Privacy Notice

This Privacy Policy describes how Thomann GmbH (also called "Musikhaus Thomann" or "we") processes and protects the data you provide us with when using our website, according to the General Data Protection Regulation (GDPR) and the relevant German data protection laws, in particular the German Telecommunications Digital Services Data Protection Act (TDDDG) and the German Federal Data Protection Act (BDSG).

The security of personal data such as name, address, telephone number or email, is a serious and important concern for our company. Therefore, we conduct our online activities in compliance with the respective statutory provisions relating to data protection and data security. The following sets out the data and information we process as well as the purposes and legal bases for this processing.

Responsible authority, contact person for queries or exercising your rights as a data subject, contact

The responsible authority within the meaning of the data protection regulations for all data processing through our website is:

Thomann GmbH, Hans-Thomann-Straße 1, 96138 Burgebrach, Germany

In the event of any questions, comments, complaints or to exercise your rights as a data subject in connection with our Privacy Notice and the processing of your personal data by our websites, you can contact our Data Protection Officer directly by email: privacy@thomann.de. They will gladly take care of your data protection concerns.

Personal data / types of use

As a principle, the protection of your personal data is of highest priority for us. You decide whether or not you wish to make such data known to us, for example in the course of any registration, survey or the like. Such information on your part is relevant for your enquiry, but you provide it on a voluntary basis. An exception to this rule is when prior consent cannot be obtained for practical reasons and the processing of data is permitted by law.

Legal basis for the processing of personal data

If we obtain the consent of the data subject to process their personal data, Article 6(1)(a) GDPR serves as the legal basis for the processing of personal data.
When processing personal data necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) GDPR shall serve as the legal basis. This also applies to any processing required to perform pre-contractual measures.
If processing of personal data is necessary for compliance with a legal obligation to which we are subject, Article 6(1)(c) GDPR shall serve as the legal basis.
In the event that the vital interests of the data subject or of another natural person necessitate the processing of personal data, Article 6 (1)(d) GDPR shall serve as the legal basis.
If processing is necessary to safeguard the legitimate interests of our company or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR shall serve as the legal basis for processing.
Should we access your device and the information stored there or should we save information on your device as part of our processing (e.g. by using cookies), the primary legal basis is § 25(1)(1) TDDDG if we require your consent for this access, or § 25(2)(2) TDDDG if the access concerns processing that is strictly necessary.

Data automatically collected on our website / usage data

We welcome everybody to visit and use our website free of charge and to look at the products on offer. When you visit our websites, we record the following general usage data in order to assess which page or parts of our website you visit and how long you stay there:

• Information about language, version and type of browser software used
• The user’s operating system and interface
• The user’s IP address
• Date and time of access
• Websites from which the user’s system reaches our website
• The services and functions used on our website
• Time zone difference from Greenwich Mean Time (GMT)
• Content of the request (specific page)
• Access status / HTTP status code
• Relevant volume of data transferred

Such data will be combined with the usage data of all visitors to our website in order to measure the number of visitors, the average time of the visits, pages visited, etc. The data we collect is combined and used for internal purposes only.
The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.
We use this combined data to evaluate our products and the news we make available via our website, as well as for monitoring use of our website and generally improving its content.
The temporary storage of IP addresses by the system is required in order to enable the delivery of the respective webpage to the user’s computer. To do this, the user’s IP address must be stored for the duration of the session.
Data is stored in log files to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. These purposes are also the basis for our legitimate interests in data processing pursuant to Article 6(1)(f) GDPR.
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. If data is stored in log files, this is the case after no more than seven days. Further storage is possible. In this case, the users’ IP addresses are deleted or distorted, so that it is no longer possible to associate them with the calling client.
The collection of data in order to provide the website and the storage of the data in log files is essential for the operation of the website.

Exchange of data / contractual relationships with partners / third parties

In addition to the types of use described above, we will transfer your data to third parties that are involved in the processing of your order or that participate in contracts. For example, if you place an order via our website, we will transmit your order information to our partner companies and contractors who process and deliver your order to you; these include, in particular, shipping companies and payment service providers whose services and technical systems we use in the context of contract processing and fulfilment. Data will only be transmitted to the extent required in order to fulfil or deliver your order or to process an enquiry. The legal basis for this is the fulfilment of the contract concluded with you (e.g. for orders) or the initiation of a contract (Article 6(1)(b) GDPR).

