This Privacy Policy describes how we, Thomann GmbH (hereinafter referred to as “Musikhaus Thomann”) process and protect according to the General Data Protection Regulation (GDPR) and the relevant German data protection laws, in particular the German Federal Data Protection Act (BDSG), the data you provide us with when using our website.
The security of personal data such as name, address, telephone number or email, is a serious and important concern for our company. Therefore, we conduct our online activities in compliance with the respective statutory provisions relating to data protection and data security. Below, you can find the information we process.
Personal data / types of use
As a principle, the protection of your personal data is of highest priority for Musikhaus Thomann. You decide whether or not you wish to make such data known to us, for example in the course of any registration, survey or the like. Such information on your part is relevant for your enquiry, but you provide it on a voluntary basis. An exception to this rule is when prior consent cannot be obtained for practical reasons and the processing of data is permitted by law.
Legal basis for the processing of personal data
If we obtain the consent of the data subject to process their personal data, Article 6(1)(a) GDPR serves as the legal basis for the processing of personal data.
When processing personal data necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) GDPR shall serve as the legal basis. This also applies to any processing required to perform pre-contractual measures.
If processing of personal data is necessary for compliance with a legal obligation to which Musikhaus Thomann is subject, Article 6(1)(c) GDPR shall serve as the legal basis.
In the event that the vital interests of the data subject or of another natural person necessitate the processing of personal data, Article 6 (1)(d) GDPR shall serve as the legal basis.
If processing is necessary to safeguard the legitimate interests of our company or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR shall serve as the legal basis for processing.
Data deletion and storage duration
The data subject’s personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Data may be stored beyond this if provisions have been made for this by the European or national legislator in Union regulations, laws or other rules to which the controller is subject. Data will also be blocked or deleted if a storage period prescribed by the standards mentioned above expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
Exchange of data / contractual relationships with partners / third parties
In addition to the types of use described above, Musikhaus Thomann will transfer your data to third parties that are involved in the processing of your order or that participate in contracts. For example, if you place an order via our website, we will transmit your order information to Musikhaus Thomann’s partner companies and contractors who process and deliver your order to you. Data will only be transmitted to the extent required in order to fulfil or deliver your order or to process an enquiry. We will also transmit personal data to third parties where we are required to do so by law.
Data automatically collected on our website / usage data
We welcome anybody to visit and use our website free of charge and to look at the products on offer. When you visit our website, we record the following general usage data in order to assess which parts of our website you visit and how long you stay there:
- Information about the browser type and version used
- The user’s operating system
- The user’s IP address
- Date and time of access
- Websites from which the user’ system reaches our website
- The services and functions used on our website
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status / HTTP status code
- Relevant volume of data transferred
- Language and version of the browser software.
Such data will be combined with the usage data of all visitors to our website in order to measure the number of visitors, the average time of the visits, pages visited, etc. The data we collect is combined and used for internal purposes only.
The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.
We use this combined data for evaluating our products, services and the news we make available via our website, as well as for monitoring use of our website and generally improving its content.
The temporary storage of IP addresses by the system is required in order to allow the website to be delivered to the user’s computer. To do this, the user’s IP address must be stored for the duration of the session.
Data is stored in log files to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. These purposes are also the basis for our legitimate interests in data processing pursuant to Article 6(1)(f) GDPR.
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. If data is stored in log files, this is the case after no more than seven days. Further storage is possible. In this case, the users’ IP addresses are deleted or distorted, so that it is no longer possible to associate them with the calling client.
The collection of data in order to provide the website and the storage of the data in log files is essential for the operation of the website. Therefore the user cannot opt out.
Third party advertisements or links to other websites displayed on our website may collect user data if you click on them or otherwise follow their instructions. We have no control over the data collected either voluntarily or involuntarily via advertisements or websites of third parties. We recommend that you read the privacy policies of the promoted websites if you have any concerns regarding the collection and use of your data.
Cookies
Like many other commercial websites, Musikhaus Thomann sometimes uses the technology known as “cookies” to collect information on how you use the website, and to ensure your visit runs smoothly.
Cookies are text files that are stored in the Internet browser or come from the Internet browser on the user’s computer system. When a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a distinctive string that allows the browser to be uniquely identified when the website is visited again.
Cookies cannot read any information from your computer or interact with other cookies on your hard disk. However, cookies enable us to recognize you when you revisit our website.
