Data Privacy Statement
Grabarz & Partner Werbeagentur GmbH, Schaartor 1, 20459 Hamburg (hereinafter referred to as “G&P” or “we”) takes the security and protection of your data very seriously. We operate our websites in accordance with applicable regarding the protection of personal data protection law, in particular the provisions of the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and the Telemedia Act (TMG)).
By means of this Data Privacy Statement, we would like to inform you of the nature, scope, and purpose of the personal data we collect, use and process in connection with the use of our websites, the legal basis for the processing as well as of the rights to which you are entitled in this regard.
Applicability, Name and Address of the Controller
Operator and controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in member states of the European Union and other provisions related to data protection of the website
Grabarz & Partner Werbeagentur GmbH
Amtsgericht Hamburg, HRB 52097
General information on data processing
Generally, we only collect and use your personal data to the extent necessary to provide our services. Apart from that we only process that personal data which you actively provide to us, e.g. within the course of a registration, by sending e-mails or other inquiries to us, or by ordering services.
We solely use the personal information provided by you for the purpose of processing your participation in one of the online auctions taking place on the WebSite and processing any enquiries. For other purposes, such as e.g. consulting, advertising and market analysis, we only use your personal data after having obtained your prior consent or if we are entitled or obliged to do so pursuant to applicable law.
Provision of the WebSite and creation of log files
When the WebSite is used for informational purposes only (i.e. without registration), we only collect the personal data that your browser transfers to our server. When you access the WebSite, we collect the following data which is technically necessary in order to enable you to visit the WebSite and to ensure the stability and security (the legal basis is article 6 para. 1, sentence 1 of the GDPR):
- Websites from which you accessed our website
- Date and time of the access
- Name of the Internet access provider
- Browser type/version and language
- The operating system used
- Access status/HTTP status code
- The quantity of data transferred
- Device (PC, tablet PC or smartphone)
- Our pages visited including visit time
- The last website you visited
This data is analysed for statistical purposes only. There is no person-based analysis. The temporary storage of your IP address is necessary to enable your terminal device to access the WebSite. This requires the IP address of the user to be saved for the duration of the session.
For our WebSite, we use the following types of cookies (the legal basis for the processing of personal data using cookies is article 6 para. 1 of the GDPR):
Session cookies or functional cookies (for example, to keep open navigation elements and for help texts). Session cookies are deleted automatically when you close your browser. These save a session ID, which enables various requests to be allocated to your browser during the shared session. This enables your device to be recognised when you visit the WebSite again. In addition, further cookies are set by Shopify, Webkul and, as the case may be, the payment providers in the course of the order process. For more information see sections "Shopify Analytics" and “Web-shop” below. The session cookies are automatically deleted when the browser is closed. The remaining cookies are automatically deleted after a specified duration, which can vary in length depending on the cookie. You can delete the cookies set by us via the security settings of your browser at any time.
We deploy technical and organizational security measures to protect your personal data from being manipulated unintentionally or intentionally, lost, destroyed or accessed by unauthorized persons. Our technical and organizational measures are continuously reviewed and revised in line with the latest state of technology.
Social plugins for social networks
Our WebSite includes links to the external social network Facebook, which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”) as well as to twitter.com, which is operated by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA (“Twitter”). The links on our WebSite are identified by the Facebook logo or the Twitter logo (no plugins are used). If these links are followed by clicking on them, your browser will establish a direct connection with the servers of Facebook or Twitter. If you follow the links during your visit to our WebSite and are logged in using your personal user account with Facebook or Twitter, the information that you have visited our WebSite will be forwarded to Facebook or Twitter. In this case, Facebook or Twitter can link the visit to the WebSite to your account.
If you do not want social networks to be able to link your visit to our WebSite to your respective user account, you will need to log out of these social networks before you visit our WebSite.
If you do not want social networks to collect information about you using social plugins, you can configure “Block third-party cookies” function in your browser settings. The browser then does not send any cookies to the server in the case of embedded content from other providers. However, this setting may also disable cross page functions in addition to the social plugins under certain circumstances.
For the implementation of the online-auction function we use the extension “Product Auction”. Provider of such extension is Webkul Software Pvt Ltd. (https://webkul.com/). A session cookie is set by Webkul for the purpose of enabling the online-auction function. However, all data collected via the web-shop is solely processed by Shopify; Webkul has no access to the data.
We do not store or process your payment data ourselves, they are processed and stored via one of the third-party payment service providers (see “Payment Processing” below):
Collection and use of personal data
Personal data is only collected via the web-shop if you voluntarily provide us with it, in particular during the registration process and your participation in an online-auction. For taking part in an online-auction you must (via Shopify) provide the following personal data:
- email address
- telephone number
If you choose to use Shopify Pay, Apple Pay or Google Pay for an accelerated checkout, the data stored there will be automatically used for the checkout in our web-shop.
We store this data in the Shopify account and use it exclusively for individual communication with you and to process the sales contract if you purchase one of the records in an online auction. Legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. The data will only be stored until the contract is completely processed. Insofar as storage periods under commercial and tax law exist, the storage period can be up to 10 years.
