Effective May 25, 2018

SCOPE Welcome to the Sotheby’s group of companies (“Sotheby’s” or “we”). From its beginnings in 1744, Sotheby’s has built its business on the trust of its customers, clients and visitors. We endeavor to understand their interests in art and design and, at the same time, protect their privacy. Those values remain essential to us even as we have grown into a global network of offices in approximately 40 countries. Sotheby’s publishes this Privacy Policy to let you know how we will continue to collect, use, and protect personal information about you. It also describes your rights in relation to this information.

This Policy covers information that you give us when you bid on an item, purchase something from us, consign art work or other goods to us, register for or attend any of our live events around the world, visit or register for any of our Sotheby’s branded websites or apps, request a catalog, sign up for any of our print or online publications or newsletters, or publish information on Sotheby’s pages on social media platforms. We will publish a link to the Policy at the bottom of online properties to which it applies and as often as possible, will include its URL, https://www.sothebys.com/en/privacy-policy on paper forms to which it is applicable.

Please note that we may offer you online auction opportunities in two ways: first, you may bid on Sotheby’s own auction platform. Data about you will be collected and used according to this Policy and our Cookie Policy as published on those sites or apps. Second, we may also arrange for other companies’ auction sites to allow you to participate in our auctions/bid for Sotheby’s items from their sites. The other companies may collect data about you and your participation according to their respective privacy policies. Those other companies will transfer data about you to us to fulfill successful bids and we may also use that data in any manner consistent with this Policy. We recommend that you take a moment to ascertain whether you are on another company’s auction site and review the posted privacy policy applicable to that site.

HOW SOTHEBY’S COLLECT INFORMATION ABOUT YOU Personal information is information, or a combination of pieces of information that could reasonably allow you to be identified. We will collect personal information about you from a variety of sources, including information we collect from you directly (e.g. when you contact us), information we collect about you from other sources and information we collect automatically from you, as described below:

Information We Collect Directly From You
The categories of information that we collect directly from you are: personal details (e.g., name, date of birth), contact details (e.g., phone number, email address, postal address), transaction information (e.g., bidding or purchase records, shipping details, information about items you purchase or wish to consign), limited financial information (e.g., tokenized payment information in connection with your purchases, wire instructions) information about your property in our possession or storage, username and password, and identification information.

We rely on the information you provide to us or that we collect or observe about your individual interactions with us, for example, if you attend a live event, participate in one of our auctions, become a client, or register online. If you have registered with us online, we use data collection technologies to collect information that indicates your individual interests in our websites, online platforms and apps, and your response to our emails and marketing campaigns.

Information We Collect From Other Sources
We may add public information about you from external sources, including social media sites. The categories of info we collect about you from other sources are your public profile information, family relationships, and organizational affiliations. We may work to expand our customer base by acquiring names, contact data, financial information, affiliations, and demographic information from other sources such as private companies, public registers, and social media sites. We may also generate information such as appraisals, profiles, and a history of our relationships with you based on the information you have provided or that we have obtained from other sources.

We may make video recordings of our auctions, gallery spaces, and certain live events.

Information We Collect Automatically
We may use common data collection technologies as you visit our websites or apps or interact with our emails:

– Our logs gather date, time, information about your browser and system or device configuration, information about how you interact with our digital properties, and an IP address for all visitors to our sites. We use this information for our internal security purposes, for trend analysis and system administration, and to gather general information about our audiences and their geographic locations.

– Cookies can also read and collect data about your browsers as you visit our websites: please read our Cookie Policy for more detailed information about what cookies are, what kinds are used on our sites, and what choices you have.

– In general, our app will funnel data you provide about yourself, for example, registration, purchase or bidding data, back to our data bases and systems. An app may however, rely on other data collection technologies to recognize the device you use for viewing and personalize your experience. If our app relies on additional data collection technologies that collect or use data about individual users, we will include additional notice either within the app or in a policy that accompanies it.

– We also use and allow certain other companies to use technologies that are similar to cookies (for example pixels and gifs) when we send you emails. This helps support the delivery of Internet-based content and advertisements to you.