You can find the data that has been stored in cookies in the cookie settings.
Our website makes use of transient cookies, persistent cookies, tracking/web bugs and local storage.
Transient and persistent cookies
Transient cookies are automatically erased when you close your browser. These include in particular the session cookie. These store a so-called session ID, with which various requests from your browser can be assigned to the joined session. This enables our website to recognise your computer when you return. Session cookies are erased when you close your browser.
We use transient cookies to make our websites more user-friendly. Some elements on our website require the browser to be identified even after you have moved to a different page.
Our website also uses persistent cookies that enable analysis of the browsing behaviour of our users. Persistent cookies are automatically erased after a prescribed period, which may vary depending on the cookie. They enable transmission of, for example, IP addresses and search terms entered, as well as the use of certain website functions.
Most cookies do not save a user’s personal data. However, the user’s email address and customer ID could be stored on the server in addition to the cookie ID.
Tracking/web bugs
Some of our services also use “tracking bugs”, “web bugs” or “tracking pixels”. This involves code snippets that are usually only 1×1 pixel in size and can identify and detect your browser via the browser ID – your browser’s individual “fingerprint”. These enable the service provider to see how many users have accessed the pixel and if and when an email has been opened or a website has been visited.
You can use tools such as webwasher, bugnosys and AdBlock to prevent web bugs on our website. We will not use web bugs to secretly collect your personal data or share such data with third parties and marketing platforms without your express consent.
Purposes of and legal basis for the use of cookies and other identifiers
The legal basis for processing personal data using technically necessary cookies is Article 6(1)(1)(f) GDPR.
The purpose of using technically essential cookies is to facilitate the use of websites for users. Some features of our website cannot be provided without the use of cookies. For these features, it is necessary to recognise the browser, even after moving to a different page.
The right to object is excluded for technically essential cookies as these are required to display the website and its contents and to make the functionalities of the website available to you.
The user data collected through technically necessary cookies is not used to create user profiles.
Analysis and marketing cookies are used to improve the quality of our website and its contents. Analysis cookies allow us to ascertain how the website is used and thus constantly optimise our service. To perform processing functions on your end device that are based on cookies or other identifiers (e.g. browser fingerprints, pixels) and are not technically necessary for our website to function, we first require your consent, which you can give using the cookie pop-up that appears when you access our website. The legal basis for this cookie-based processing is § 25 (1) (1) TDDDG. These types of cookies are not necessary for our website to function and will not be placed until you give your consent.
Withdrawal of consent to the use of cookies and other identifiers/tags
You can at any time withdraw your consent to the use of cookies to collect data by deactivating cookies here. You can also deactivate cookies in the cookie settings under “statistics” and “marketing” or “external media”.
If you do not want your browser to accept cookies, you can also deactivate or restrict cookies. Cookies that have already been saved can be deleted or deactivated at any time in your web browser. Deactivation of cookies may prevent this website from functioning properly. You may not be able to access all the options and information on this website. Please remember that cookies must be deactivated separately in each of the browsers you use.
For more information about how to manage or delete cookies using the settings in your browser, please visit the help page for that browser.
Contact form and email contact
Our website provides a convenient opportunity to get in contact with us using the contact form. If a user takes advantage of one of these options, the data entered on the input screen will be transmitted to us and stored. This data includes:
- Name
- Email address
- Your message (if it contains voluntary information from you containing personal data)
Alternatively, you can contact us via the email addresses provided on our website. In this case, the user’s personal data transmitted by email will be stored.
No data is passed on to third parties in this context. The data is used exclusively for processing the conversation.
The legal basis for processing the data transmitted in the course of sending an email is Article 6 (1)(f) GDPR. If the purpose of the email is to conclude a contract, the additional legal basis for the processing shall be Article 6(1)(b) GDPR.
The personal data from the input screen is only processed in order for us to process the contact. In the event of contact via email, this is also the basis for the required legitimate interest in the processing of data.
Any other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. For the personal data from the contact form input screen and the data sent by email, this is the case if the respective conversation with the user has ended. The conversation is deemed to be ended if it can be inferred from the circumstances that the relevant facts have been conclusively clarified.
Use of services for marketing and analysis purposes
The services described below are used for advertising and marketing purposes with the aim of making our offering more attractive. The legal basis for the data processing through these services is your consent given by you via our Cookie-Layer (see in section Purposes of and legal basis for the use of cookies and other identifiers above), unless another legal basis is mentioned in the sections below.
