Article 1
Data Controller
For the purposes of the GDPR, the data controller is
Société Millon, operating under the trade name
Millon & Associés.
- Controller
- Société Millon · RCS Paris 442 936 092
- Registered office
- 19 rue de la Grange-Batelière
75009 Paris · France
- Data Protection contact
- dpo@millon.com
Article 2
Data Collected
We only collect data that is necessary for the services we provide.
Depending on your interactions with us, the categories of data
processed may include:
- Identification data — first name, last name, title, date of birth where required by anti-money-laundering law.
- Contact data — postal address, email address, telephone number.
- Transactional data — bidder number, lots consigned or purchased, hammer prices, payment references.
- Compliance data — copy of identification document, proof of address, beneficial-owner information.
- Browsing data — IP address, device type, browser, pages viewed, technical logs (see our Cookie Policy).
Sensitive categories of data within the meaning of Article 9 GDPR are
never collected through this website.
Article 3
Purposes & Legal Basis
Personal data is processed only for the following purposes, each
supported by a specific legal basis under Article 6 GDPR:
- Managing appraisals, consignments and sales — performance of a contract or pre-contractual measures.
- Identity verification & anti-money-laundering checks — compliance with French and European legal obligations applicable to auction operators.
- Accounting, invoicing and tax obligations — legal obligation.
- Sending the newsletter and sale alerts — consent, freely given when subscribing and revocable at any time.
- Improving our services and securing the website — legitimate interest of Société Millon, balanced against your rights.
- Responding to your requests — legitimate interest in providing a courteous and timely reply.
Article 4
Recipients of Your Data
Personal data is only shared with parties who need it to deliver our
services or to comply with the law:
- Authorised employees and experts of the Millon Auction Group;
- Our group entities (Millon, PB&A, Vanderkindere, De Vuyst, Il Ponte, Millon Riviera, Millon Vietnam) where a sale or consignment involves them;
- Carefully selected processors (hosting, payment, shipping, accounting, IT maintenance) bound by written processing agreements;
- Public authorities and courts when required by a legal obligation or by a duly notified judicial request.
We never sell personal data to third parties.
Article 5
Retention Periods
- Client & bidder records
- 10 years after the last sale, in line with French commercial-code obligations.
- AML / KYC documents
- 5 years after the end of the business relationship (Article L.561-12 of the French Monetary and Financial Code).
- Accounting records
- 10 years (Article L.123-22 of the French Commercial Code).
- Newsletter subscribers
- 3 years after the last interaction, or until you unsubscribe.
- Web logs & cookies
- 13 months maximum.
Article 6
International Transfers
Personal data is hosted within the European Union (Amazon Web
Services, eu-west-3, Paris). Some of our processors may operate
outside the EU; in that case, transfers are framed by appropriate
safeguards under Articles 44 et seq. GDPR — typically the
European Commission's Standard Contractual Clauses, complemented
where necessary by additional technical and contractual measures.
Article 7
Your Rights
Subject to the conditions set out in Articles 15 to 22 GDPR, you may
at any time exercise your rights:
- Access — obtain a copy of the personal data we hold about you.
- Rectification — correct any inaccurate or incomplete data.
- Erasure — request the deletion of your data, subject to our legal-retention duties.
- Restriction — pause the processing while a request is being examined.
- Portability — receive your data in a structured, machine-readable format.
- Objection — oppose processing based on our legitimate interest, in particular for prospecting purposes.
- Withdraw consent — revoke consent at any time, without affecting the lawfulness of prior processing.
- Define directives on the fate of your data after death, in accordance with Article 85 of the French Data Protection Act.
Requests should be sent to
dpo@millon.com or by post to the
registered office above. Where reasonable doubt exists as to your
identity, we may ask for a copy of an identification document.
Article 8
Security & Confidentiality
Société Millon implements appropriate technical and organisational
measures designed to ensure a level of security appropriate to the
risk: encrypted connections (TLS), access controls, role-based
permissions, audit trails, segregation of duties, regular backups,
and ongoing staff training on data-protection obligations.
In the unlikely event of a personal-data breach likely to result in a
risk to your rights, Société Millon will notify the
Commission Nationale de l'Informatique et des Libertés
(CNIL) within 72 hours and, where required, inform the data subjects
concerned without undue delay.
Article 9
Contact & Complaints
For any question about this policy or about the processing of your
personal data, please contact our Data Protection contact at
dpo@millon.com.
If you believe that the processing of your personal data infringes
applicable law, you may also lodge a complaint with the French
supervisory authority:
- Authority
- Commission Nationale de l'Informatique et des Libertés (CNIL)
- Address
- 3 place de Fontenoy · TSA 80715
75334 Paris Cedex 07 · France
- Web
- www.cnil.fr
Last updated: May 2026.