This Privacy Policy describes how die Thomann GmbH (also called “Musikhaus Thomann” or “we”) processes and protects the data you provide us with when using our website, according to the General Data Protection Regulation (GDPR) and the relevant German data protection laws, in particular the German Telecommunications Digital Services Data Protection Act (TDDDG) and the German Federal Data Protection Act (BDSG).
The security of personal data such as name, address, telephone number or email, is a serious and important concern for our company. Therefore, we conduct our online activities in compliance with the respective statutory provisions relating to data protection and data security. The following sets out the data and information we process as well as the purposes and legal bases for this processing.
The responsible authority within the meaning of the data protection regulations for all data processing through our website is:
Thomann GmbH, Hans-Thomann-Straße 1, 96138 Burgebrach, Germany
In the event of any questions, comments, complaints or to exercise your rights as a data subject in connection with our Privacy Notice and the processing of your personal data by our websites, you can contact our Data Protection Officer directly by email: privacy@thomann.de. They will gladly take care of your data protection concerns.
As a principle, the protection of your personal data is of highest priority for us. You decide whether or not you wish to make such data known to us, for example in the course of any registration, survey or the like. Such information on your part is relevant for your enquiry, but you provide it on a voluntary basis. An exception to this rule is when prior consent cannot be obtained for practical reasons and the processing of data is permitted by law.
If we obtain the consent of the data subject to process their personal data, Article 6(1)(a) GDPR serves as the legal basis for the processing of personal data. When processing personal data necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) GDPR shall serve as the legal basis. This also applies to any processing required to perform pre-contractual measures. If processing of personal data is necessary for compliance with a legal obligation to which we are subject, Article 6(1)(c) GDPR shall serve as the legal basis. In the event that the vital interests of the data subject or of another natural person necessitate the processing of personal data, Article 6 (1)(d) GDPR shall serve as the legal basis. If processing is necessary to safeguard the legitimate interests of our company or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR shall serve as the legal basis for processing. Should we access your device and the information stored there or should we save information on your device as part of our processing (e.g. by using cookies), the primary legal basis is § 25(1)(1) TDDDG if we require your consent for this access, or § 25(2)(2) TDDDG if the access concerns processing that is strictly necessary.
We welcome everybody to visit and use our website free of charge and to look at the products on offer. When you visit our websites, we record the following general usage data in order to assess which page or parts of our website you visit and how long you stay there:
Such data will be combined with the usage data of all visitors to our website in order to measure the number of visitors, the average time of the visits, pages visited, etc. The data we collect is combined and used for internal purposes only. The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR. We use this combined data to evaluate our products and the news we make available via our website, as well as for monitoring use of our website and generally improving its content. The temporary storage of IP addresses by the system is required in order to enable the delivery of the respective webpage to the user’s computer. To do this, the user’s IP address must be stored for the duration of the session. Data is stored in log files to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. These purposes are also the basis for our legitimate interests in data processing pursuant to Article 6(1)(f) GDPR. The data will be deleted as soon as it is no longer necessary for the purpose of its collection. If data is stored in log files, this is the case after no more than seven days. Further storage is possible. In this case, the users’ IP addresses are deleted or distorted, so that it is no longer possible to associate them with the calling client. The collection of data in order to provide the website and the storage of the data in log files is essential for the operation of the website.
In addition to the types of use described above, we will transfer your data to third parties that are involved in the processing of your order or that participate in contracts. For example, if you place an order via our website, we will transmit your order information to our partner companies and contractors who process and deliver your order to you; these include, in particular, shipping companies and payment service providers whose services and technical systems we use in the context of contract processing and fulfilment. Data will only be transmitted to the extent required in order to fulfil or deliver your order or to process an enquiry. The legal basis for this is the fulfilment of the contract concluded with you (e.g. for orders) or the initiation of a contract (Article 6(1)(b) GDPR).
We will also transmit personal data to third parties where we are required to do so by law (Article 6(1)(c) GDPR).
Your personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Data may be stored beyond this if provisions have been made for this by the European or national legislator in union regulations, laws or other rules to which we as the controller are subject. Data will also be blocked or deleted if a storage period prescribed by the standards mentioned above expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract with the data subject.