Google Analytics
Our website utilises Google Analytics, a web analytics tool by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics uses “cookies”, text files stored on your computer that enable analysis of how you use the website. The cookie-generated information about your use of this website is usually transmitted to and stored on a Google server in the United States. However, if you are in a country that is a member state of the European Union or a contracting party to the Agreement on the European Economic Area, and if IP address anonymization has been activated on this website, Google will first truncate your IP address. Only by way of exception will the full IP address be transmitted to a Google server in the United States and truncated there. Google will use this information on our behalf for the purposes of analysing how you use the website, compiling reports on website activity and providing further services related to website and internet use to the website operator. Google will not combine the IP address transmitted by your browser via Google Analytics with other Google data. You can disable cookies by setting your browser accordingly; however, if you do this you may not be able to use the full functionality of this website. Furthermore, you can prevent collection and transfer of the data generated by cookies and relating to your use of the website (including your IP address) to Google, as well as the processing of such data by Google, by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout/eula.html?hl=en.
Statutory right of withdrawal
You can find out how to withdraw your consent given using our cookie pop-up in the section Withdrawal of consent to the use of cookies and other identifiers/tags.
We would also like to point out that our website uses Google Analytics with the anonymizeIP extension so that IP addresses are only processed further in an abbreviated form to prevent them being directly linked to a particular individual.
More detailed information about the function of Google Analytics and the terms of use and privacy policy relevant to this service can be found under http://www.google.com/analytics/terms/gb.html and http://www.google.com/intl/en/policies/privacy/.
Google Tag Manager
We use Google Tag Manager to manage “website tags”. Tags are small code elements on our website that run upon certain interactions with the website and send measured data to the third party programs used (e.g. Google Analytics). The Tag Manager itself does not use cookies and does not collect any personal data. The Tag Manager triggers other tags that collect data and place cookies under certain circumstances (e.g. the third party programs used). The Tag Manager does not access this data.
Embedding and use of links to social media (Facebook, Instagram, et al.)
Links to external social network services such as Facebook and YouTube are embedded on our website, in particular in the areas displaying our products. The responsibility for the internet services of these social network services lies solely with their operators. Below you will find further information, categorised according to the corresponding social network service.
None of your data is transferred to social media services as a result of our links to these services. These are normal hyperlinks, through which no regular data transmission takes place. If you click on the link, you will be taken directly to our social media page on the respective social media service. Data is only transmitted if you are logged into your user account of the corresponding social media service. You can then link to or share content from our websites directly using the social media service, or you can watch YouTube videos on our YouTube channel. Under certain circumstances, the social media service may thus ascertain which content you have viewed on our website.
The responsibility for the social media services linked to by Musikhaus Thomann lies exclusively with:
- Meta Platforms Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, for Facebook and its website;
- Instagram, LLC, 1601 Willow Rd. Menlo Park, CA 94025, USA, for Instagram and its website;
- YouTube, LLC, 901 Cherry Ave., St. Bruno, CA 94066, USA, for YouTube and its website;
For further information regarding the purpose and scope of data collection, and regarding the further processing and use of your data by the respective social media service, see the privacy rules of the relevant service. These are available online:
- Facebook: https://www.facebook.com/about/privacy/
- Instagram: https://www.instagram.com/about/legal/privacy
- YouTube: https://www.google.de/intl/de/policies/privacy/
Under the above-mentioned links you will also find information regarding settings for the protection of your privacy and regarding your further rights concerning the processing of your data by the respective social network service.
All services are used for advertising and marketing purposes with the aim of making Musikhaus Thomann’s offering more attractive. As described above for each of the individual services, we take your right to privacy seriously by allowing you to object to the use of all services and informing you in advance about this Privacy Notice. The legal basis for the aforementioned data processing is Article 6(1)(f) GDPR. The information in this Privacy Notice and the right of objection granted to you sufficiently protects your right to privacy.
Facebook remarketing
On our websites, we use the “Vanilla Custom Audiences Pixel”, a service provided by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (“Facebook”). With the help of this service we can reach our customers directly through the Facebook network by showing “Facebook ads” to visitors of our website when they visit the social network Facebook.
