Data Policy

Data Privacy Statement

Grabarz & Partner Werbeagentur GmbH, Schaartor 1, 20459 Hamburg (hereinafter referred to as “G&P” or “we”) takes the security and protection of your data very seriously. We operate our websites in accordance with applicable law regarding the protection of personal data, in particular the provisions of the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and the Telemedia Act (TMG).

By means of this Data Privacy Statement, we would like to inform you of the nature, scope, and purpose of the personal data we collect, use and process in connection with the use of our websites, the legal basis for the processing as well as of the rights to which you are entitled in this regard.


Applicability, Name and Address of the Controller

The operator of the website (“WebSite”) and the controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in member states of the European Union and other provisions related to data protection is:

Grabarz & Partner Werbeagentur GmbH 
Schaartor 1 
20459 Hamburg 
Amtsgericht Hamburg, HRB 52097


General information on data processing

Generally, we only collect and use your personal data to the extent necessary to provide our services. Apart from that, we only process the personal data that you actively provide to us, e.g. in the course of a registration, by sending e-mails or other inquiries to us, or by ordering services.

We solely use the personal information provided by you for the purpose of processing your participation in one of the online auctions taking place on the WebSite and processing any enquiries. For other purposes, such as consulting, advertising and market analysis, we only use your personal data after having obtained your prior consent or if we are entitled or obliged to do so pursuant to applicable law.


Provision of the WebSite and creation of log files

When the WebSite is used for informational purposes only (i.e. without registration), we only collect the personal data that your browser transfers to our server. When you access the WebSite, we collect the following data, which is technically necessary to enable you to visit the WebSite and to ensure its stability and security (the legal basis is article 6 para. 1, sentence 1 of the GDPR):

  • Websites from which you accessed our website
  • Date and time of the access
  • Name of the Internet access provider
  • Browser type/version and language
  • The operating system used
  • Access status/HTTP status code
  • The quantity of data transferred
  • Device (PC, tablet PC or smartphone)
  • Our pages visited including visit time
  • The last website you visited

This data is analysed for statistical purposes only. There is no person-based analysis. The temporary storage of your IP address is necessary to enable your terminal device to access the WebSite. This requires the IP address of the user to be saved for the duration of the session.



We use cookies to optimise the functionality and usability of the WebSite. Cookies are small text files that are stored on your hard drive by your browser and through which the site that sets the cookie (us, in this case) collects certain information. Cookies cannot be used to execute programs or deliver viruses to your terminal device.

You can configure your browser so that you are informed about the use of cookies and allow cookies only on a case-by-case basis, accept cookies in certain cases or generally exclude them, and also automatically delete cookies when you close the browser. If you do not want us to recognise your device again, configure your browser so that it deletes cookies from your terminal device, blocks all cookies or warns you before a cookie is saved. However, you may then not be able to make full use of all of the features of the WebSite.

For our WebSite, we use the following types of cookies (the legal basis for the processing of personal data using cookies is article 6 para. 1 of the GDPR):

Session cookies or functional cookies (for example, to keep open navigation elements and for help texts). Session cookies are deleted automatically when you close your browser. These save a session ID, which enables various requests to be allocated to your browser during the shared session. This enables your device to be recognised when you visit the WebSite again. In addition, further cookies are set by Shopify, Webkul and, as the case may be, the payment providers in the course of the order process. For more information see sections "Shopify Analytics" and “Web-shop” below. The session cookies are automatically deleted when the browser is closed. The remaining cookies are automatically deleted after a specified duration, which can vary in length depending on the cookie. You can delete the cookies set by us via the security settings of your browser at any time.


Data security

We deploy technical and organizational security measures to protect your personal data from being manipulated unintentionally or intentionally, lost, destroyed or accessed by unauthorized persons. Our technical and organizational measures are continuously reviewed and revised in line with the latest state of technology.


Shopify Analytics

Our WebSite uses Shopify Analytics, an analysis service provided by Shopify Inc., 126 York Street, Suite 200, Ottawa, ON, Canada, K1N 5T5; +1-888-329-0139 and its subsidiary Shopify Ireland. The legal basis for the use of Shopify Analytics is Sec. 15 para. 3 TMG or Art. 6 para. 1 lit. f GDPR. The data can be used to create pseudonymised user profiles. For this purpose, the IP address of the user can be recorded and cookies can be set. Cookies are small text files that are stored locally in the cache of your Internet browser. The data collected via Shopify Analytics will not be used to personally identify users of the WebSite. The Shopify cookies remain on your end device until you delete them. Shopify Ireland may also transfer personal data to its parent company Shopify Inc. outside the European Economic Area, namely to Canada and the USA. Shopify's participation in the EU-U.S. Privacy Shield and PIPEDA (Canadian Data Protection Regulations) ensures an appropriate level of data protection. We have also entered into an agreement on commissioned data processing with Shopify pursuant to Art. 28 GDPR. You can prevent the data collection via Shopify Analytics by configuring your browser so that it deletes cookies from your device, blocks all cookies or warns you before a cookie is saved. However, if cookies are deactivated, the functionality of the WebSite may be restricted. For more information, see Shopify's privacy policy at


Social plugins for social networks

Our WebSite includes links to the external social network Facebook, which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”) as well as to Twitter, which is operated by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA (“Twitter”). The links on our WebSite are identified by the Facebook logo or the Twitter logo (no plugins are used). If you follow these links by clicking on them, your browser will establish a direct connection with the servers of Facebook or Twitter. If you follow the links during your visit to our WebSite and are logged in using your personal user account with Facebook or Twitter, the information that you have visited our WebSite will be forwarded to Facebook or Twitter. In this case, Facebook or Twitter can link the visit to the WebSite to your account.

