Privacy Policy

Introduction

This Privacy Policy explains how Liste Art Fair Basel (“we”, “us”, or “our”) collects, uses, and protects personal data. We process personal data in accordance with the Swiss Federal Data Protection Act (DSG) and, where applicable, the EU General Data Protection Regulation (GDPR). This policy applies to all individuals who interact with us, including visitors to our website, exhibitors, partners, and patrons of the art fair. Please note that this general policy may be supplemented by additional privacy notices or terms for specific services or events.

Who We Are and How to Contact Us

The data controller responsible for your personal data is Stiftung Liste Basel (Liste Art Fair Basel), located at Mühlenberg 12, 4052 Basel, Switzerland. If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at data@liste.ch. You can also send correspondence to the postal address above or reach us by phone at +41 61 692 20 21 (please ask for the person responsible for data protection).

Personal Data We Collect

We collect personal data that you provide to us, that is collected automatically through your use of our website, or that we obtain from third-party sources, as permitted by law. This includes:

Data You Provide: When you interact with us (for example, by applying as an exhibitor, purchasing a ticket, signing up for our newsletter, or contacting us via email/phone), you may provide personal data. This may include your name, contact details (such as email address, postal address, phone number), company or affiliation, job title, and any other information you choose to share. If you provide the personal data of others (e.g. colleagues or guests), please ensure you have their permission and direct them to this Privacy Policy.

Data Collected Automatically: When you visit our website, our systems automatically record certain information about your device and usage. This may include your IP address, date and time of access, pages or content viewed, browser type and version, device type, and operating system. We also use cookies and similar tracking technologies (explained in detail below) that collect information about your interactions with our site (such as which pages you visit and how you navigate our content). This data helps us understand how our website is used, enables certain website features, and assists us in improving performance and security.

Data from Third Parties: We may receive personal data from third-party sources and public platforms. For example, if you engage with us on social media platforms (such as Instagram or Facebook), we might receive your public profile information via those services. We might also obtain updated contact information from partners, sponsors, or public directories, or receive data from event co-organisers. We only collect such data if those third parties are legally permitted to share it with us, and we will treat any such information in accordance with this policy and applicable laws.

Purposes and Legal Bases for Processing

We only process your personal data for the purposes described below. For each of these purposes, we ensure that there is a valid legal basis under the DSG and/or GDPR:

Providing Our Services and Organising the Fair: We use personal data to plan and operate Liste Art Fair Basel and related events, to review and process exhibitor applications, to manage ticket sales and visitor registrations, and to communicate with you about event logistics. We also use data to provide any services or information you request from us. The legal basis for these activities is the performance of a contract or steps taken at your request prior to entering a contract. If you are acting on behalf of a business or organisation (e.g. as an employee of an exhibitor or partner), our legitimate interests in effectively organising the fair and managing our business may also be a basis for processing your data in that context.

Communication and Responding to Inquiries: If you contact us with questions, requests, or feedback, we will use your contact information and any details you provide to respond to you. This is in our legitimate interest (to communicate with you and address your inquiries) and, in some cases, may be necessary in order to take measures at your request prior to entering a contract or to fulfil a contract with you.

Informing You About Our Activities: With your consent, we use your email address and other contact details to send you our newsletter and other marketing communications about Liste Art Fair Basel, including information about upcoming fairs, participating galleries and artists, or related events. We may also send invitations or updates to individuals who have an existing relationship with us (for example, past exhibitors, visitors, or friends of the fair), where permitted by law. You can unsubscribe from our newsletter and/or marketing emails at any time by using the unsubscribe link in the email or by contacting us. The legal basis for these communications is your consent or, in certain cases, our legitimate interest in promoting our events (in compliance with applicable ePrivacy and anti-spam laws). Where consent is required, we will only send you marketing communications if you have opted in to receiving them.