We will also transmit personal data to third parties where we are required to do so by law (Article 6(1)(c) GDPR).

Data deletion and storage duration

Your personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Data may be stored beyond this if provisions have been made for this by the European or national legislator in union regulations, laws or other rules to which we as the controller are subject. Data will also be blocked or deleted if a storage period prescribed by the standards mentioned above expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract with the data subject.

Data subject rights

If your personal data is processed, you are a data subject as defined in the GDPR and you have the following rights with regard to the controller:

Information, rectification, restriction and deletion

You have the right to access the data stored about you and information concerning its origin, recipient and the purpose of data processing free of charge at any time. In addition, you have the right to rectify, delete or restrict the processing of your personal data, provided the legal requirements to do so are met.
Details can be found in the relevant statutory provisions, Articles 15 to 19 GDPR.

Right to data portability

You have the right to receive the personal data concerning you that you have provided to us as the controller, in a structured, commonly used and machine-readable format. We can comply with this right by providing a csv export of the customer data processed about you.

Right to information

If you have exercised your right to rectification, deletion or restriction of processing against the controller, the controller is obliged to notify all recipients to whom your personal data has been disclosed of this rectification or deletion of data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.

You have the right to be informed about these recipients by the controller.

Revocability of declarations of consent under data protection law

You may also revoke your consent with regard to us at any time with effect for the future using the contact details below, or with regard to cookie-based processing, via our cookie pop-up.

Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

Cookies

General information about cookies

Cookies are used as part of our website services. Cookies are text files that are stored in the Internet browser or come from the Internet browser on the user’s computer system. When a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a distinctive string that allows the browser to be uniquely identified when the website is visited again. Cookies and other similar identifiers (e.g. web beacons) enable us to provide the information on our websites better and more efficiently, and to optimise your user experience on our websites.

Most cookies do not save a user’s personal data.

When you use our website, cookies are placed in your Internet browser, without which our websites would not operate or be displayed properly (“strictly necessary cookies”). Non-essential cookies are also used and which are mainly set by third parties to compile statistics on the use of our website or to adapt the information delivered to your individual needs and interests (“analysis and marketing cookies”).

The specific tools and applications used that store cookies on your device can be found in the relevant sections of this Privacy Policy and the application descriptions in our cookie pop-up.

Purposes of and legal basis for the use of cookies and other identifiers

The legal basis for processing personal data using technically necessary cookies is § 25(2)(2) TTDSG for the setting of such cookies on your device, as well as Article 6(1)(1)(f) GDPR, e.g. for any subsequently necessary processing on our systems.

The purpose of using technically essential cookies is to facilitate the use of websites for users. Some features of our website cannot be provided without the use of cookies. For these features, the browser must be recognised, even after moving to a different page; the same applies to individual settings you have made in your browser (e.g. language selection, volume). The usage data collected through technically necessary cookies is not used to create user profiles.

Analysis and marketing cookies are used to improve the quality of our website and its contents. Analysis cookies allow us to ascertain how the website is used and thus constantly optimise our service. To perform processing functions on your end device that are based on cookies or other identifiers (e.g. browser fingerprints, pixels) and are not technically necessary for our website to function, we first require your consent, which you can give using the cookie pop-up that appears when you access our website. The legal basis for this cookie-based processing is § 25(1)(1) TTDSG for the setting of cookies on your device, and Article 6(1)(a) GDPR for the subsequent processing outside of your device on our systems or the systems of our technology partners. These types of cookies are not necessary for our website to function and will not be placed until you give your consent.

Applications

Our website may contain forms that you can use to apply online for job vacancies we have advertised. You can either use the application form to provide the relevant application data, or upload your application documents and send them to us if this is provided for at the respective contact point. You can also send your application electronically by email or by conventional mail if these options are indicated in the respective published job advertisement.

Purposes of processing and type of applicant data

We process the data you have sent us with your application to check your suitability for the position (or other open positions in our company, if applicable) and to conduct the application process. We only process information that is essential for the specific application and its completion.

The categories of personal data processed include the data you voluntarily provide to us with your application, such as your first name and surname, and your contact details (address, phone number and email address). Special categories of personal data, such as religious affiliation, may also be relevant for processing if you have indicated this, for example, in your curriculum vitae.