If your personal data is processed, you are a data subject as defined in the GDPR and you have the following rights with regard to the controller:
You have the right to access the data stored about you and information concerning its origin, recipient and the purpose of data processing free of charge at any time. In addition, you have the right to rectify, delete or restrict the processing of your personal data, provided the legal requirements to do so are met. Details can be found in the relevant statutory provisions, Articles 15 to 19 GDPR.
You have the right to receive the personal data concerning you that you have provided to us as the controller, in a structured, commonly used and machine-readable format. We can comply with this right by providing a csv export of the customer data processed about you.
If you have exercised your right to rectification, deletion or restriction of processing against the controller, the controller is obliged to notify all recipients to whom your personal data has been disclosed of this rectification or deletion of data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.
You have the right to be informed about these recipients by the controller.
You may also revoke your consent with regard to us at any time with effect for the future using the contact details below, or with regard to cookie-based processing, via our cookie pop-up.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
Cookies are used as part of our website services. Cookies are text files that are stored in the Internet browser or come from the Internet browser on the user’s computer system. When a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a distinctive string that allows the browser to be uniquely identified when the website is visited again. Cookies and other similar identifiers (e.g. web beacons) enable us to provide the information on our websites better and more efficiently, and to optimise your user experience on our websites.
Most cookies do not save a user’s personal data.
When you use our website, cookies are placed in your Internet browser, without which our websites would not operate or be displayed properly (“strictly necessary cookies”). Non-essential cookies are also used and which are mainly set by third parties to compile statistics on the use of our website or to adapt the information delivered to your individual needs and interests (“analysis and marketing cookies”).
The specific tools and applications used that store cookies on your device can be found in the relevant sections of this Privacy Policy and the application descriptions in our cookie pop-up.
The legal basis for processing personal data using technically necessary cookies is § 25(2)(2) TDDDG for the setting of such cookies on your device, as well as Article 6(1)(1)(f) GDPR, e.g. for any subsequently necessary processing on our systems.
The purpose of using technically essential cookies is to facilitate the use of websites for users. Some features of our website cannot be provided without the use of cookies. For these features, the browser must be recognised, even after moving to a different page; the same applies to individual settings you have made in your browser (e.g. language selection, volume). The usage data collected through technically necessary cookies is not used to create user profiles.
Analysis and marketing cookies are used to improve the quality of our website and its contents. Analysis cookies allow us to ascertain how the website is used and thus constantly optimise our service. To perform processing functions on your end device that are based on cookies or other identifiers (e.g. browser fingerprints, pixels) and are not technically necessary for our website to function, we first require your consent, which you can give using the cookie pop-up that appears when you access our website. The legal basis for this cookie-based processing is § 25(1)(1) TDDDG for the setting of cookies on your device, and Article 6(1)(a) GDPR for the subsequent processing outside of your device on our systems or the systems of our technology partners. These types of cookies are not necessary for our website to function and will not be placed until you give your consent.
On our websites, you have the option of contacting us via various communication channels. In this case, the personal data relevant to the respective communication channel and to be provided by you will be processed by us. For information on the type and scope of processing and the individual personal data concerned, please refer to the section on the communication channels relevant to this website.
It is possible to contact us via the email addresses provided on our website. In this case, the user’s personal data transmitted by email will be stored.
No data is passed on to third parties in this context. The data is used exclusively for processing the conversation.
The legal basis for processing the data transmitted via the contact form or in the course of sending an email is Article 6 (1)(f) GDPR. If the purpose of the contact is to conclude a contract, the additional legal basis for the processing shall be Article 6(1)(b) GDPR.
The processing of the personal data transmitted in the course of making contact serves us solely to process the contact. This also constitutes the necessary legitimate interest in processing the data.
We process the personal data transmitted by email solely for establishing contact with you. This is also the basis for the required legitimate interest in the processing of data.
Any other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. For the personal data sent by email, this is the case if the respective conversation with the user has ended. The conversation is deemed to be ended if it can be inferred from the circumstances that the relevant facts have been conclusively clarified.