Operation of Our Website and Improvements: We analyse how visitors use our website in order to troubleshoot issues, maintain security, and improve the site’s design, content, and user experience. For instance, we may process data about your website visits to compile anonymous analytics (e.g. to see which pages are most popular) or to detect technical problems (such as broken links or errors). When we use analytics tools (as described in the Cookies and Tracking Technologies section), we do so only with your consent for these non-essential cookies. In other cases, these processing activities are based on our legitimate interest in understanding and improving our services and ensuring the security of our website and IT systems.

Compliance with Legal Obligations: We process personal data as needed to comply with our legal obligations under Swiss law and other applicable regulations. This includes keeping records required by law (for example, for tax, auditing, or accounting purposes), verifying identity where required in financial transactions, responding to lawful requests by public authorities, or other legal compliance measures. In such cases, the legal basis for processing is compliance with a legal obligation to which we are subject.

Protection of Rights and Prevention of Misuse: We may process personal data to protect our rights, property, and safety, as well as the rights, property, and safety of our participants, visitors, partners, or the public. For example, we might use data to prevent fraud, investigate suspicious activities (such as violations of our terms of use), improve the security of our website, or enforce our contracts and legal claims. This processing is based on our legitimate interests in safeguarding our operations, enforcing our rights, and preventing misuse of our services, and in some cases may be necessary for the establishment, exercise, or defence of legal claims.

If we ask for your consent to process personal data for a specific purpose not covered by another legal basis, we will only use your data for that purpose. You have the right to withdraw your consent at any time (see the Your Rights section below), and we will stop further processing of your data for this purpose. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Where we rely on legitimate interests as a basis, we make sure to consider and weigh up any potential impact on you (both positive and negative) and your rights under data protection laws. We will not process your personal data on the basis of our interests if we determine that your interests or rights outweigh ours (unless we have another lawful basis for processing your data, such as your consent or a legal obligation).

Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your experience and collect information about how you use our site. We follow an opt-in approach for any cookies that are not strictly necessary, meaning we will ask for your permission before storing these cookies on your device.

Cookie Consent and Control

When you first visit our website, you will see a cookie banner asking you to choose your preferences for cookies. You can opt to accept or reject cookies. Your choice will be remembered on subsequent visits. However, you can change your preferences at any time by accessing the cookie settings on our site (for example, via a “Cookie Settings” link) or by clearing your browser’s cookies to reset the consent options. In addition to using our site’s tools, you can manage cookies through your web browser settings: most browsers allow you to block or delete cookies, or to be notified before a cookie is set. Please be aware that disabling certain cookies may affect the functionality of our website; for instance, some preferences might not be saved if cookies are blocked.

Tracking in Newsletters and Emails

If you have opted in to receive our newsletter or other marketing emails, we may use tracking technologies within these communications to measure engagement. These can include small image files (tracking pixels) or specialised links that let us know if you opened an email or clicked on a particular link. We use this information to understand which content is most interesting to our audience and to improve our offerings. You can prevent this kind of email tracking by adjusting your email settings to block external images or by simply not clicking on tracked links. Of course, you can also unsubscribe from our emails at any time if you prefer not to receive them or be subject to this type of tracking. We do not use such tracking in emails unless you are subscribed to our communications.

Social Media Plug-Ins

Our website includes plug-ins from social media platforms like Facebook, Instagram, and YouTube (for example, “Like” or “Share” buttons, or embedded media players). For your privacy, these plug-ins remain inactive until you click on them. If you choose to activate a social media plug-in, your browser will connect directly to the servers of the respective platform. This means that the platform (e.g. Facebook or Google/YouTube) will receive certain data such as your IP address, the page and time of your visit, and possibly cookie information. If you are logged into that social media platform, it might associate your visit to our site with your social media account. We do not control how these third parties handle the data they collect via plug-ins; any such interaction is governed by the privacy policy of the respective social media platform. If you do not want these platforms to collect data about you via our site, please do not click on social media plug-in icons or embedded content.

