Data Privacy Statement

WhiskyAuction.Com

Privacy policy

Table of contents:

1) Preamble

2) Controller and principal contact for data protection

3) Log files

4) Contact form

5) Delivery request form

6) Request form for Germany-wide pick-up service

7) Form for placing a bid in an auction

8) Form for requesting a forgotten BidderID or password

9) Registration process

10) Participation in an auction

11) Data security

12) Amendment of the privacy policy

13) Withdrawal

14) Rights of data subjects

 

1)   Preamble

Welcome to our website! We take the protection of your data and your privacy very seriously. The purpose of this document is to provide you with information about what types of data we process and when, for what purpose and on what legal basis we process data. In this document, we would like to explain to you how our services work and how we protect your personal data.

In accordance with Article 4 (1) of the GDPR, personal data means any information relating to an identified or identifiable individual. An identifiable natural person is one who can be identified, directly or indirectly. For further details, please refer to Article 4 (1) of the GDPR.

This privacy policy is accessible in electronic format through our website, https://whiskyauction.com/privacy, and may be downloaded, stored and printed at any time.

If we use our legitimate interest or the legitimate interest of a third party as the legal basis for processing your personal data (Article 6 (1) point (f) of the GDPR), you have the right to object to this processing pursuant to Article 21 of the GDPR:

 

Pursuant to Article 21 of the GDPR, you have the right to object to the processing of your personal data which relies on our legitimate interests as the legal basis for the processing of personal data (Article 6 (1) point (f) of the GDPR).

Under Article 21 of the GDPR, you have the right to object to the processing of your personal data at any time. We shall then no longer process your personal data for purposes of direct marketing or related profiling.

 

Likewise, we shall then no longer process your personal data for any other purpose, unless we can demonstrate compelling legitimate reasons for the processing which override your interests, rights and freedoms, or unless the processing serves to enforce, exercise or defend legal claims (cf. Article 21 (1) of the GDPR, so-called "Limited right to object"). In this case, you have to set out the reasons for the objection, which relate to your particular situation.

 

Where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) of the GDPR, you have the right to object to the processing of your personal data for reasons relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest (cf. Article 21 (6) of the GDPR).

 

Where applicable, we shall advise you again separately of your right to object to the processing of your data in the relevant sections of this document (e.g. by stating, "You have the right to object"), where you will also find additional information on the exercise of your right to object.

 

For reasons of presentation, to make the text easy to follow, we use links at various points to refer to information and privacy policies found on external websites (cf. section on "External links" in this privacy policy). We make every effort to keep the links that we list in this privacy policy up-to-date. Nevertheless, it is possible that, due to the constant updating of websites, the links may not function correctly. If you come across a broken link, we would appreciate it if you notified us so that we can update it.

 

2)  Controller and principal contact for data protection

The controller within the meaning of Article 4 (7) of the GDPR is:

 

WhiskyAuction.Com Thomas Krüger and Klaus Rosenfeld GbR

represented by its partners: Thomas Krüger and Klaus Rosenfeld

Timmerloh 8

D-24787 Fockbek

Telephone: +49 4331 56564

Email: Service@WhiskyAuction.Com

 

If you have any questions regarding the processing of your personal data or your rights with respect to data protection, please contact:

 

WhiskyAuction.Com Thomas Krüger and Klaus Rosenfeld GbR

represented by its partners: Thomas Krüger and Klaus Rosenfeld

Timmerloh 8

D-24787 Fockbek

Telephone: +49 4331 56564

Email: Service@WhiskyAuction.Com

3)  Log files

Every time you visit our website, we automatically collect data and information from your device's system and store it in so-called server log files. This is data which relates to an identified or identifiable natural person (in this case: website visitor). The data is automatically transmitted through your browser when you visit our website. The following data is collected:

·The time of accessing our website (host provider server query),

·URL of the referring website,

·Your operating system,

·Type and version of your browser,

·IP address of your computer.

We process this data to ensure that our website is accessible from your device, and that it displays correctly on your device or your browser. In addition, the data is used to optimise the website and to ensure the security of our systems. We do not analyse this data for marketing purposes.

The legal basis for data processing is Article 6 (1) point (f) of the GDPR. We have a legitimate interest in presenting you with a website optimised for your browser, and to allow communication between our server and your device. The latter, in particular, requires the processing of your IP address.