Legal bases for processing

The processing of the aforementioned data categories is carried out primarily for the purpose of handling the application process and initiating an employment relationship, although this does not result in any right to the conclusion of such an employment relationship. The primary legal basis for the processing is Article 6(1)(b) GDPR in conjunction with § 26(1) BDSG.

If special categories of personal data are concerned, in accordance with Article 9(1) GDPR, this is done exclusively in order to process your application and for the subsequent selection procedure within the scope of the application process. The legal basis for this is Article 9(2)(b) GDPR.

Any processing of your personal data for purposes other than those stated above requires that we inform you beforehand and, where necessary, obtain your consent.

Recipients of the data

Once you have applied for an advertised position, only the HR department and the department that advertised the position will have access to your data, unless you have expressly consented to your data being passed on to other recipients. If you have submitted a speculative application, your details will be made available to the departments whose vacancies clearly match your applicant profile.

For the application process, we use the services of our technology partner, rexx systems GmbH, Süderstraße 75–79, 20097 Hamburg ("rexx systems"), who provides the online form for integration into our websites and electronically supports the internal administration of applications. We have separately contractually obligated the technology partner to comply with data protection requirements.

Storage period and deletion

In the event of employment, all data will be transferred to your personnel file or to our personnel information system. If your application is unsuccessful, your data will be completely deleted after six months from our last communication with you, or stored in our applicant pool for a period of two years if you have separately agreed to this.

Job alert (job newsletter via email)

If this is provided for on the relevant website, you can also subscribe to our job alert (email newsletter) to be informed about new, interesting job offers. For this purpose, only your email address will be processed via the registration form; the other information is voluntary. This data is used to address you personally.
To register for the job alert, we use a double opt-in procedure. This means that upon registration we send an email to the email address provided, in which we ask for confirmation that you wish to receive the job alert. If you do not confirm your registration, your information will be automatically deleted after seven days. Following your confirmation, we will store your email address for the purpose of sending you the newsletter until you revoke your consent. If you unsubscribe from the job alert subscription, the deletion period specified in the subsection “Storage period and deletion” will apply accordingly to your data.
We also store your current IP address at the time of registration, the time of registration and the confirmation within the stated storage period. The purpose of this procedure is to be able to prove your registration in case of doubt and, if necessary, to clarify any misuse of your personal data.
The legal basis for logging the registration is our legal obligation to set up technical and organisational measures, especially in the context of data security in accordance with Article 6(1)(c) GDPR, in addition to our legitimate interest in accordance with Article 6(1)(f) GDPR in proving previously given consent, see also Article 7(1) GDPR.

Contact information

Our website offers options to give feedback, to use live support and to leave notes/comments for orders. If a user takes advantage of one of these options, the data entered on the input screen will be transmitted to us and stored. This data includes:

• "Give feedback": your message (if it contains voluntary information from you containing personal data), and email address (optional)
• Live support and notes/comments on orders: only data that is required for your individual support request or that you voluntarily provide in your note/comment

Alternatively, you can contact us via the email addresses provided on our website. In this case, the user’s personal data transmitted by email will be stored.

No data is passed on to third parties in this context. The data is used exclusively for processing the conversation.

The legal basis for processing the data transmitted via the contact form or in the course of sending an email is Article 6 (1)(f) GDPR. If the purpose of the contact is to conclude a contract, the additional legal basis for the processing shall be Article 6(1)(b) GDPR.

The personal data from the input screen is only processed in order for us to process the contact. In the event of contact via email, this is also the basis for the required legitimate interest in the processing of data.

Any other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. For the personal data from the contact form input screen and the data sent by email, this is the case if the respective conversation with the user has ended. The conversation is deemed to be ended if it can be inferred from the circumstances that the relevant facts have been conclusively clarified.

Userlike Chat

We use a Userlike chat widget on our website. As our technology partner, we have contractually obligated Userlike to comply with data protection requirements when processing personal data on our behalf via a corresponding data protection agreement.

Userlike allows you to start a live chat and contact us via the widget embedded on our website. In this case, we will process the following data:

• Communication content of the chat
• Date and time of chat
• Name of our employee with whom the chat is conducted
• Chat language
• Duration
• Starting URL from where the chat was started
• Destination URL where the chat ended
• IP address

The data will be processed exclusively for the purpose of chat communication.