Sharing of Personal Data with Third Parties

We treat your personal data as confidential and do not sell it to anyone. However, we may share your data with selected third parties when it is necessary for the purposes described in this policy, when we have a legal obligation to do so, or when we have another legitimate interest in doing so. In all cases, we only share the minimum information required and ensure appropriate safeguards are in place. The types of third-party recipients of your data may include:

Service Providers (Processors): We share data with trusted third-party companies that perform services on our behalf and under our instructions. For example, this includes providers of services such as website hosting, cloud storage, email distribution (for newsletters), payment processing, customer relationship management, analytics, and IT support. These service providers are contractually obligated to protect your data (through Data Processing Agreements) and are not allowed to use your personal data for any purpose other than providing the services we have requested.

Exhibitors and Event Partners: In the context of organising our art fair and events, we may share relevant information with exhibitors, co-organisers, sponsors, or other partners. For example, if you sign up for a special event or VIP programme co-hosted with a partner, we might share your registration details with that partner (with your consent, where required). Similarly, if you are an exhibitor or artist, we may include your name and affiliation in fair-related materials or on our website. We will inform you about such disclosures when you provide your data, and we will ask for your consent when required by law.

Affiliated Organisations: Liste Art Fair Basel is operated by Stiftung Liste Basel. We may share data within our organisation and with closely affiliated entities (such as related foundations or committees that help run the fair) on a need-to-know basis. Any internal sharing of data is carried out in accordance with this Privacy Policy and for the same purposes outlined here.

The Media and the Public: We may share or publish certain information for publicity and informational purposes. For instance, we might publish the names of participating galleries, artists, or award recipients on our website, social media accounts, or in press releases. We might also share photos or videos taken at our events, which could incidentally include images of visitors or participants. We take care to do this in a manner that is respectful of individuals’ privacy (for example, we avoid or seek permission for close-up images of individuals unless it is in a public context or a newsworthy event). If you do not want to be featured in our event photographs or publicity materials, please inform us and we will make reasonable efforts to accommodate your request.

Authorities and Legal Compliance: If we are required by law or legal process to disclose your personal data, we will comply with such obligations. This may involve sharing data with courts, regulatory authorities, law enforcement agencies, or other government bodies. For example, we might need to disclose information to comply with tax reporting requirements or to respond to a lawful subpoena or court order. We will only disclose what is necessary and will inform you of such requests when we are legally permitted to do so.

Business Transfers: In the unlikely event that our organisation undergoes a significant business transaction such as a merger, acquisition, reorganisation, or transfer of assets, personal data may be transferred to the parties involved in the transaction. We would only do this under appropriate confidentiality agreements and we would also ensure that your data remains protected. If such a change in ownership or control occurs, we will notify you and inform you of any choices you may have regarding your personal data.

Whenever we share your data with third parties, we require that they handle the data securely and lawfully. If a third party needs to use your personal data for their own purposes (not as our service provider and outside of our instructions), we will only allow this with your prior consent, unless the law permits or requires us to make that disclosure (as in the case of authorities).

International Data Transfers

Switzerland is our home base and is recognised as providing an adequate level of data protection. We may also work with partners or service providers in the European Union, which means your data may be transferred to or accessed from EU countries (the GDPR applies to these data flows). However, some of our service providers or other recipients of personal data may be located in countries outside of Switzerland or the EU/EEA. For example, if we use a cloud service or an analytics provider based in the United States, or if we collaborate with an international partner, your data might be transferred to or accessed from that country.

When we transfer personal data to a country that does not have laws deemed adequate by Swiss or EU standards, we take steps to ensure your data is protected. These safeguards include:

Standard Contractual Clauses (SCCs): We enter into contracts based on the European Commission’s approved Standard Contractual Clauses with the party receiving the data. SCCs impose strict data protection obligations on the recipient and provide legal remedies for data subjects to ensure your rights remain protected along with your data.

Additional Safeguards: Along with SCCs or other transfer mechanisms, we implement additional technical and organisational measures as needed. This can include encryption of data in transit and at rest, pseudonymisation of data (so that individuals are not readily identifiable), and limiting further transfer of the data. These measures help protect your information from unauthorised access or misuse, even when it is stored or processed in another country.