If you do not want social networks to be able to link your visit to our WebSite to your respective user account, you will need to log out of these social networks before you visit our WebSite.

The link to the privacy policy of Facebook is available here:

The link to the privacy policy of Twitter is available here:

If you do not want social networks to collect information about you using social plugins, you can enable the “Block third-party cookies” function in your browser settings. The browser then does not send any cookies to the server in the case of embedded content from other providers. However, under certain circumstances this setting may also disable cross-page functions in addition to the social plugins.



A web-shop is embedded on the website. For the web-shop we use the platform Shopify. The provider of the platform is Shopify Inc., 126 York Street, Suite 200, Ottawa, ON, Canada, K1N 5T5; +1-888-329-0139. If you take part in an online auction via the web-shop, you agree to the storage and processing of your personal data by Shopify. Your personal data will be transferred to the Shopify data centre in the United States and processed for this purpose. The legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. This storage and processing of data is for the purpose of supporting and processing your orders, authentication, payment processing and improving Shopify's services. Further information on Shopify's terms of use and privacy policy can be found at
For the implementation of the online-auction function we use the extension “Product Auction”. The provider of this extension is Webkul Software Pvt Ltd. A session cookie is set by Webkul for the purpose of enabling the online-auction function. However, all data collected via the web-shop is solely processed by Shopify; Webkul has no access to the data.

We do not store or process your payment data ourselves; it is processed and stored via one of the third-party payment service providers (see “Payment processing” below).

Collection and use of personal data 
Personal data is only collected via the web-shop if you voluntarily provide us with it, in particular during the registration process and your participation in an online auction. To take part in an online auction, you must (via Shopify) provide the following personal data:

  • name
  • address
  • email address
  • telephone number

If you choose to use Shopify Pay, Apple Pay or Google Pay for an accelerated checkout, the data stored there will be automatically used for the checkout in our web-shop.

We store this data in the Shopify account and use it exclusively for individual communication with you and to process the sales contract if you purchase one of the records in an online auction. The legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. The data will only be stored until the contract is completely processed. Insofar as storage periods under commercial and tax law exist, the storage period can be up to 10 years.

Transmission of personal data 
Your data collected via the web-shop will only be passed on to third parties if this is necessary for the execution of the contract. Data is passed on in particular in the following cases:

  • Encrypted transmission of payment data to the processing payment service providers (see section “Payment processing” below) for the purpose of debiting the purchase price,
  • Name and address to the shipping company commissioned by us for the delivery of the goods as well as
  • to our tax advisers for the fulfilment of our tax obligations.


Payment processing

Depending on the chosen payment method, payment processing for orders may be effected through the involvement of a payment service provider.

The personal data forwarded to the payment service provider normally consists of the first name, surname, address, telephone number, IP address, e-mail address or other data that is required to process the order as well as data that is connected to the order, such as item number, invoice amount, invoice information etc. This data must be transmitted so your order can be processed using your selected payment method, particularly to confirm your identity and manage your payment. However, please note that the payment service provider may also transmit personal data to service providers, subcontractors or other affiliated companies, insofar as this is required to fulfil the contractual obligations from your order, or if the personal data is supposed to be processed on contract.

The legal basis for payment processing is Article 6 para. 1 lit. b) GDPR. The processing of your personal data is necessary for the fulfilment of the contract with you, whereby you are free to choose the method of payment. The data will be stored by us for as long as it is necessary to fulfil the contract. Furthermore, we store this data for the legally prescribed period for the fulfilment of post-contractual obligations and due to commercial and tax retention periods. In general, this retention period is 10 years from the end of the respective calendar year.

If you select credit card (VISA, Mastercard, American Express) as the mode of payment, you will submit your credit card details together with the order, which however will not be processed by us, but passed on directly to the credit card company. We will (via Shopify) subsequently send a request to the credit card company to initiate the payment transaction. The payment transaction will be carried out automatically by the credit card company and debited to your card. In the process, certain data will be transmitted to the respective credit card company and processed by the same. We shall not transmit any personal data to the credit card company that go beyond that specific payment transaction; for the processing of data by the credit card company in general, please also note the latter’s privacy policy and GTC.