To this end we have implemented the Facebook “remarketing pixel”. This involves code snippets that are able to identify your browser via the browser ID – your browser’s individual fingerprint – and detect that you visited our website and what exactly you viewed there. A direct connection to the Facebook servers is made when you visit our website. Facebook is able to identify you using your browser-ID, as this is linked to other data saved to your Facebook user account. Facebook then shows customised advertisements that are matched to your needs on your Facebook timeline or in another place on Facebook.
We at Thomann are not able to personally identify you via the Facebook pixel, because we do not save any personal data other than your browser ID using the Facebook remarketing pixel.
More information about Facebook Custom Audiences, the particulars of data processing using this service and Facebook’s data policy can be found at https://www.facebook.com/about/privacy/.
DoubleClick and Google Ads Remarketing or “Similar Audiences”
Our website utilises the DoubleClick Remarketing Pixel and Google Ads Remarketing or “Similar Audiences”. The provider of both services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Using these services, we can show you advertisements associated with our online shop (e.g. interesting product offers) on the websites of other service providers that also use these Google services (“partners” in the Google Display network). Furthermore, we can use Google Ads Remarketing to place a message on the websites of other providers in the Google Display Network reminding you to complete your order if you have recently abandoned an order on our online shop. This requires the use of cookie technology.
To this end, Google stores a small file containing a sequence of numbers (“cookie ID”) in your browser to identify you as a visitor to our website and collect other anonymous data about the use of our website. The cookie ID is stored by us and used only to explicitly identify your browser and not to identify you as a person. These services are not used to collect or store your personal data.
We use Google Remarketing across multiple devices. This means, for example, that if you begin making a purchase from our online shop using your smartphone and complete it on your laptop, we can reach you with the abovementioned personalised advertisements on the other device you use. However, this will only happen if you have given Google your consent for Google to link your web and app browsing history with your Google account, and for information from your Google account to be used to personalise the advertisements you see online. In this instance, Google uses the data of this logged-in user together with Google analytics data to define and create audience lists for Remarketing across multiple devices. Google Analytics collects this user’s Google-authenticated IDs to support this function. This data from Google is temporarily linked with our Google Analytics data to create our audiences.
Please check the privacy settings in your Google account to prevent Google linking your web and app browsing history with your Google account.
No personal data will be transmitted to Google for the purpose of displaying a message reminding you of an abandoned order on our online shop. Only the fact that you wanted to place an order on our online shop under the collected cookie ID and abandoned this order, as well as the total price of the intended order, will be transmitted to Google for this purpose (“shopping cart transfer”).
Microsoft Clarity
Provider information: Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland (“Microsoft”)
Legal basis: Consent, § 25(1) TDDDG and Article 6(1)(a) GDPR
Provider’s data protection regulations: https://www.microsoft.com/en-gb/privacy/privacystatement
Additional information from the provider: https://learn.microsoft.com/en-us/clarity/setup-and-installation/about-clarity
We use Microsoft Clarity (“Clarity”) on our website. Clarity is a comprehensive analysis and evaluation tool that helps us record and evaluate user activities on our website. Through clarity, for example, we can create “heat maps” of the webpages and view and analyse them via dashboards to identify and optimise content and product offers in less frequently visited areas. In addition, by recording user actions, particularly during the checkout process, we can determine the areas in which users may have difficulties getting to the next order step or performing certain actions to successfully complete the checkout process. Other purposes are listed in the table below. Your personal account data will not be processed, nor will this data be linked to the data processed via Clarity. Any other relevant personal information will be masked using appropriate settings. Clarity uses an ID (Clarity ID) to target users of our website, but no personal data is processed via this ID.
The following data is processed via the service:
- IP address
- Time information (e.g. event time)
- Location information (country and region only)
- Behavioural data (e.g. browsing, clicking and scrolling behaviour)
- Browser information (e.g. browser version)
- Device information (e.g. operating system)
- Product data on webshop page
Further information on the data processed can be found at https://learn.microsoft.com/en-us/clarity/setup-and-installation/clarity-data.