Derogations (Exceptions): In some cases, we may rely on specific exceptions allowed by law for international transfers. For example, if you explicitly consent to the transfer after being informed of the possible risks, we are permitted to transfer your data. Other exceptions include situations where the transfer is necessary for the performance of a contract with you (or for pre-contractual measures at your request), for the conclusion or performance of a contract in your interest, for the establishment, exercise, or defence of legal claims, or if the transfer is required for important reasons of public interest. We will only rely on these exceptions in compliance with Article 49 of the GDPR (and the relevant provisions of the DSG), and typically only if other safeguards are not available or feasible.

Data Retention

We keep your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law or legitimate business needs. Retention periods vary depending on the type of data and the context in which it was collected. Below are some general categories of data and our retention practices for each:

Newsletter and Marketing Subscription Data: If you have subscribed to our newsletter or given consent to receive marketing communications, we will retain your contact information and preferences until you unsubscribe or withdraw your consent. Once you opt out, we will remove you from our active mailing list promptly. We may, however, keep a record of your email address (and the fact that you have opted out) to ensure we respect your opt-out in the future. This suppression record is kept as long as necessary to comply with our legal obligations (for example, to prove when and how we obtained your consent) or to prevent accidentally resubscribing you without consent.

Event Participation and Contractual Data: If you participate in our art fair or other events (for example, as an exhibitor, artist, VIP guest, or partner), or if you enter into a contract with us, we will retain the personal data related to that engagement for the duration of our relationship and for a period thereafter. Typically, we keep contract-related data for up to 10 years after the end of the contract or event, in line with Swiss statutory retention periods for business records (for example, for tax and accounting documentation). We may retain data beyond this period if necessary, for instance if legal claims are made in connection with the contract or event, or if we have another legitimate reason to retain certain records (but we will either delete or anonymise data when it is no longer needed for any legal or business purposes).

Visitor Inquiries and Correspondence: If you contact us with an inquiry, support request, or other correspondence (and you are not otherwise in a contract with us), we will retain these communications and our responses for as long as needed to address your inquiry and for a reasonable period thereafter. Generally, routine inquiries are kept for up to 12 months for reference purposes (in case you contact us again or in order to improve our services based on feedback). If your correspondence relates to a contractual matter or legal issue, we may retain it for longer as part of these records.

Website Usage Data: We retain web server logs, which may include visitors’ IP addresses and browsing timestamps, for a short duration – typically no more than 12 months – for security monitoring, debugging, and analysis purposes. Analytics data collected via cookies is retained according to the settings of our analytics provider; for example, Google Analytics data might be retained for 12 months or another duration specified by us, and we review these settings to ensure they are appropriate. Any data collected via cookies will also adhere to the expiration of those cookies (many cookies expire after a set time or when you clear your browser). We aggregate or anonymise usage data wherever feasible, and may retain aggregated data (which no longer identifies individuals) for longer periods to study trends over time.

Legal Compliance and Disputes: In certain cases, we may need to retain data for longer periods if required by law or if we need the data to establish, exercise, or defend legal claims. For example, if we are involved in a dispute or if an incident occurs at one of our events, we will retain relevant information until the matter is resolved and no further claims are expected. Also, some information may be kept to comply with specific legal requirements beyond the standard retention periods (such as records of any opt-in/opt-out requests or consents, which we might need to keep for as long as those consents are relevant, typically up to 5 years or more in some jurisdictions).

Once the applicable retention period for a set of personal data expires, or if we determine that we no longer need the data, we will either securely delete the personal data or anonymise it (so that it can no longer be associated with you). For example, we might remove identifying details from a dataset so that it can be used for statistical analysis without referencing any specific individual. Please note that in some cases we may anonymise data (instead of deleting it) for specific legitimate purposes – for example, to keep historical statistics about fair attendance – but in such cases, the anonymised data will not identify you personally.

Data Security

We take the security of your personal data very seriously. We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration, or disclosure. These measures are designed with consideration for the sensitivity of the personal data and the level of risk associated with processing your data. Examples of our data security measures include:

Encryption: We use encryption technology to protect sensitive personal data during transmission (e.g. data you enter on our website is sent over HTTPS) and in our databases and storage, where feasible. Encryption helps ensure that even if data is intercepted or accessed without authorisation, it remains unreadable and secure.