The legal basis for processing data if the user’s consent is given is Article 6(1)(a) GDPR. You can give and revoke your consent via our cookie layer. If you revoke your consent during an ongoing chat, we will not be able to continue the chat and will terminate it.

We use the technical usage data we process during a live chat to prevent misuse of the chat and to ensure the security of our IT systems. This is in our legitimate interest in accordance with Article 6(1)(f) GDPR.

More information about Userlike and its privacy policy can be found by visiting the links above.

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. The data we process during the live chat will be deleted after one month at the latest.

Google Tag Manager

We use Google Tag Manager to manage “website tags”. Tags are small code elements on our website that run upon certain interactions with the website and send measured data to the third party programs used (e.g. Google Analytics). The Tag Manager itself does not use cookies and does not collect any personal data. The Tag Manager triggers other tags that collect data and place cookies under certain circumstances (e.g. the third party programs used). The Tag Manager does not access this data.

Further information about Google Tag Manager, the details of data processing through these services and Google’s privacy policy can be found by visiting the links above.

Use of services for marketing and analysis purposes

The services described below are used for marketing, analysis and reach measurement purposes with the aim of making our offering more attractive. The legal basis for the data processing operations via these services is your consent given via our cookie pop-up (see above in the section Purposes and legal bases for the use of cookies and other identifiers), unless another legal basis is expressly stated in the following sections.

Google Analytics

Auf unseren Websites verwenden wir Google Analytics, einen Webanalysedienst von Google. Google Analytics verwendet sog. "Cookies", Textdateien, die auf Ihrem Computer gespeichert werden und die eine Analyse der Benutzung der Website durch Sie ermöglichen. Die durch den Cookie erzeugten Informationen über Ihre Benutzung dieser Website werden in der Regel an einen Server von Google in den USA übertragen und dort gespeichert.

In unserem Auftrag wird Google diese Informationen benutzen, um Ihre Nutzung der Website auszuwerten, um Reports über die Websiteaktivitäten zusammenzustellen und um weitere mit der Websitenutzung und der Internetnutzung verbundene Dienstleistungen uns gegenüber als Websitebetreiber zu erbringen. Die im Rahmen von Google Analytics von Ihrem Browser übermittelte IP-Adresse wird Google nicht mit anderen Daten von Google zusammenführen. Wir möchten Sie außerdem darauf hinweisen, dass auf unseren Websites Google Analytics mit der Erweiterung anonymizeIP verwendet wird und daher IP-Adressen nur gekürzt weiterverarbeitet werden, um einen Personenbezug auszuschließen.

Sie können die Speicherung der Cookies durch eine entsprechende Einstellung Ihrer Browser-Software verhindern; wir weisen Sie jedoch darauf hin, dass Sie in diesem Fall gegebenenfalls nicht sämtliche Funktionen dieser Website vollumfänglich werden nutzen können. Sie können darüber hinaus die Erfassung und Übermittlung der durch das Cookie erzeugten und auf Ihre Nutzung der Website bezogenen Daten (inkl. Ihrer IP-Adresse) an Google sowie die Verarbeitung dieser Daten durch Google verhindern, indem sie das unter dem folgenden Link verfügbare Browser-Plug-in herunterladen und installieren: https://tools.google.com/dlpage/gaoptout/eula.html?hl=de.

Nähere Informationen zur Funktionsweise von Google Analytics und zu den für diesen Dienst einschlägigen Nutzungsbedingungen und Datenschutzbestimmungen finden Sie anhand der oben in diesem Abschnitt angegebenen Links.

Die Google Ireland Ltd. ist ein Tochterunternehmen der Google LLC mit Sitz in den USA. Es ist nicht ausgeschlossen, dass Ihre durch Google erhobenen Daten auch in die USA übermittelt werden.

Embedded Content and use of links to social media (Facebook, Instagram et al.)

Third-party multimedia content (e.g. videos, music tracks as streams, posts on social media, maps) may be integrated on our websites using technical processes (usually as iFrame or JavaScript). For greater data protection, we have opted for the so-called 2-click procedure for the integration of such content; this means that the content is only loaded onto the website interface after a first click and your consent and is only then available to you. With a second click, you can access and consume the content, e.g. play an integrated music track or video. Possible data processing via our servers or those of the third-party provider is only triggered after the first click. For each embedded content, we also point out any additional data processing by the third-party provider that may take place when the content is accessed by linking to their relevant data protection information.