Processing purposes | Process |
---|---|
Tracking using Clarity ID | ID-related analysis of user behaviour based upon the usage data mentioned above |
Analysis | Evaluating user behaviour and user interaction primarily with content on our website and the products in our webshop by processing predominantly technical user data, interaction data (e.g. device, browser, OS, IP addresses) |
Heat mapping | Aggregation of usage data to determine the areas of our websites that are used and visited particularly frequently or rarely |
Recording of user behaviour on specific areas of our websites, in particular the checkout process | Recording of user behaviour on our webpages (e.g. clicks, scrolls, mouse movements) in pseudonymised sessions while masking numerical shop data (such as prices) and personal form fields. |
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. Data on Clarity servers, including backups, is deleted after the retention period expires and cannot be recovered. Below is an overview of the retention periods (storage duration) of the different data types:
Clarity data type | Retention period |
---|---|
Click data (data on the Clarity portal or aggregated data per page such as URL, user ID and pointer distance) | 13 months |
Playback data (recording playback data) | 30 days |
Sessions that have been marked or favoured | 13 months |
It cannot be excluded that Microsoft, as our technology partner, also operates via server locations in the USA in order to make its cloud services available to Clarity. Microsoft Ireland Operations Limited is a subsidiary of the Microsoft Corporation, based in the USA. Therefore, it also cannot be excluded that the data collected by Microsoft will also be sent to the USA. Data transfers to the USA are secured in accordance with Article 45 GDPR via the EU-US Data Privacy Framework (DPF). For further information on Clarity, please see https://learn.microsoft.com/en-us/clarity/setup-and-installation/about-clarity.
Right of withdrawal
You can find out how to withdraw your consent given using our cookie pop-up in the section Withdrawal of consent to the use of cookies and other identifiers/tags.
Security
Musikhaus Thomann takes precautions to ensure the security of your personal data. Your data will be diligently protected against loss, destruction, manipulation and unauthorized access or unauthorized disclosure and transmission.
Musikhaus Thomann protects collected customer data by saving it on servers protected by passwords and “firewalls” that use encryption technologies to prevent unauthorised access.
Musikhaus Thomann does its utmost and implements state-of-the-art technology to provide you with a secure environment for the completion of your order; however, we cannot guarantee absolute security of your data.
We ask you to take every available precaution to protect your personal data when online. We encourage you to at least change your passwords on a regular basis, to use a combination of letters and numbers, and to ensure you use a secure browser when surfing the internet.
Rights as a data subject
If your personal data is processed, you are a data subject as defined in the GDPR and you have the following rights with regard to the controller:
1. Information, rectification, restriction and deletion
You have the right to access the data stored about you by Musikhaus Thomann and information concerning its origin and recipient and the purpose of data processing by Thomann’s websites free of charge at any time. In addition, you have the right to rectify, delete or restrict the processing of your personal data, provided the legal requirements to do so are met.
Details can be found in the relevant statutory provisions, Article 15 to 19 GDPR.
2. Right to data portability
You have the right to receive the personal data concerning you that you have provided to Musikhaus Thomann as the controller, in a structured, commonly used and machine-readable format. Musikhaus Thomann can comply with this right by providing a csv export of the customer data processed about you.
3. Right to information
If you have exercised your right of rectification, deletion or restriction of processing against the controller, the controller is obliged to notify all recipients to whom your personal data has been disclosed of this rectification or deletion of data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.
You have the right to be informed about these recipients by the controller.
4. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you that is based upon point (e) or (f) of Article 6(1) GDPR, including profiling based upon those provisions.
The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
5. Revocability of declarations of consent under data protection law
You may also revoke your consent with regard to Musikhaus Thomann at any time with effect for the future using the contact details given below.
6. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely upon automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
(1) is necessary for entering into, or performance of, a contract between you and the controller,
(2) is authorised by Union or Member State law to which the controller is subject and that also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
(3) is based upon your explicit consent.
However, these decisions shall not be based upon special categories of personal data referred to in Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in points (1) and (3), the data controller will implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
7. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
Responsible authority, contact person for queries or exercising your rights as a data subject, contact
The responsible authority within the meaning of the data protection regulations for all data processing through the Musikhaus Thomann website is:
Thomann GmbH, Hans-Thomann-Strasse 1, 96138 Burgebrach, Germany
In the event of any questions, comments, complaints or to exercise your rights as a data subject in connection with our Privacy Notice and the processing of your personal data by Musikhaus Thomann’s websites, you can contact Musikhaus Thomann’s data protection officer directly by email (privacy@thomann.de). He will gladly take care of your data protection concerns.
Update of the Privacy Policy
Musikhaus Thomann may update this Privacy Policy from time to time. Any such change will be displayed on the website. If you have any comments or questions regarding this Privacy Policy or any other guidelines on this website, please contact us in writing.