allows us to carry out statistical analyses and optimise our services according to your needs. We register and record every visit to our website and every time data on our website is accessed. This data is used to carry out internal system-relevant and statistical processes. Further personal details are only recorded when this data is provided voluntarily, for example when filling out a registration form or questionnaire. 

We would like to note that any transfer of data via the internet (such as e-mail communication) can harbour security risks. It is impossible to provide complete protection of your data from third parties.


Our website uses some so-called cookies. Cookies do not harm your device and do not harbour viruses. They only serve to make our services more effective, user friendly, and safe. Cookies are small text files which are filed on your computer and saved by your browser.

The majority of these cookies are so-called “session cookies”. They are automatically deleted after the end of your website visit. Other cookies remain saved on your device until you delete them. These cookies allow us to recognise your browser when you visit our website again.

You can configure your browser so that it informs you when cookies are being set and allows you to authorise them on a case-by-case basis, but also to exclude cookies from being set either in specific cases or in general, and to automatically delete cookies when you close your browser. Deactivating cookies can impair the functionality of the website. 

Cookies which are required in order to carry out certain functions of electronic communication or to provide specific, desirable services (for example the shopping cart function) are stored according to art. 6 para. 1 lit. f GDPR. We have a legitimate interest in storing your cookies in order to provide services which are optimised and free of technical errors.

Other cookies which may be stored (for example cookies used to analyse your internet usage) are covered in a separate area of this data protection policy.

Google Analytics

This website uses Google Analytics, a web analysis service provided by Google ("Google"). Google Analytics uses so-called “cookies”, text data files which are saved on your computer and allow this service to analyse your website usage. As a rule, the information generated from the cookie about your website usage is transferred to one of Google's servers in the US and stored there.

The activation of IP anonymisation on this website means that if you are inside the European Union or any of the other contracting states of the European Economic Area, your IP address will be shortened by Google before being sent. Only in exceptional cases will a full IP address be sent to one of Google's servers in the US and shortened there.

At the website operator's request, Google uses this information to analyse your website usage, create reports about website activity, and provide other services for the website provider relating to website and internet usage. The browser IP address collected for Google Analytics is not connected to any other data collected by Google.

You can prevent cookies being saved by changing your browser settings; however, we would like to point out that, should you do this, you will not be able to use all features of this website to their full potential. You can also prevent Google from receiving or analysing the data from the cookie created when you visit this website (including your IP address) by clicking on the following link and downloading and installing the browser plug-in.

You can find general information about Google Analytics and data protection under: or under

You can prevent Google Analytics from collecting data when you visit this website by clicking the following link. This downloads an opt-out cookie which will prevent further data being collected when you visit this website:

We allow Google Analytics to process your personal data on the legal grounds provided in article 6 paragraph 1 lit. f GDPR. The goal of this data processing and our legitimate interest are in the analysis of the usage of this website.

Server Log Files

The website provider automatically gathers and saves information in so-called server log files, which are automatically sent to us by your browser. These include:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Host name of the PC used
  • Time of server inquiry
  • IP address

This data cannot be connected to a specific person. The data are not brought into connection with other data sources. We reserve the right to subsequently check this data if we have grounds to suspect any illicit usage. The legal grounds for the processing of this data are provided by article 6 paragraph 1 lit. f GDPR. The goal of this data processing and our legitimate interest are the ease of administration of the website, the ability to present website data according to viewer requirements, and the opportunity to recognise and penalise hacking.   

Social Media Plug-ins

Various third party services are incorporated into this website. These include so-called plug-ins, which provide information hosted by certain outside servers or allow for interaction with social media services. The third party social media networks and services incorporated into our website are: Facebook, Google+, Google Maps, Instagram, Twitter, Vimeo, Youtube.

In order to increase data protection on our website, these plug-ins are not activated automatically, but instead must be activated by you. This only happens when you click on a social media link. This guarantees that your browser does not automatically connect to the servers of these plug-in providers when you visit a page of our website that includes their plug-ins. This only occurs once you have activated the plug-in and given your permission for the browser to create a direct connection with the servers of the plug-in providers. The contents of the specific plug-in are then sent to your browser and embedded in the website.

These plug-ins can transfer services from the service providers according to their settings, provider, and user interaction. This occurs, for example, when you click on a map from Google Maps, a linked twitter wall, or an integrated Facebook “like” button. This also occurs when you click on multimedia services which are not directly hosted on this website but instead streamed via third party hosts such as YouTube.

The social media settings for networks such as Facebook, Google+, Instagram, and Twitter have been chosen in such a way that the connection and transfer of your data only occurs when you click on the specific link. The other services are used to embed content in our website. In this case, data transfer can take place as soon as you visit the web page in which these services are embedded.

We have no influence on the data collected by these third party providers and we are not responsible for the data processing that occurs in the sense of the GDPR. Thus, we cannot provide conclusive or comprehensive information about the extent, legal framework, purposes, or saving periods of the data collection carried out by these providers.

