Bidding platforms, albeit with the bidders’ permission, can then share this information with multiple auction houses.
The data is, we are assured, ‘stored securely’.
My question for your legal adviser is this. If any of these supposedly secure databases are hacked and our information compromised, will the auction houses be liable for any losses incurred because of it?
Due to the dissemination of our data, presumably it will only be as secure as the weakest link. All systems are not equal. Some barely in place at all.
I ask this question as a victim of ID fraud some years ago, losing a substantial amount and, therefore, now very wary to whom I give my details.
Richard Lewis, chief operating officer of Auction Technology Group (parent of Antiques Trade Gazette and bidding platforms including thesaleroom.com) replies:
Thank you for your email. To assist auctioneers with anti-money laundering (AML) compliance, thesaleroom.com will be asking bidders who want to spend more than €10,000 (£9000) at a specific auction to upload their photo ID and allow thesaleroom.com to conduct an AML check.
To address the points in the order in which you made them:
1. We at ATG take data security very seriously and follow best practice for online businesses. We are fully GDPR compliant. We proactively monitor all inbound requests to thesaleroom.com and our other marketplaces to ensure that we detect and prevent suspicious or fraudulent behaviour.
2. We regularly commission independent experts who are tasked with attempting to gain unauthorised access to test accounts on our platforms. By doing this, we can be sure that we identify any potential vulnerabilities and address them. To be clear, these experts do not have access to actual bidder data.
3. We do not share a bidder’s personal information with an auctioneer without the bidder’s consent.
4. Our agreements with auctioneers clearly state who is responsible for data security. ATG is responsible for maintaining the security of our systems and auctioneers are responsible for using the data to which they have access in a GDPR compliant manner.
I hope this addresses your concerns. Please contact us directly if you have questions.