If you pay via PayPal, you will be redirected to the PayPal website via a link. In the course of this form of payment, your personal data will be processed. This data includes your name, your address, your email address, any telephone number and account or credit card information. Please refer to the general terms and conditions, terms of use and data privacy statement of PayPal (Europe) S.à r.l. et Cie, SCA, 22-24 Boulevard Royal, L-2449 Luxembourg on the website

If you pay by Sofortüberweisung (Sofort), you will be redirected to the internet site of Sofortüberweisung, a service of Sofort GmbH, which belongs to Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden. In the course of this form of payment, your personal data will be processed. This data includes your name, your address, your email address, any telephone number and account or credit card information. Please refer to the general terms and conditions, terms of use and data privacy statement of Klarna, which are listed under

When selecting a Klarna payment service, the payment will be processed by Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden (hereinafter referred to as "Klarna"). Klarna offers various payment options (e.g. instalment payments). In order to enable payment to be processed, your personal data (first and last name, street, house number, postcode, town, gender, e-mail address, telephone number and IP address) as well as data in connection with the order (e.g. invoice amount, article, type of delivery etc.) will be passed on to Klarna for the purpose of identity and creditworthiness checks, provided that you have expressly consented to this in accordance with Art. 6 para. 1 lit. a) GDPR as part of the ordering process. You can see here to which credit agencies your data can be forwarded: The creditworthiness information can contain probability values (score values). If score values are included in the result of the credit rating information, they are based on a scientifically recognized mathematical-statistical procedure. Address data, among other things but not exclusively, is included in the calculation of the score values. Klarna uses the information received on the statistical probability of a default in payment for a balanced decision on the establishment, execution or termination of the contractual relationship. Further information can be found in the Klarna privacy policy:


Your rights

To the extent we process any personal data related to you, you are entitled to the following rights:

Right to Information
You have the right to request a confirmation from us whether we process personal data related to you.

If this is the case, you are entitled to request the following information from us:

  1. the purposes of the processing;
  2. the categories of personal data that are processed;
  3. the recipients or categories of recipients to whom the personal data has been disclosed or is still being disclosed;
  4. where possible, the intended period for which the personal data is stored or, if not possible, the criteria for the establishment of this period;
  5. the existence of the right to rectify or delete personal data of the data subject or the right to limit the processing by the controller or a right of objection against this processing;
  6. the existence of a right of appeal to a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source.

Furthermore, you are entitled to a right of access to information about whether your personal data have been sent to a third country or an international organisation. Insofar as this is the case, you also have the right to receive information about the appropriate guarantees in connection to the transfer of the data pursuant to Art. 46 GDPR.

Right to Object 
If and to the extent we rely on our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR when processing your personal data, you have the right to object to the processing of your personal data on grounds relating to your particular situation. In this case we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests or the processing is necessary for the establishment or defence of legal claims.

Right to Rectify 
You have the right to request from us the immediate rectification of any inaccurate personal data as well as the completion of any incomplete personal data relating to you. In this case, we will immediately rectify your personal data.

Right to Limit the Processing 
You have the right to request from us the limitation of the processing of your personal data if one of the following requirements is met:

  1. You have challenged the accuracy of your personal data, for a period that enables us to verify the accuracy of your personal data.
  2. The processing is illegal and you decline the deletion of your personal data and instead request limiting its use.
  3. We no longer require your personal data for the purposes of the processing; you, however, require the data for the assertion, exercise or defence of legal claims, or
  4. You have filed an objection to the processing in accordance with article 21 para. 1 GDPR, and it is still undetermined whether our legitimate reasons as controller outweigh yours as the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the processing of your personal data has been restricted in accordance with the above requirements, we will immediately notify you before the restriction is lifted.

Right to Deletion 
You have the right to request from us that your personal data is promptly deleted provided one of the following reasons pertains and if the processing is not necessary:

  1. Your personal data is no longer necessary for the purposes for which it was recorded or otherwise processed.
  2. In case the processing of the personal data is based on Art. 6 para. 1 lit. a GDPR, you revoke your consent on which the processing is based.
  3. You file an objection against the processing in accordance with article 21 section 1 of the GDPR, and there are no predominant legitimate reasons for the processing, or you file an objection against the processing in accordance with article 21 section 2 of the GDPR.
  4. Your personal data was unlawfully processed.
  5. The deletion of your personal data is necessary for the fulfilment of a legal obligation.


A right to deletion does not exist if the processing is necessary

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by law or for the performance of a task carried out in the public interest or in the exercise;
  3. for the establishment, exercise or defence of legal claims.

Right of appeal to a supervisory authority 
Without prejudice to any other remedy, you have the right of appeal to a competent supervisory authority if you believe that the processing of your personal data violates applicable data protection law.


Withdrawal of consent

To the extent that the processing of personal data is based on your consent in accordance with article 6 paragraph 1 of the GDPR, you may withdraw your consent at any time with effect for the future by sending an e-mail to



You can send all inquiries, explanations and questions relating to the usage of the data to our Privacy Officer via e-mail to

or by regular mail to

Grabarz & Partner Werbeagentur GmbH, 
Schaartor 1, 20459 Hamburg


February 2019