Access Controls: We limit access to personal data to those staff and service providers who need it to perform their duties. Our internal policies prevent unauthorised access – for example, by using role-based access controls, strong authentication methods (like robust passwords and two-factor authentication), and regularly reviewing user permissions. All employees and contractors with access to personal data are bound by confidentiality obligations.

Physical and IT Security: We protect our physical offices and IT systems against intrusion. This includes using secure facilities, alarm systems, and other controls to prevent unauthorised physical access to computers or files. We also maintain up-to-date security software, firewalls, and intrusion detection systems to guard against cyber threats. Regular backups are performed to prevent data loss, and we apply security patches and updates to our software in a timely manner.

Training and Policies: We ensure that our team is trained in the best practices for data protection. We have internal policies and conduct regular training sessions so that everyone handling personal data understands how to keep it safe and respect privacy. We also have procedures in place to respond to data security incidents, should they occur.

Vendor Due Diligence: When we engage third-party service providers who may handle personal data on our behalf, we vet them to ensure they have strong security practices. We also include data protection and security requirements in our contracts with them to make sure they maintain a high standard of security.

While we strive to protect your personal data with these measures, it is important to note that no method of transmission over the internet or method of electronic storage is 100 per cent secure. We continuously monitor our systems for potential vulnerabilities and attacks to mitigate risks. In the unlikely event of a data breach that poses a high risk to your rights and freedoms, we will notify you and the relevant authorities as required by law. If you have reason to believe that your interaction with us is no longer secure (for example, if you suspect that your data may have been compromised), please contact us immediately so we can investigate and resolve the issue.

Your Rights

You have certain rights regarding your personal data under applicable data protection laws. These rights allow you to understand and control how your personal data is being used. Your rights include:

Right to Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to receive a copy of that data along with information about how we use it. This allows you to know what personal data we have about you. Upon request, we will provide you with a copy of the personal data we hold about you in our records, as well as an explanation of the purposes for which we use your data and with whom it has been shared, in accordance with legal requirements.

Right to Rectification: If you believe that any personal data we have about you is incorrect or incomplete, you have the right to request that we correct or update it. We encourage you to contact us to keep your information accurate. For example, if you change your email address or notice that we misspelled your name, you can ask us to fix it, and we will do so.

Right to Erasure: This is also known as the “right to be forgotten”. You may ask us to delete or remove your personal data if it is no longer necessary for the purposes for which it was collected or if you have withdrawn your consent (where the processing was based on consent) or successfully exercised your right to object (see below). We will honour valid deletion requests, but please note that we may need to retain certain information when required by law or if we have other valid reasons – for example, we might retain data to comply with a legal obligation or to establish or defend legal claims, despite your request for erasure.

Right to Restrict Processing: You have the right to request that we limit the processing of your personal data in certain circumstances. This means we would store your data but temporarily stop any other processing. You might exercise this right if, for instance, you contest the accuracy of the data (allowing us time to verify or correct it), or if you object to our processing (while we assess whether our legitimate grounds override yours). You can also request restriction if you need us to preserve your data for a legal claim after we would normally delete it, or if our processing is unlawful and you prefer restriction over deletion.

Right to Data Portability: Under the Swiss DSG (and similarly under the principles of the GDPR where applicable), you have the right to receive certain personal data you have provided to us in a structured, commonly used, and machine-readable format, and to have that data transmitted to another controller where technically feasible. This right applies when your personal data is processed by us with your consent or for the performance of a contract, and the processing is carried out by automated means. For example, if you have provided us with certain information and wish to reuse it for services with another organisation, data portability facilitates that.

Right to Object: You have the right to object to our processing of your personal data when such processing is based on our legitimate interests or on the grounds of public interest. If you file an objection, we will consider your request and will no longer process the data in question unless we have compelling legitimate grounds to continue that override your interests, rights, and freedoms, or it is needed for legal claims. Importantly, you have an unconditional right to object to your data being used for direct marketing purposes. If you object to marketing, we will stop using your data for that purpose immediately.