Automatic Decision-Making
The way we analyse personal information for advertising and marketing purposes and for client development, risk assessment, or fraud prevention may involve profiling, which means that we may process your personal information using software that is able to evaluate your personal aspects and predict risks or outcomes. For example, we may use the information we collect (e.g., bidding and purchase information, browsing history, and consignment history) to infer your interests. And we may use those inferences to support automated decisions about the content, recommendations, and offers we present to you on our digital properties. We may use automated tools to flag for further review suspicious activities associated with our digital services (e.g., multiple logins from different locations within a short period of time or activities associated with suspicious IP addresses). These automated activities will not, in themselves, have legal or similar effects for you.

Sotheby’s uses data about you for the following purposes:

– To manage and assure the integrity of our auctions.

– To fulfill your orders and purchases, facilitate consignments, provide the services, publications, catalogs, and information you request, and manage your account, enquiries and requests and to manage your relationship with us.

– To send you information about upcoming events and content that you may be interested in.

– To improve and personalize based on your inferred interests our website and services.

– To match online ads to your interests, arrange for Sotheby’s and other companies’ ads to reach you after you have left our sites, and help advertisers show you ads that are more relevant to your interests.

– To expand our online audiences.

– To provide, maintain, and protect our digital offerings.

– To protect against risk of fraud by clients.

– To protect and defend our rights and property, you, or third parties.

– To comply with legal obligations to which we are subject and cooperate with regulators and law enforcement bodies.

– For any other purpose that we tell you about specifically when you register or provide data about yourself to us.

Sotheby’s may disclose or transfer data that identifies you to other companies or entities only as follows:

– To business partners and vendors that work on our behalf to provide services such as item shipments, mailings, customer account and technology support, secure payment processing, fraud prevention, digital marketing management, and data storage.

– To our online auction partners in association with auctions.

– To consigners and others as needed to facilitate a consignment or purchase.

– To organizations we partner with to host events.

– To other companies within the Sotheby’s group of companies (including Sotheby’s Home) for marketing, business development purposes and internal reporting.

– To law enforcement or other entities that present valid legal process or in our discretion, unless otherwise prohibited by law, to protect human safety, our rights, or the rights of others.

– To meet certain legal compliance requirements for example, under AML (anti-money laundering) laws, or customs laws and regulations.

– As part of a sale, merger, liquidation, or transfer of our business assets.

– We disclose information about you to Sotheby’s International Realty, a company not affiliated with Sotheby’s.

– We may transfer information about you to ad technology firms so that they may recognize your devices and deliver interest-based content and advertisements to you. The information may include your name, postal address, email, device ID, or other identifier. The ad technology firm may process the information in hashed or de-identified form. These firms may collect additional information from you, such as your IP address and information about your browser or operating system; may combine information about you with information from other companies in data sharing cooperatives in which we participate; and may place or recognize their own unique cookie on your browser. To opt out of third-party cookies, please refer to your browser settings or follow the instructions in our Cookie Policy .

You have a choice about and control over:

– Receiving marketing messages from us. We may contact you by email, text, or SMS messaging.

– We encourage you to visit Sotheby’s Preference Pages to let us know what information you would like us to send to you and your preferred means of delivery.

– You may also stop email marketing by using the “opt out,” or “unsubscribe” mechanism at the bottom of our email marketing messages. In most cases, we will give you a choice about stopping just one kind of email or opting out of all email marketing from us.

– If you have provided data about yourself to a member of the Sotheby’s group and reside in the European Union (“EU”) you have the legal right to ask us not to process that personal data about you for marketing purposes and to revoke your consent at any time. To make such a request, please contact enquiries@sothebys.com .

– Whether cookies can be set or read on your browser. You can learn more about controlling cookies placed on your device as you visit our sites in our Cookie Policy .

– Whether your account is up to date. You may review and edit the Personal Information that is stored in your user account on our website (e.g., your passwords and other contact information) by visiting the “Profile” area of your account on our website or by contacting Sotheby’s via the email address at the end of this policy. We will endeavor to respond to your request as soon as practicable. Before we are able to provide you with any information, correct any inaccuracies, or delete any information, however, we may ask you to verify your identity and to provide other details to help us to respond to your request.

Sotheby’s is a global company. We receive data collected locally by members of the Sotheby’s group and collect data online directly from individuals in countries around the world. We may process that data on servers globally. We have put recognized protections in place for the transfer of data from members of the Sotheby’s group in the EU to our servers in the United States (“US”).

We protect your information using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorized access, disclosure, and alteration. Please be aware, though, that no security measures are perfect or impenetrable. You remain responsible for protecting your username and password and for the security of information you transmit to us over the Internet.

