GDPR Guide for Galleries

The General Data Protection Regulation (GDPR) (EU) came into effect on 25.05.2018. However, there is still uncertainty in many areas regarding what is permitted or prohibited when handling personal data, and which specific measures must be implemented. This also affects the art market. Our GDPR Guide for Galleries will help you to understand which measures to consider and implement.


The content of this article is not legal advice. We expressly note that this list does not purport to be complete. Having prepared all information with the utmost accuracy, we do not, however, be held responsible regarding its accuracy, relevance, actuality, reliability, and completeness, and for any legal consequences deriving from its implementation.



1 Does the GDP affect me?

2 May I process personal data?

3 Records of processing activities: what must I state?

4 Record of processing activities and ARTBUTLER

5 Order processing agreement – what is it and why do I need it?

6 What happens if someone asks for information about their data?

7 Data protection on your website – what you need to do

7a Step 1: Privacy statement

7b Step 2: Legal notice

7c Step 3: Newsletter

8 GDPR Checklist


Does the GDPR affect me? / © StunningArt


Yes, you are! All entrepreneurs, gallerists, or website operators in the EU or with business dealings in the EU collecting personal data are affected by the Data Protection Regulation.

Personal data means any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR). This can refer to you clients who wish to inform themselves of you artists’ newest works, or to your website visitors who enter their email address to sign up to your newsletter.

You’re always processing personal data when you dispatch newsletters to your contacts, keep a client file (like in ARTBUTLER), or analyse user behaviour on your website with Google Analytics.

May I process personal data?

This is where it gets complicated. The GDPR states that processing personal data is only allowed when at least one of the following applies:

  • processing is necessary for the performance of a contract (e.g. deliver sold art works)
  • you have consent for processing (e.g. dispatching newsletters)
  • tbc

Records of processing activities: what must I state?

According to Art. 30 GDPR you’ll need to record processing activities. This will give you an overview of all processes and activities when handling personal data. Put simply: when do you and your team handle personal data? The record is intended for internal usage and must be made available to the relevant data protection authority upon request.

The following information must be included in your record:

  • Name and contact data of the person in charge (either the manager or a data protection officer*)
  • Processing purpose – state the reason
  • Concerned parties (e.g. clients, employees, suppliers, etc.)
  • Concerned parties’ data (name, address, phone number, etc.)
  • Who has access to this data (internal and external access, also third countries!)
  • How is transfer to third parties safeguarded?
  • When will data be deleted (deletion periods)?
  • Specification of technical means to secure data

Creating this record is the most time consuming measure when complying to the GDPR. Once you have drafted the record, you can base all other tasks on it and work faster. There are a number of templates you can use to create your record.

* Find out when you’ll need to appoint a data protection officer in this article.

Record of processing activities and ARTBUTLER

If you use ARTBUTLER CLASSIC, the following information will be important for your record:

  • Who has access to data?

In ARTBUTLER CLASSIC you can assign user roles that limit access to certain areas. This allows you to give access to sensitive data, for example invoices, to individual team members and not to others. You can indicate this information in your record.

Only you and your team have access to your data stored in ARTBUTLER CLASSIC, as this is stored on your local server and not in a cloud. This ensures that the data you store in ARTBUTLER CLASSIC is GDPR-compliant!

We also offer our customers the online works archive and what is known as ARTBUTLER database hosting, which gives you access to your database irrespective of your location. In order to be able to provide this service, we need to store your data on our secure servers. Without your express permission and instruction, we have no access to this data. We further secure our service for you by way of an order processing agreement.

Order processing agreement – what is it and why do I need it? / © edar von CCO

If, for certain tasks, you require assistance from external service providers who will process your customers’ data on your behalf, they will most likely be considered an order processor. In such cases, as the data controller, you will specify the purpose and means of processing the data and your service provider will have no decision-making power over this data.

Classic examples of data processors include:

  • Advertising agencies
  • External newsletter providers (e.g. Mailchimp, Rapidmail, Newsletter2Go, etc.)
  • Web hosting services (the technical provider of your website)
  • Cloud systems for HR and customer administration
  • Shredding, destruction of data media

With these service providers you should conclude a contract which stipulates the purpose and means of processing the data. If you have already created your record of procedures, you will be able to quickly identify the people with whom you need to conclude this kind of contract. You can use this record to check when a service provider is not an order processor.

The GDPR also contains a new provision for order processors in third countries, i.e. nations outside of the EU. According to Art. 44 GDPR, transferring data to these countries is not without restrictions and must comply with special requirements.