We store the data for 30 days.

 

Right to object

You have the right to object to the data processing. You can send us or communicate to us your objection at any time (e.g. by email to Service@WhiskyAuction.Com).

The provision of personal data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. While you are not under any obligation to provide us with your personal data, if you do not do so, you may not be able to use all the features of the website fully.

 

4)  Contact form

We offer a contact form on our website, which you can use to communicate with us online. When you use the contact form to communicate with us, we will process the data entered in the input fields.

This covers the following mandatory information:

·Name

·E-mail address

·Information from the text of the question or comment

You can also add more data on a voluntary basis. This may simplify and speed up the processing of your query. The following data may come into question here:

·Name

·Information from the text of the message

We treat mandatory and voluntary information equally. The mandatory information is necessary to contact you and to be able to process your request.

When you send a message, we also store the following data:

·Your IP address

·Date and time of submitting the request

Please note that the scope of the personal data collected from the contact form also depends on the data you enter in the body of the message in the contact form.

The purpose of processing of personal data provided on a mandatory or voluntary basis is to process the contact request and to communicate with the user for purposes of answering his query. The other personal data processed upon submitting the contact form (IP address, date and time of submission) serve to prevent misuse of our contact form.

The legal basis for the processing of data as described herein is Article 6 (1) point (f) of the GDPR. Our legitimate interest is to offer you the opportunity to contact us at any time to allow us to respond to your queries.

The personal data will only be processed as long as it is necessary for the provision of this feature.

The additional personal data collected during submission will be erased after 90 days at the latest.

The recipient of the data is our server host, who works on our behalf under the terms of a data processing agreement.

 

Right to object

You have the right to object to the processing of your personal data at any time. You can send us or communicate to us your objection at any time (e.g. by email to Service@WhiskyAuction.Com).

 

The provision of personal data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. While you are not under any obligation to provide us with your personal data, if you do not do so you may not be able to use our contact form.

 

5)  Delivery request form

There is a delivery request form on our website, which you can use to send a bottle to an auction. You can also use this form to order safety boxes for delivering bottles.

When you use this form to communicate with us, we will process the data entered in the input fields.

This covers the following mandatory information:

·E-mail address

·Information from the message text relating to your delivery wishes.

You can also add more data on a voluntary basis. This may simplify and speed up the processing of your query. The following data may come into question here:

·First name

·Surname

·Street and house number

·Postcode and location

·Country

·Information from the message text relating to your delivery wishes.

We treat mandatory and voluntary information equally. The mandatory information is necessary to contact you and to be able to process your request.

When you send a message, we also store the following data:

·Your IP address

·Date and time of submitting the request

Please note that the scope of the personal data collected from the delivery request form also depends on the data you personally enter in the body of the message in the form relating to your delivery request.

The purpose of processing the personal data provided on a mandatory or voluntary basis is to process the delivery request and to communicate with the user for purposes of answering the query. The other personal data processed upon submitting the delivery request form (IP address, date and time of submission) serve to prevent misuse of our form for delivery requests.

The legal basis for the processing of data as described herein is Article 6 (1) point (f) of the GDPR. Our legitimate interest is to offer you the opportunity to contact us at any time to allow us to respond to your queries.

The personal data will only be processed as long as it is necessary for the provision of this feature.

The additional personal data collected during submission of the delivery request form will be erased after 90 days at the latest.

The recipient of the data is our server host, who works on our behalf under the terms of a data processing agreement.

 

Right to object

You have the right to object to the processing of your personal data at any time. You can send us or communicate to us your objection at any time (e.g. by email to Service@WhiskyAuction.Com).

The provision of personal data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. While you are not under any obligation to provide us with your personal data, if you do not do so, you may not be able to use our form.

6)   Form for requesting Germany-wide pick-up service

We offer a form on our website, which you can use to request a Germany-wide pick-up service. We pick up collections starting from 100 bottles of malt whiskey anywhere in Germany, if need be, free of charge. By prior arrangement, we can also pick up collections starting from 30 bottles, if necessary.

When you use this form to communicate with us, we will process the data entered in the input fields.