We use Google Tag Manager to manage “website tags”. Tags are small code elements on our website that run upon certain interactions with the website and send measured data to the third party programs used (e.g. Google Analytics). The Tag Manager itself does not use cookies and does not collect any personal data. The Tag Manager triggers other tags that collect data and place cookies under certain circumstances (e.g. the third party programs used). The Tag Manager does not access this data.
Further information about Google Tag Manager, the details of data processing through these services and Google’s privacy policy can be found by visiting the links above.
The services described below are used for marketing, analysis and reach measurement purposes with the aim of making our offering more attractive. The legal basis for the data processing operations via these services is your consent given via our cookie pop-up (see above in the section Purposes and legal bases for the use of cookies and other identifiers), unless another legal basis is expressly stated in the following sections.
Our website utilises Google Analytics, a web analytics tool from Google. Google Analytics uses “cookies”, text files stored on your computer that enable analysis of how you use the website. The cookie-generated information about your use of this website is usually transmitted to and stored on a Google server in the United States.
Google will use this information on our behalf for the purposes of analysing how you use the website, compiling reports on website activity and providing further services related to website and internet use to the website operator. Google will not combine the IP address transmitted by your browser via Google Analytics with other Google data. We would also like to point out that our website uses Google Analytics with the anonymizeIP extension so that IP addresses are only processed further in an abbreviated form to prevent them being directly linked to a particular individual.
You can disable cookies by setting your browser accordingly; however, if you do this you may not be able to use the full functionality of this website. Furthermore, you can prevent collection and transfer of the data generated by cookies and relating to your use of the website (including your IP address) to Google, as well as the processing of such data by Google, by downloading and installing the browser plug-in available from the following link: https://tools.google.com/dlpage/gaoptout/eula.html?hl.
More detailed information about how Google Analytics works and the terms of use and privacy policy relevant to this service can be found in the links provided above in this section.
Google Ireland Ltd. is a subsidiary of Google LLC, based in the USA. It cannot be excluded that the data collected by Google will also be sent to the USA.
We use Microsoft Clarity (“Clarity”) on our website. Clarity is a comprehensive analysis and evaluation tool that helps us record and evaluate user activities on our website. Through clarity, for example, we can create “heat maps” of the webpages and view and analyse them via dashboards to identify and optimise content and product offers in less frequently visited areas. In addition, by recording user actions, particularly during the checkout process, we can determine the areas in which users may have difficulties getting to the next order step or performing certain actions to successfully complete the checkout process. Other purposes are listed in the table below. Your personal account data will not be processed, nor will this data be linked to the data processed via Clarity. Any other relevant personal information will be masked using appropriate settings. Clarity uses an ID (Clarity ID) to target users of our website, but no personal data is processed via this ID.
The following data is processed via the service:
Further information on the data processed can be found at https://learn.microsoft.com/en-us/clarity/setup-and-installation/clarity-data.
| Processing purposes | Process |
|---|---|
| Tracking using Clarity ID | ID-related analysis of user behaviour based upon the usage data mentioned above |
| Analysis | Evaluating user behaviour and user interaction primarily with content on our website and the products in our webshop by processing predominantly technical user data, interaction data (e.g. device, browser, OS, IP addresses) |
| Heat mapping | Aggregation of usage data to determine the areas of our websites that are used and visited particularly frequently or rarely |
| Recording of user behaviour on specific areas of our websites, in particular the checkout process | Recording of user behaviour on our webpages (e.g. clicks, scrolls, mouse movements) in pseudonymised sessions while masking numerical shop data (such as prices) and personal form fields. |
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. Data on Clarity servers, including backups, is deleted after the retention period expires and cannot be recovered. Below is an overview of the retention periods (storage duration) of the different data types:
| Clarity data type | Retention period |
|---|---|
| Click data (data on the Clarity portal or aggregated data per page such as URL, user ID and pointer distance) | 13 months |
| Playback data (recording playback data) | 30 days |
| Sessions that have been marked or favoured | 13 months |
It cannot be excluded that Microsoft, as our technology partner, also operates via server locations in the USA in order to make its cloud services available to Clarity. Microsoft Ireland Operations Limited is a subsidiary of the Microsoft Corporation, based in the USA. Therefore, it also cannot be excluded that the data collected by Microsoft will also be sent to the USA. Data transfers to the USA are secured in accordance with Article 45 GDPR via the EU-US Data Privacy Framework (DPF). For further information on Clarity, please see https://learn.microsoft.com/en-us/clarity/setup-and-installation/about-clarity.