We would therefore like to refer you to the data protection policies of the providers which we use. Here you can inform yourself about the purposes and extent of their data collection and processing as well as your rights with regards thereto:

• Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA;

• Google Inc. (für Google+ und Google Maps), 1600 Amphitheater Parkway, Mountain View, California 94043, USA;

• Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA;

• YouTube LLC with headquarters in 901 Cherry Avenue, San Bruno, CA 94066, USA,

• Instagram LLC, 1601 Willow Rd. Menlo Park, California 94025, USA,


3.         Why do we process your data (purposes of data processing) and on what legal basis?

We also process your personal data for purposes aside from providing our website (see point 2 above) in accordance with the requirements set out by the EU general data protection regulation (GDPR), the Bundesdatenschutzgesetz (BDSG), and the Kulturgutschutzgesetz (KGSG): 

a. In order to perform contractual obligations

(art. 6 para. 1 lit. b GDPR) 

We process data in order to carry out purchase transactions as part of our contractual agreements with customers, or to carry out pre-contractual services such as auction registrations and the placing of bids. The purposes of this data processing are related to the specific service being provided and can include requirement analyses and the completion of transactions.

b. In order to safeguard legitimate interests 

(art. 6 para. 1 lit. f GDPR) 

Insofar as necessary, the processing of your data can also go beyond the fulfilment of contractual obligations and serve to safeguard our legitimate interests or those of third parties. Some examples of this would include:

  • Consultation and exchange of data with credit agencies (such as SCHUFA) in order to calculate risks
  • Testing and optimisation of requirement analysis processes for the purposes of contacting customers directly
  • Advertisement, including invitations to events, provided you have not objected to the use of your data for this purpose
  • Sending of newsletters
  • Defence of legal claims and defence during legal disputes
  • Ensuring IT security and safeguarding Lempertz' IT services
  • Preventing and solving crimes
  • Video security in order to uphold property rights and collect evidence in cases of burglary or fraud
  • Measures to ensure security of our buildings and facilities (for example entry controls)
  • Measures to safeguard property rights
  • Measures to manage our company and develop services
  • Risk control
  • Creating new customer and business relationships
  • According to § 42 KGSG, we - as commercial traders - are required to:
  • Know the name and address of the seller, the consignor, the purchaser and/or the commissioner
  • Provide descriptions and illustrations by which the cultural good can be identified
  • Investigate the provenance of the cultural good
  • Verify documents proving the object's rightful import or export
  • Check for import, export, or sales prohibitions and limitations
  • Verify whether the cultural good is recorded in publicly available lists and data bases, and obtain a written or electronically transmitted declaration from the consignor or seller that they are entitled to feely dispose of the cultural good in question 

c. Consequences of your consent

(art. 6 para. 1 lit. a GDPR)

When you provide us with consent to process your personal data for specific purposes (such as sending marketing materials per email), it confirms the legality of this data processing. You can withdraw your consent at any time. This includes declarations of consent given before the GDPR came into effect, ie. before 25th May 2018. The withdrawal of your consent does not affect the legality of data processing carried out prior to this withdrawal.

d. Due to legal requirements (art. 6 para. 1 lit. c GDPR) or when it is in the public interest (art. 6 para. 1 lit. e GDPR)

We are also required to act according to a number of legal obligations, these include legal requirements (such as money laundering regulations, cultural goods regulations, tax regulations) and regulatory requirements. The purposes of this data processing include, among other uses, credit assessments, identity and age checks, prevention of fraud and money laundering, prevention of market abuse, performance of checks and reports required by tax law, and the analysis and regulation of risks within Kunsthaus Lempertz KG. 

4.    Who receives my data? 

We do not disseminate customers' personal data. The only time your personal data can be disseminated is in cases in which this is required by law or when you yourself have provided consent.

Apart from this, intermediary offices responsible for ongoing customer service may also receive data when necessary. According to these prerogatives, the recipients of personal data may include:

  • Public offices and institutions (such as tax authorities, law enforcement authorities) in the case of legal or bureaucratic obligations
  • Credit or financial service institutions or similar institutes who receive your data to enable us to carry out our contractual obligations to you (such as banks)
  • Other Lempertz branches for the purposes of risk regulation due to legal or bureaucratic obligations

The service providers and vicarious agents used by us may receive your personal data when they have signed a contractual data processing agreement to protect your personal data. These include companies in the categories of IT service providers, logistics firms, printing companies, telecommunications providers, debt collection companies, as well as consulting and marketing firms.

Further recipients of data may include those companies for whom you have provided consent for the transfer of your data.

5.    Will my data be transferred to third countries or international organisations? 

As a rule, none of your data is transferred to states outside of the European Union (so-called third countries). However, data transfer may occur in individual cases, such as:

  • When such a transfer is necessary to carry out your orders (for example payment of shipping orders)
  • When it is required by law (for example in accordance with the law for the protection of cultural goods)
  • When you have provided consent for such a transfer

6.    How long is my data stored?

We process and store your personal data for as long as is necessary in order to carry out our contractual and legal obligations towards you.