This covers the following mandatory information:

·Name

·E-mail address

·Address

·Number of bottles

·Required pick-up date

You can also add more data on a voluntary basis. This may simplify and speed up the processing of your query. The following data may come into question here:

·Fixed or mobile telephone number

We treat mandatory and voluntary information equally. The mandatory information is necessary to contact you and to be able to process your request.

When you send a message, we also store the following data:

·Your IP address

·Date and time of submitting the request

Please note that the scope of the personal data collected from the delivery request form also depends on the data you personally enter in the body of the message in the form relating to your delivery request.

The purpose of processing the personal data provided on a mandatory or voluntary basis is to process the delivery request and to communicate with the user for purposes of answering the query. The other personal data processed upon submission (IP address, date and time of submission) serve to prevent misuse of our form for requesting Germany-wide pick-up service.

The legal basis for the processing of data as described herein is Article 6 (1) point (f) of the GDPR. Our legitimate interest is to offer you the opportunity to contact us at any time to allow us to respond to your queries.

The personal data will only be processed as long as it is necessary for the provision of this feature.

The additional personal data collected during submission of the form for requesting Germany-wide pick-up service will be erased after 90 days at the latest.

The recipient of the data is our server host, who works on our behalf under the terms of a data processing agreement.

 

Right to object

You have the right to object to the processing of your personal data at any time. You can send us or communicate to us your objection at any time (e.g. by email to Service@WhiskyAuction.Com).

 

The provision of personal data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. While you are not under any obligation to provide us with your personal data, if you do not do so, you may not be able to use our form.

 

7) Form for placing a bid in an auction

As a registered user, you can use our website to place bids in auctions. To do this, select a bottle that you are interested in. The bidder's form is displayed on the "Bid page" for the respective bottle.

If you place a bid using this form, we will process the date and your BidderID entered in the input field.

When you submit your bid, the following data will also be stored:

·Your IP address

·Date and time of submitting the request

The purpose of the processing of personal data is to assign the submitted bid to your BidderID. The other personal data processed upon submission (IP address, date and time of submission) serve to prevent misuse of our form for placing a bid in an auction.

The legal basis for the processing of your personal data and BidderID data is Article 6 (1) point (b) of the GDPR.

The legal basis for the processing of other personal data is Article 6 (1) point (f) of the GDPR. Our legitimate interest is to ensure that the option to place a bid in an auction is not abused.

The personal data will only be processed as long as it is necessary for the provision of this feature.

The additional personal data collected during submission of the form for placing a bid in an auction will be erased after 90 days at the latest.

The recipient of the data is our server host, who works on our behalf under the terms of a data processing agreement.

 

Right to object

You have the right to object to the processing of your personal data at any time. You can send us or communicate to us your objection at any time (e.g. by email to Service@WhiskyAuction.Com).

 

The provision of personal data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. While you are not under any obligation to provide us with your personal data, if you do not do so you may not be able to use our contact form.

 

8)  Form for requesting a forgotten BidderID or password

We offer a form on our website, which you can use to request a forgotten BidderID or password. When you use this form to communicate with us, we will process the data entered in the input fields, such as the date and your e-mail address.

When you submit your query, we also store the following data:

·Your IP address

·Date and time of submitting the request

The purpose of processing personal data is to process your query regarding a forgotten BidderID or password, and to get in touch with you (the sender) for purposes of answering your query. The other personal data processed upon submitting the contact form (IP address, date and time of submission) serve to prevent misuse of our contact form.

The legal basis for the processing of data as described herein is Article 6 (1) point (f) of the GDPR. Our legitimate interest is to offer you the opportunity to contact us at any time so that we can send you your new BidderID or current password.

The personal data will only be processed as long as it is necessary for the provision of this feature.

The additional personal data collected during submission of the form for requesting a forgotten BidderID or password will be erased after 90 days at the latest.

The recipient of the data is our server host, who works on our behalf under the terms of a data processing agreement.

 

Right to object

You have the right to object to the processing of your personal data at any time. You can send us or communicate to us your objection at any time (e.g. by email to Service@WhiskyAuction.Com).

 

The provision of personal data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. While you are not under any obligation to provide us with your personal data, if you do not do so you may not be able to use our contact form.

 

9)  Registration process

You have the option to create a user account on our website to receive a BidderID which you can use to take part in auctions.