Legal basis: consent, § 25(1)(1) TDDDG and Article 6(1)(a) GDPR
Provider’s data protection regulations: https://policies.google.com/privacy
Further information about the service: https://www.google.com/policies/technologies/ads/
Our website utilises Google’s DoubleClick Remarketing pixel and Google Ads Remarketing or “Similar Audiences” services. Using these services, we can show you advertisements associated with our online shop (e.g. interesting product offers) on the websites of other service providers that also use these Google services (“partners” in the Google Display network). Furthermore, we can use Google Ads Remarketing to place a message on the websites of other providers in the Google Display Network reminding you to complete your order if you have recently abandoned an order on our online shop. This requires the use of cookie technology.
To this end, Google stores a small file containing a sequence of numbers (“cookie ID”) in your browser to identify you as a visitor to our website and collect other anonymous data about the use of our website. The cookie ID is stored by us and used only to explicitly identify your browser and not to identify you as a person. These services are not used to collect or store your personal data.
We use Google Remarketing across multiple devices. This means, for example, that if you begin making a purchase from our online shop using your smartphone and complete it on your laptop, we can reach you with the above-mentioned personalised advertisements on the other device you use. However, this will only happen if you have given Google your consent for Google to link your web and app browsing history with your Google account, and for information from your Google account to be used to personalise the advertisements you see online. In this instance, Google uses the data of this logged-in user together with Google Analytics data to define and create audience lists for remarketing across multiple devices. Google Analytics collects this user’s Google-authenticated IDs to support this function. This data from Google is temporarily linked with our Google Analytics data to create our audiences.
Please check the privacy settings in your Google account to prevent Google linking your web and app browsing history with your Google account.
No personal data will be transmitted to Google for the purpose of displaying a message reminding you of an abandoned order on our online shop. Only the fact that you wanted to place an order on our online shop under the collected cookie ID and abandoned this order, as well as the total price of the intended order, will be transmitted to Google for this purpose (“shopping cart transfer”).
Google Ireland Ltd. is a subsidiary of Google LLC, based in the USA. It cannot be excluded that the data collected by Google will also be sent to the USA.
Further information about Google’s remarketing services, the details of data processing through these services and Google’s privacy policy can be found under https://www.google.com/policies/technologies/ads/.
Multimedia content from third parties (e.g. videos, music as streams, social media posts, maps) may be integrated into our website using technical processes (usually iFrame or JavaScript). To ensure greater data protection, we have opted for a 2-click procedure for integrating this content; this means that the content is only reloaded on the web page after a first click with your consent and is only then available to you. With a second click, you can access the content, for example, play an embedded music track or a video. Only after the first click will any data processing be triggered via our servers or those of the third-party provider. For each item of integrated content, we also point out any additional data processing that may take place by the third-party provider when the content is accessed by linking to their respective relevant data protection notices.
In addition, some of our embedded content is only available once you have given your consent via our cookie pop-up. Information about the relevant services can be found in the information provided in our cookie pop-up.
You give your consent either via our cookie dialog or directly where the respective content is accessed on our website. The legal basis is your consent in accordance with § 25(1)(1) TDDDG, if activating the embedded content requires information (e.g. cookies) to be stored on your device or if information stored on your device needs to be accessed. The relevant legal basis for subsequent processing via our servers is Article 6(1)(a) GDPR; subsequent processing by the third-party provider, which we are not responsible for, is subject to the purposes and legal bases specified by the respective third-party provider in its privacy notice.
The following content (“embeds”) is integrated on our website under the responsibility of the respective companies named as third-party providers:
Under the links mentioned above, you will also find information regarding settings for the protection of your privacy and regarding your further rights concerning the processing of your data by the respective third-party provider.
We may update this Privacy Notice from time to time. Please check our websites regularly for our current Privacy Notice.
If you have any comments or questions regarding this Privacy Notice or any other directives on this website, please contact us using the contact channels available on our website.
Last updated: 12/2024