Should your data no longer be required to carry out contractual or legal obligations, it is deleted regularly, unless it is necessary to store the data for a set time period for the following purposes:

  • To comply with legal retention periods required by trade and tax regulations such as the German commercial code (HGB), money laundering law (GWG), and the law for the protection of cultural goods (KGSG). The retention and documentation period stipulated by the KGSG is 30 years, according to § 45, 2 KGSG. The relevant documents can be recorded and stored in electronic form.
  • To retain evidence in accordance with legal statutes of limitation. According to §§ 195ff. of the German civil code (BGB), statutes of limitation extend to up to 30 years, although the regular statute is three years.

As long as no contractual relationship exists, we will delete your data as soon as it becomes apparent that no such relationship is likely to come into effect in the future, or when you inform us that you do not wish for us to process your data.

7.    What are my rights with regards to data protection? 

All data subjects have the right of access according to article 15 GDPR, the right of rectification according to article 16 GDPR, the right to erasure according to article 17 GDPR, the right to restriction of processing according to article 18 GDPR, the right to object according to article 21 GDPR (see below), and the right to data portability according to article 20 GDPR. The right of access and the right to erasure are subject to the limitations stipulated by §§ 34 and 35 of the German federal data protection act (BDSG). You also have the right to lodge a complaint with the responsible data protection supervisory authority (article 77 GDPR, in conjunction with § 19 BDSG). In the case of Lempertz KG, the responsible authority is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW).

You can always withdraw your consent to the processing of personal data. This includes declarations of consent given before the GDPR came into effect, ie. before 25th May 2018. Please note that such objections only apply to future data processing, the withdrawal of your consent does not affect the legality of data processing carried out prior to this withdrawal.

You can exercise these rights by contacting the entities mentioned under point 1.

8.  Am I under obligation to provide data? 

As part of our business relationship, you are required to provide such data as is necessary in order for us to initiate and carry out this relationship and fulfil the contractual responsibilities involved, as well as those data which we are required to collect by law. Generally, without this data we would be unable to enter into or carry out any business contract with you.

We are especially required to carry out measures stipulated by anti money laundering regulations, such as insisting that you identify yourself with a valid ID whenever you enter into a business relationship with us, and recording and storing your name, place and date of birth, nationality, address, and ID documents. In order for us to meet these legal demands, according to anti money laundering regulations you are required to provide us with the necessary information and documents and to inform us immediately of any changes to the aforementioned which take place during the course of our business relationship. Should you fail to supply the correct information and documents, we cannot begin or continue the desired business relationship with you.   

Should no contractual relationship exist between you and Lempertz, you are under no obligation to tolerate the use of your data and have the right to object to the storing or processing of your data at any time. You can provide this objection via telephone, post, fax, or email. Please send your objection to:

Kunsthaus Lempertz KG 

Dr. Takuro Ito
Neumarkt 3
50667 Cologne
Tel.: +49 221 925729 0
Fax: +49 221 925729 6

In the case of an objection, we will delete your data from our systems.

9. To what extent does automated decision making take place? 

Generally, we do not use automated decision making as described in article 22 GDPR when initiating or carrying out business relations. Should such a process be used in individual cases, you will be informed insofar as this is required by law.

10.  When does profiling take place? 

In some cases, we process your data automatically with the aim of analysing certain aspects (profiling). We use profiling in the following scenarios:

  • When we are required to do so according to law or regulations designed to prevent money laundering, the funding of terrorism, and asset-related crimes. To do this, we may carry out data analyses (including analyses of payments). These measures also serve to increase your security.
  • We use analysis tools in order to provide you with targeted information about our services. These make our communications and advertisements more user-friendly.
  • We use scoring when assessing creditworthiness. The scoring process is designed to calculate the likelihood of a customer being able to carry out payment responsibilities in accordance with their contractual obligations. The scoring may take into account income situation, spending habits, existing liabilities, profession, employer, duration of employment, experiences from previous business relationships, repayment of previous credits, as well as the information provided by credit agencies. Scoring is based on a mathematically and statistically recognised and proven method. The scores reached help us make decisions with regards to contractual agreements and form a part of our usual risk management measures.

Information regarding your right to object according to article 21 of the general data protection regulation (GDPR)

1 . Right to object in individual cases 

You have the right to object at any time to the processing of your personal data carried out in accordance with article 6 paragraph 1 letter e GDPR (data processing for tasks carried out in the public interest) and article 6 paragraph 1 letter f GDPR (data processing according to legitimate interests pursued) on grounds relating to your particular situation, this also applies to profiling carried out in the spirit of article 4 no. 4 GDPR.

Should you object, we will no longer process your personal data, unless we can prove that there are cogent interests in this processing which are worthy of protection that outweigh your interests, rights, and liberties, or when the processing serves to enforce, exert, or defend legal rights.

2. The right to object to the processing of data for the purposes of direct marketing

We occasionally process your personal data for the purposes of direct marketing. You have the right to object to the processing of data relating to your person for this purpose at any time; this also applies to profiling insofar as this is carried out in connection with direct marketing.

Should you object to data processing for the purposes of direct marketing, we will refrain from using your data for these purposes.

You can send your informal objection to the following address: 

Kunsthaus Lempertz KG
Dr. Takuro Ito
Neumarkt 3
50667 Cologne
Tel.: +49 221 925729 0
Fax: +49 221 925729 6