Right to Withdraw Consent: If we are processing any of your personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to the withdrawal of consent, and it will not affect processing of your personal data conducted under other legal bases. If you withdraw consent for a specific purpose (for example, for marketing emails or for certain cookies), we will stop processing your data for that purpose. There is no penalty or negative consequence for withdrawing consent – it is your right to do so.

Right to Lodge a Complaint: If you believe that we have not complied with applicable data protection laws, you have the right to lodge a complaint with a supervisory authority. In Switzerland, you can contact the Federal Data Protection and Information Commissioner (FDPIC). If you are in the European Union or the GDPR otherwise applies to your data, you may contact the data protection authority in the country where you reside or work, or where you believe the infringement may have occurred. We would, however, appreciate the chance to address your concerns directly before you do this, so we invite you to contact us with any complaint and we will do our best to resolve it.

To exercise any of your rights, please contact us at data@liste.ch. We may need to verify your identity before fulfilling your request, to ensure that we do not disclose your data to someone else. For example, we might ask you to provide certain information to confirm that the request is coming from you (such as sending the request from the email address associated with your data, or providing identification). We will respond to your request as soon as possible and within the timeframes set by law (generally within 30 days under GDPR, with the possibility to extend that period if necessary, in which case we will inform you of the reason for the delay).

Please note that these rights are not absolute. Certain legal exceptions may apply. For instance, if you request deletion, we may retain data that we are required by law to keep (such as transaction records), or if you request access, we may not be able to disclose information that would violate the rights of others. If we refuse any part of your request, we will explain the reasons for our refusal. Also, please note that in some cases (especially in the event of repetitive or excessive requests) we are permitted to charge a reasonable fee or even refuse to act on the request, but we would inform you beforehand if that were the case.

Changes to this Privacy Policy

We may update or modify this Privacy Policy from time to time to reflect changes in our data practices or to address new legal requirements. If we make changes, we will post the updated policy on our website and update the “Last updated” date at the top. For significant changes, we will take additional steps to notify you: for example, we might display a prominent notice on our website or notify you via email (if you have provided your email to us) that our Privacy Policy has been updated.

Any changes to the Privacy Policy will become effective when the updated version is posted on our website, unless stated otherwise. If we make a material change that affects how we handle personal data that we collected from you under an earlier version of the policy, we will, if required by law, obtain your consent for the new practices or give you the opportunity to opt out. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data.

Contact Us

If you have any questions, comments, or concerns about this Privacy Policy or about how we handle your personal data, please do not hesitate to contact us:

Stiftung Liste Basel (Liste Art Fair Basel)
Kaufhausgasse 5
4051 Basel

Postal address: Mühlenberg 12, 4052 Basel, Switzerland

Email: data@liste.ch

Phone: +41 61 692 20 21

 

Last updated in March 2025

Terms of Use

Liability
We take great care to ensure that the information published on our website is correct. However, we cannot guarantee the correctness, accuracy, timeliness, reliability or completeness of this information.
We have the right to change, delete or temporarily not publish content on the website in whole or in part at any time without notice. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected.

References and links 
References and links to third-party websites are outside the scope of responsibility of Stiftung Liste Basel. Access to and use of such websites is at the user's own risk. Stiftung Liste Basel expressly declares that it has no influence whatsoever on the design, content and offers of the linked websites. Information and services of linked websites are entirely the responsibility of the respective third party. Any responsibility for such websites is declined.

Copyright 
The information contained on the websites of Stiftung Liste Basel is made available to the public. Downloading or copying content, images, photos or other files does not transfer any rights with regard to the content. The copyright and all other rights to the content, images, photos or other files on the websites of Stiftung Liste Basel belong exclusively to it or to the specifically named rights holders. The written consent of the copyright holders must be obtained in advance for the reproduction of any elements found on the websites.

Any dispute or claim arising out of or in connection with the use of these websites shall be governed by Swiss law and shall be resolved exclusively by the courts located in Basel-Stadt, Switzerland.

Version from May 2024
 