In addition, some of our embedding content can only be accessed if you have given your consent via our cookie layer. Information on the relevant services can be found in the information available via our cookie layer.

You give your consent either via our cookie layer or directly at the point on our websites where the respective content can be accessed. The legal basis is your consent in accordance with Section 25 (1) sentence 1 TTDSG if information (e.g. cookies) must be stored on your end device by activating the integrated content or if information stored on your end device must be accessed. The relevant legal basis for subsequent processing via our servers is Art. 6 para. 1 lit. a GDPR; subsequent processing by the third-party provider, which no longer takes place under our responsibility, is subject to the purposes and legal bases that the respective third-party provider specifies in its data protection information.

Translated with DeepL.com (free version)

The following content ("embeds") is integrated on our website under the responsibility of the respective companies named as third-party providers:

• Facebook: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; https://www.facebook.com/privacy/policy/

• Instagram: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland; https://privacycenter.instagram.com/policy

• Spotify: Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm, Schweden; https://www.spotify.com/de-en/legal/privacy-policy/

• Vimeo: Vimeo.com, Inc., 330 West 34th Street, 10th Floor, New York, New York 10001, USA;; https://vimeo.com/privacy

Unter den genannten Links finden Sie unter anderem auch Informationen über Einstellungsmöglichkeiten zum Schutz Ihrer Privatsphäre und über Ihre weitergehenden Rechte bezüglich der Verarbeitung Ihrer Daten durch den jeweiligen Drittanbieter.anbieter.

YouTube videos on our website

We have embedded YouTube videos on some of our web pages to make our services more visually attractive.

YouTube videos are primarily embedded as placeholders and in such a way that there is no connection to Google’s servers and the transmission of data is prevented (2-click integration). For integration, we also use extended data protection mode (noCookie variant). This means that videos are embedded without cookies being set to record usage behaviour. Therefore, usage behaviour is not monitored in order to personalise the video delivery. However, technically necessary cookies are set, without which playing the videos on our websites would not be possible. These cookies do not collect any personal data, they only process the technical data that is necessary to provide the videos.

You can decide whether you want to watch YouTube videos on our website. Your consent is always required for this. You can either give your general consent by activating the YouTube service via our cookie pop-up, or you can (even if you have not given your consent via our cookie pop-up) unlock the content of the respective video separately where the video is embedded on our website and give your consent. Cookies will only be used if you have agreed to one of the options mentioned above.

More detailed information about YouTube and the terms of use and privacy policy relevant to this service can be found in the links provided above in this section.

Google Ireland Ltd. is a subsidiary of Google LLC, based in the USA. It cannot be excluded that the data collected by Google will also be sent to the USA. Another possible recipient is YouTube LLC, also based in the USA.

Meta pixel

We use Meta Pixel on our website. With the help of this service, we can reach our customers directly via the social media platforms in the Meta network (particularly Facebook and Instagram) by showing ads to visitors to our websites when they visit one of the Meta platforms.

Meta Pixel implemented on our websites is a code snippet that is able to identify your browser via the browser ID – your browser’s individual fingerprint – and detect that you visited our website and what exactly you viewed there. A direct connection to the Meta servers is made when you visit our website. Meta can identify you by your browser ID because it is linked to other data about you stored by the Meta platform on your user account. Meta then delivers custom ads from us, tailored to your needs, on the timeline of your Meta platform or elsewhere on the respective Meta platform.

We cannot personally identify you via Meta Pixel, because we do not save personal data other than your browser ID using Meta Pixel.

Further information about Meta Pixel, the details of data processing through this service and Meta’s privacy policy can be found by visiting the links above.

Meta Platforms Ireland Ltd. is a subsidiary of Meta Platforms, Inc., based in the USA. It cannot be excluded that the data collected by Meta will also be sent to the USA.

Updates to this Privacy Notice

We may update this Privacy Notice from time to time. Please check our websites regularly for our current Privacy Notice.

If you have any comments or questions regarding this Privacy Notice or any other directives on this website, please contact us using the contact channels available on our website.

Last updated: 08/2024