 

a)    Computop

As a first step, we offer you the option to enter your Visa or Mastercard credit card number, expiry date and the card verification number into a form provided by Computop Wirtschaftsinformatik GmbH, Schwarzenbergstraße 4, 96050 Bamberg, Germany (Computop Paygate). The personal data you enter into the form (Computop Paygate) will only be stored at Computop.

Computop Paygate is an interface that enables the technical control of payment transactions from different channels. Computop Paygate is located in a data processing centre in Düsseldorf. It cannot be ruled out that Computop could also transmit the information to a server in a third country that is not a member of the EU.

By integrating Computop, we can offer you the option to pay by credit card when you participate in an auction on our website. Payments are handled directly through Computop. Computop is certified according to the Data Security Standard of the Payment Card Industry (PCI-DSS certified). PCI-DSS is an information security standard developed by the major credit card companies (American Express, Discover, JCB, MasterCard and Visa) to improve controls over credit card data handling and to reduce fraud.

All personal data communicated to or collected by Computop are managed by Computop.

Computop automatically checks whether a transaction can be executed using the credit card you have specified. An amount of € 1 will be reserved on the credit card you specified in the form. If Computop comes to the conclusion that a transaction or reservation is not possible, the registration process on our website cannot proceed and will be terminated.

If the outcome of the check by Computop is positive, Computop will transmit to us only pseudonymised payment data.

Computop always truncates or masks credit card numbers or bank details on the display whenever the full credit card number or bank details are not required. The truncation of credit card numbers or bank account details is required under PCI-DSS in its current version. In addition, the credit card numbers or bank details must be made illegible when displayed or stored in accordance with the PCI-DSS requirements and the procedures specified therein. According to the information provided by Computop, these requirements are regularly externally audited and certified as part of the certification process.

Under the data processing agreement (Article 28 of the GDPR) we have mandated Computop to convert the credit card numbers you specify into so-called pseudo card numbers (PCN). A PCN is a pseudonymised replacement for the real credit card number, which we can store and use in future transactions. The PCN is automatically generated by Computop Paygate when you make a payment by credit card. The last three digits of the PCN are identical to those of the real credit card number. When you make a payment, the real credit card number will be transmitted directly to and stored by the PCI-DSS certified Computop Paygate; it will not be sent to us and neither will it be stored by us. Computop Paygate will inform us about the payment result using the PCN.

For more information about Computop, please refer to https://www.computop.com/de/, https://www.computop.com/de/loesungen/computop-paygate/, https://www.computop.com/de/unternehmen/ueber-computop/ and https://www.computop.com/de/datenschutz.

The purpose of the processing of data is to complete the registration process. The legal basis for the processing of data as part of the registration process is our legitimate interest. Our legitimate interest is to check whether a registration on our website is genuine and to speed up the payment process. 

We will only store the data as long as it is necessary to complete the registration process, implement and process your auction and to comply with statutory retention periods.

 

Right to object

You have the right to object to the data processing. You can send us or communicate to us your objection at any time (e.g. by email to Service@WhiskyAuction.Com).

 

The provision of personal data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. While you are not under any obligation to provide us with your personal data, if you do not do so you may not be able to use all the features of the website fully and the display of the website may change.

 

b)    Registration form

In the second step, we offer you the option to use an application form to register with us. As part of the registration process, we process the data entered in the input fields.

This covers the following mandatory information:

·First name

·Surname

·Street

·House number

·Postcode

·Location

·Country

·E-mail address

·Password

·Shipment type

·Private collector or business entity

You can also add more data on a voluntary basis. The following data may come into question here:

·Address 2

·Address 3

·Telephone number

·Already a member

We treat mandatory and voluntary information equally. The mandatory information is necessary to create a user account.

When you submit your registration, we also process the following data:

·Your IP address

·Date and time of submitting the request

We use the so-called double opt-in process for registrations. After registration, we shall send you an activation link to the email address you specified to confirm or activate your registration. We use this process to ensure that the email address you specified on our website is yours. If you fail to confirm or activate your registration within 30 days, the registration will not be completed and the confirmation or activation link will no longer work. You will then be asked to go through the registration process again. If your email address is not confirmed within the above period, we shall erase the registration data.