Transmission of personal data
Your data collected via the web-shop will only be passed on to third parties if this is necessary for the execution of the contract. A passing on of the data takes place in particular in the following cases:
- Encrypted transmission of payment data to the processing payment service providers (see section “Payment processing” below) for the purpose of debiting the purchase price,
- Name and address to the shipping company commissioned by us for the delivery of the goods as well as
- to our tax advisers for the fulfilment of our tax obligations.
Depending on the chosen payment method, payment processing for orders may be effected through the involvement of a payment service provider.
The personal data forwarded to the payment service provider normally consists of the first name, surname, address, telephone number, IP address, e-mail address or other data that is required to process the order as well as data that is connected to the order, such as item number, invoice amount, invoice information etc. This data must be transmitted so your order can be processed using your selected payment method, particularly to confirm your identity and manage your payment. However, please note that the payment service provider may also transmit personal data to service providers, subcontractors or other affiliated companies, insofar as this is required to fulfil the contractual obligations from your order, or if the personal data is supposed to be processed on contract.
The legal basis for payment processing is Article 6 para. 1 lit. b) GDPR. The processing of your personal data is necessary for the fulfilment of the contract with you, whereby you are free to choose the method of payment. The data will be stored by us for as long as it is necessary to fulfil the contract. Furthermore, we store this data for the legally prescribed period for the fulfilment of post-contractual obligations and due to commercial and tax retention periods. In general, this retention period is 10 years from the end of the respective calendar year.
To the extent we process any personal data related to you, you are entitled to the following rights:
Right to Information
You have the right to request a confirmation from us whether we process personal data related to you.
If this is the case, you are entitled to request the following information from us:
- the purposes of the processing;
- the categories of personal data that are processed;
- the recipients or categories of recipients to whom the personal data has been disclosed or is still being disclosed;
- where possible, the intended period for which the personal data is stored or, if not possible, the criteria for the establishment of this period;
- the existence of the right to rectify or delete personal data of the data subject or the right to limit the processing by the controller or a right of objection against this processing;
- the existence of a right of repeal with a regulatory authority;
- where the personal data are not collected from the data subject, any available information as to their source.
Furthermore, you are entitled to a right of access to information about whether your personal data have been sent to a third country or an international organisation. Insofar as this is the case, you also have the right to receive information about the appropriate guarantees in connection to the transfer of the data pursuant to Art. 46 GDPR.
Right to Object
If and to the extent we rely on our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR when processing your personal data, you have the right to object to the processing of your personal data on grounds relating to your particular situation. In this case we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests or the processing is necessary for the establishment or defence of legal claims.
Right to Rectify
You have the right to request from us the immediate rectification of any inaccurate personal data as well as the completion of any incomplete personal data relating to you. In this case, we will immediately rectify your personal data.
Right to Limit the Processing
You have the right to request from us the limitation of your personal data if one of the following requirements is given:
- You have challenged the accuracy of your personal data, and this is for a period that enables the us to verify the accuracy of your personal data.
- The processing is illegal and you decline the deletion of your personal data and instead request limiting its use.
- We no longer require your personal data for the purposes of the processing, you, however, require the data for the assertion, exercise or defence of legal claims, or
- You have filed an objection to the processing in accordance to article 21 para. 1 GDPR, and it is still undetermined whether our legitimate reasons as controller outweigh yours as the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If the processing of your personal data has been restricted in accordance with the above requirements, we will immediately notify you before the restriction is lifted.
Right to Deletion
You have the right to request from us that your personal data is promptly deleted provided one of the following reasons pertains and if the processing is not necessary:
- Your personal data is recorded for such purposes or processed in another manner for which it is no longer necessary.
- In case the processing of the personal data is based on Art. 6 para. 1 lit. a GDPR, you revoke your consent on which the processing is based.
- You file an objection against the processing in accordance with article 21 section 1 of the GDPR, and there are no predominant legitimate reasons for the processing, or you file an objection against the processing in accordance with article 21 section 2 of the GDPR.
- Your personal data was unlawfully processed.
- The deletion of your personal data is necessary for the fulfilment of a legal obligation.
A right to deletion does not exist, if the processing is necessary
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by law or for the performance of a task carried out in the public interest or in the exercise;
- for the establishment, exercise or defence of legal claims.
Right of appeal to a supervisory authority
Without prejudice to any other remedy, you have the right of appeal to a competent supervisory authority if you believe that the processing of your personal data violates applicable data protection law.
Withdrawal of consent
To the extent that the processing of personal data is based on your consent in accordance with article 6 paragraph 1 of the DS-GVO, you may withdraw your consent at any time effective for the future by sending an e-mail to email@example.com.
You can send all inquiries, explanations and questions relating to the usage of the data to our Privacy Officer via e-mail to
or by regular mail to
Grabarz & Partner Werbeagentur GmbH,
Schaartor 1, 20459 Hamburg