What happens if someone asks for information about their data?

One of the major extensions which the GDPR brought into force is the right of the data subject to be informed (Art. 15 GDPR). This means that your customers have the right to be informed about the data you have stored about them and the right to additional information about processing of their data.

If you receive such a request you must provide this information within one month. We therefore recommend that you take appropriate steps to be able to provide this information rapidly.

For our ARTBUTLER CLASSIC customers, an exportable template is available in the Support area which allows you to be able to export as a written reply all the information you have stored in ARTBUTLER about a contact. Data that you store outside of ARTBUTLER just needs to be added to this document, allowing you to respond rapidly to requests for

Data protection on your website – what you need to do / © Stokkete


Step 1: Privacy statement

Your gallery website is one of the first points of contact for potential customers and collectors. At the same time, however, your website is also an easily accessible source for formal warnings. This is why, as a first step, you should update the privacy statement and notes on data processing on your website. The most important additions should be information on the rights of the data subject:

  • the right to be informed, to erasure, blocking, data portability and the general right to object

Information regarding processes of data collection and processing, i.e. where on your website data is collected, also belong in your privacy statement. This may take the shape of a contact form or newsletter subscription. The use of cookies and the analysis of user behaviour on your website (e.g. with Google Analytics or Matomo/Piwik) must also be specified. You can have your privacy statement prepared by your lawyer or use a data privacy generator to generate one.

Step 2: Legal notice

Another frequent reason for formal warnings is the lack of a legal notice on your website. If you do not have a legal notice, now is the time to create one. Both the legal notice and privacy statement need to be accessible from every page of your website. We therefore recommend, as far as possible, to link to both pages in the footer.

On our ARTBUTLER Websites these two pages are already provided for you. You just need to enter your information!

Step 3: Newsletter / ©

The GDPR has set higher standards with respect to sending a newsletter in a legally-compliant manner. If you want to send a newsletter to your contacts, and use and store email addresses and other applicable personal data such as someone’s name for this purpose, you require prior consent from your potential newsletter recipients (Art. 6 GDPR). As well as mentioning sending the newsletter in your privacy statement, Art. 13 GDPR specifies that you must also inform your website visitors prior to their newsletter subscription about how you plan to process their data (email address, name, etc.). The easiest way to achieve this is to include a checkbox on your newsletter subscription form, which allows you to request confirmation of approval of the nature of the data processing from the data subject. This checkbox must not be pre-selected!

Your recipients must therefore give their express consent prior to receiving a newsletter!

Consequently, all newsletter providers offer a so-called double opt-in whereby an email with a confirmation link is sent to your recipients after they have subscribed. Only when they have clicked on this link to confirm their subscription is their consent GDPR-compliant. Consents are stored in your mailing list with date and timestamp and in the newsletter program (privacy by design) only. It must be possible for documented consents to be presented on request, e.g. to the recipient themselves or to the relevant supervisory authority.

Under Art. 7 Para. 3 GDPR, your contacts must always have the option of subscribing from the newsletter (right to withdraw). This works best by including an unsubscribe link in the newsletter itself.

The good news is: You may continue to send newsletters to your existing customers without prior consent. Consents already given, provided they are documented, do not lose their validity. Simply note that “not responding to an email” is in no way valid proof of consent. If you are unsure whether you have documented all consents correctly, it may be useful to seek consent again through your newsletter mailout.

To summarise below, we have compiled the most important points in a checklist for you:

  • Create a record of processing activities
  • Conclude order processing contracts
  • Establish processes for processing requests for information
  • Website: Create privacy statement and legal notice
  • Newsletter subscription: Obtain consents & check old consents/collect again as necessary

Implementing all of the provisions of the GDPR takes time and the numerous specifications can appear overwhelming at first glance. We hope our GDPR guide helps you out a little and takes the fear out of it for you.

Here at ARTBUTLER we take the issue of data privacy very seriously and our customers too are aware that the security of their data is our utmost priority. This is why all of our products can be used without hesitation and in compliance with the GDPR:

  • Log consents
  • Information management
  • Processing requests for erasure
  • ARTBUTLER CLASSIC: complete control of your data with no disclosure to third parties
  • GDPR-compliant newsletter integration for Websites
  • Safe handling of your data with ARTBUTLER Hosting, CLOUD and Websites

Still have questions about data privacy and ARTBUTLER? We’d be happy to answer your questions. Simply send us an email or give us a call!