 

If you click on the activation link, we shall process the following data as part of the double opt-in process: 

·Your IP address

·Date and time of submitting the request 

The purpose of the processing of personal data is to provide the user with a personal user account. Another purpose is to deliver the purchased product or products to the user who has placed the highest bid in an auction. We may transmit the data you provide in the registration form to the contracted delivery company to the extent necessary for the performance of the contract. The purpose of processing the double opt-in data is in particular to prevent misuse of the registration.

The legal basis for the processing of personal data described herein is Article 6 (1) point (f) of the GDPR. We have a legitimate interest in providing you with a user account. We have a legitimate interest in the processing of double-opt-in data to prevent misuse.

 

Right to object

You have the right to object to the data processing. You have the right to deactivate or delete your account at any time.

You can send us or communicate to us your objection at any time (e.g. by email to Service@WhiskyAuction.Com).

We only store processed data for as long as necessary for the intended purpose or as required by law.

The recipient of the data is our server host, who works on our behalf under the terms of a data processing agreement.

The provision of personal data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. While you are not under any obligation to provide us with your personal data, without the necessary information, we shall not be able to provide you with a user account.

 

10) Participation in an auction

Our website offers you the opportunity to take part in auctions. When you take part in an auction, we will process, in particular, the following data:

·Bid placement

·Highest bid

·BidderID

·Password

We also collect data from the entry form.

The purpose of the processing of personal data is to process the placement of your bid in an auction. Another purpose is to record the highest bid and to perform a contract with the highest bidder.

The legal basis for the processing of data as described herein is Article 6 (1) point (b) of the GDPR.

In addition, we also process your IP address and the date and time of the order to verify the data in the event of suspected misuse.

The legal basis for this is Article 6 (1) point (f) of the GDPR. We have a legitimate interest in detecting misuse when bids are placed on our website and taking necessary action.

If you have placed the highest bid in an auction, your pseudonymised credit card number will be transmitted together with the invoice amount and invoice number for the auction to Computop, which will debit the invoice amount from the credit card you have specified during the registration process. For more information, please refer to Section "9) Registration process a) Computop". In addition, the data is processed by our server host as part of data processing performed on our behalf and exclusively under our instructions.

The legal basis for the processing of data as described herein is Article 6 (1) point (b) of the GDPR.

Furthermore, we have to take into account the statutory retention requirements under which we are obliged to keep certain documents for up to 10 years (in particular under Article 257 of the Commercial Code (HGB), Article 147 of the Tax Code (AO), Articles 14, 14b of the Value Tax Act (UstG)). As soon as the contract has been completed, the contract data will be blocked and erased at the end of the retention period. The legal basis for this is Article 6 (1) point (c) of the GDPR.

The other data (in particular, the IP address) will be erased as soon as it is no longer required for the purpose for which it was originally collected. The data will be erased after 90 days.

Where your personal data are processed on the basis of our legitimate interest, you will have the right to object.

Right to object

You can send us or communicate to us your objection at any time (e.g. by email to Service@WhiskyAuction.Com).

While the provision of personal data is not a statutory or contractual requirement, it is required to place an order in our online store. While you are not under any obligation to provide us with your personal data, if you do not do so, you will not be able to place an order with us.

11) Data security

We use technical and organisational measures to protect our website and other systems against loss, destruction, access, modification, or dissemination of your data by unauthorised persons. Notwithstanding our best efforts, data security and protection against all risks cannot be fully guaranteed.

12) Amendment of the privacy policy

We may have to amend our privacy policy to reflect changes in the law or changes in our internal processes.

If we have to amend our privacy policy on this basis, we shall state this at the beginning of the privacy policy.

13) Withdrawal

You have the right to withdraw your consent with future effect at any time, without affecting the legality of processing based on consent before its withdrawal.

14) Rights of data subjects

As a data subject, you have the following rights:

·Right of access to information (Article 15 of the GDPR)

·Right to rectification (Article 16 of the GDPR)

·Right to object (Article 21 of the GDPR)

·Right to erasure of data (Article 17 of the GDPR)

·Right to restriction of processing (Article 18 et seq. of the GDPR)

·Right to data portability (Article 20 of the GDPR)

If you have any questions relating to your rights, please contact Service@WhiskyAuction.Com. Please note that we have to ensure in this case that we are dealing with the actual data subject.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority.

We do not use automated decision-making on our website. 

 

Version: 22/06/2018