We will keep your personal information for as long as we have a relationship with you. Once our relationship with you has come to an end, we will retain your personal information for a period of time that enables us to:

– Maintain business records for analysis and/or audit purposes.

– Comply with record retention requirements under the law or other relevant legal or regulatory requirements.

– Defend or bring any existing or potential legal claims.

– Deal with any complaints regarding the services.

– Preserve historical records of transactions and property.

We will delete your personal information when it is no longer required for these purposes.

Our websites are directed to adults, including young adults. They are not directed to children, particularly under those under the age of thirteen. We do not accept them as clients or knowingly collect data about them.

Our websites may contain links to other websites not owned or controlled by Sotheby’s. Those websites may collect information about you. Sotheby’s is not responsible for their practices or content.

For questions about this Privacy Policy please email us at privacycompliance@sothebys.com or contact:

Attn: Global Compliance Department
1334 York Avenue
New York, NY 10021

In order to meet privacy regulations in the European Economic Area (“EEA”) and Switzerland, Sotheby’s provides additional information to its EEA based customers, website visitors, and users of its apps.

Who is responsible for your data?
If you transact in an auction or private sale in a Sotheby’s office in the EEA or Switzerland, then the Sotheby’s entity running the auction will be the data controller for that data. The name and contact details for this entity will be set out in your consignment agreement, private sale agreement, invoice, or Conditions of Business for the auction.

If you visit Sothebys.com, another Sotheby’s website or use a Sotheby’s app, then the data controller will be Sotheby’s, a US entity, and this Policy contains our contact details. Sotheby’s representative in the EU is Sotheby’s London.

What is the legal basis on which Sotheby’s relies to process your data?
On some occasions, Sotheby’s processes your data with your consent (e.g., when you agree that we may place cookies, or if you ask Sotheby’s to send you information about upcoming events).

On other occasions, Sotheby’s processes your data when we need to do this to fulfill a contract with you (e.g., for billing purposes) or where we are required to do this by law (e.g., where we have to fulfill anti-money laundering requirements). If it is mandatory for you to provide data for these purposes, we will make this clear at the time and will also explain what will happen if you do not provide the data (e.g., that we will not be able to process a bid at auction).

Sotheby’s also processes your data when it is our legitimate interests to do this and when these interests are not overridden by your data protection rights. For example, Sotheby’s has a legitimate interest in ensuring the security and integrity of our auctions, in learning about the interests and preferences of our current and prospective clients, in developing new business opportunities, in maintaining accurate business and provenance records, and in ensuring that our websites and apps operate effectively. When we process personal information to meet our legitimate interests, we put in place robust safeguards to ensure that your privacy is protected and to ensure that our legitimate interests are not overridden by your interests or fundamental rights and freedoms.

Data transfers
Sotheby’s may transfer personal data to countries outside the EEA, including to countries which have different data protection standards to those which apply in the EEA. Sotheby’s has put in place European Commission approved standard contractual clauses to protect this data. For more information on the appropriate safeguards in place, please contact us at the details above.

Your rights
You may ask Sotheby’s for a copy of your personal information, to correct it, erase it, restrict our use of it, or to transfer it to other organizations at your request subject to local law. You also have rights to object to some processing and, where we have asked for your consent to process your data, to withdraw this consent. In particular, you have rights to object to direct marketing at any time. Where we process your data because we have a legitimate interest in doing so (as explained above), you also have a right to object to this. These rights may be limited in some situations – for example, where we can demonstrate that we have a legal requirement to process your data.

If you would like to discuss or exercise such rights, please contact us at the details above. We encourage you to contact us to update or correct your information if it changes or if the personal information we hold about you is inaccurate. We will contact you if we need additional information from you in order to honor your requests.

We hope that we can satisfy queries you may have about the way we process your data. We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. However, if you have unresolved concerns and believe that we have not been able to assist with your complaint or concern, you also have the right to complain to data protection authorities.

Changes to this Policy
You may request a copy of this Policy from us using the contact details set out above. We may modify or update this Policy from time to time.

If we change this Policy, we will notify you of the changes by updating this Policy on our website. Where changes to this Policy notice will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will give you sufficient advance notice so that you have the opportunity to exercise your rights (e.g., to object to the processing if you are located in the EEA or Switzerland).