Privacy Notice

This Privacy Notice describes how Thomann Bits & Beats GmbH (hereinafter referred to as “we” or “us”) processes and protects the data you provide us with when using our website in accordance with the General Data Protection Regulation (GDPR) and the relevant German data protection laws, in particular the German Federal Data Protection Act (BDSG).

The security of personal data such as name, address, telephone number or email, is a serious and important concern for our company. Therefore, we conduct our online activities in compliance with the respective statutory provisions relating to data protection and data security. Below, you can find the information we process.

Responsible authority, contact person for queries or exercising your rights as a data subject, contact

The responsible authority within the meaning of the data protection regulations for all data processing through our website is:

Thomann Bits & Beats GmbH, Nägelsbachstraße 33, 91052 Erlangen, Deutschland

In the event of any questions, comments, complaints or to exercise your rights as a data subject in connection with our Privacy Notice and the processing of your personal data by our websites, you can contact our Data Protection Officer directly by email (privacy@thomann.de). They will gladly take care of your data protection concerns.

Personal data / types of use

As a principle, the protection of your personal data is of highest priority for us. You decide whether or not you wish to make such data known to us, for example when using our application form or making an email enquiry. Such information on your part is relevant for your enquiry, but you provide it on a voluntary basis. An exception to this rule is when prior consent cannot be obtained for practical reasons and the processing of data is permitted by law.

If we obtain the consent of the data subject to process their personal data, Article 6(1)(a) GDPR serves as the legal basis for the processing of personal data.

When processing personal data necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) GDPR shall serve as the legal basis. This also applies to any processing required to perform pre-contractual measures.

If processing of personal data is necessary for compliance with a legal obligation to which we are subject, Article 6(1)(c) GDPR shall serve as the legal basis.

In the event that the vital interests of the data subject or of another natural person necessitate the processing of personal data, Article 6 (1)(d) GDPR shall serve as the legal basis.

If processing is necessary to safeguard the legitimate interests of our company or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR shall serve as the legal basis for processing.

Should we access your device and the information stored there or should we save information on your device as part of our processing (e.g. by using cookies), the primary legal basis is § 25(1)(1) TTDSG if we require your consent for this access, or § 25(2)(2) TTDSG if the access concerns processing that is technically absolutely necessary.

Data deletion and storage duration

The data subject’s personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Data may be stored beyond this if provisions have been made for this by the European or national legislator in Union regulations, laws or other rules to which the controller is subject. Data will also be blocked or deleted if a storage period prescribed by the standards mentioned above expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

Exchange of data / contractual relationships with partners / third parties

In addition to the types of use described above, we will transfer your data to third parties that are involved in the processing of contracts or orders. Data will only be transmitted to the extent required in order to fulfil an existing contract with you or to process an enquiry. The legal basis for this is the fulfilment of the contract concluded with you or the initiation of a contract (Article 6(1)(b) GDPR).

We will also transmit personal data to third parties where we are required to do so by law. The legal basis in this instance is Article 6(1)(c) GDPR.

Data automatically collected on our website / usage data

We welcome everybody to visit and use our website free of charge. When you visit our website, we record the following general usage data in order to assess which parts of our website you visit and how long you stay there:

  1. Information about the browser type and version used
  2. The user’s operating system
  3. The user’s IP address
  4. Date and time of access
  5. Websites from which the user’s system reaches our website
  6. The services and functions used on our website

This data is stored in log files for technical and administrative purposes as well as for IT security purposes.

The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.

The temporary storage of IP addresses by the system is required in order to enable the delivery of the website to the user’s computer. To do this, the user’s IP address must be stored for the duration of the session.

Data is stored in log files to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. These purposes are also the basis for our legitimate interests in data processing pursuant to Article 6(1)(f) GDPR.

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. If data is stored in log files, this is the case after no more than thirty days. Further storage is possible. In this case, the users’ IP addresses are deleted or distorted, so that it is no longer possible to associate them with the calling client.

The collection of data in order to provide the website and the storage of the data in log files is essential for the operation of the website. Therefore the user cannot opt out.

Cookies

Like many other commercial websites, we use the technology known as “cookies” to ensure your visit runs smoothly and so that you can use our website with all the technically necessary functions.

Technical description of cookies and usage context

Cookies are text files that are stored in the Internet browser or come from the Internet browser on the user’s computer system. When a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a distinctive string that allows the browser to be uniquely identified when the website is visited again.

Cookies cannot read any information from your computer or interact with other cookies on your hard disk. However, cookies enable us to recognise you when you revisit our website.

Only so-called transient cookies are used on our website. These are essential for technical reasons in order to be able to deliver and display the website and to provide you with essential functions for its use.

Transient cookies are automatically erased when you close your browser. In particular, these include session cookies. These store a “session ID” with which various requests from your browser can be assigned to the joint session. This enables our website to recognise your computer when you return. Sessions cookies are erased when you close your browser.

We use transient cookies to make our websites more user-friendly. Some elements on our website require the browser to be identified even after you have moved to a different page. The following transient cookies are used:

  1. thomannio_session – technically necessary session cookie
  2. XSFR-Token – technically necessary cookie for a security mechanism to protect the user from cross-site request forgery
  3. Load-balancing hash – technically necessary cookie to keep the user on our load-balancing infrastructure on the same server

The legal basis for processing personal data using technically necessary cookies is § 25(2)(2) TTDSG for the setting of such cookies on your device, as well as Article 6(1)(1)(f) GDPR, e.g. for any subsequently necessary processing on our systems.

The right to object is excluded for technically essential cookies as these are required to display the website and its contents and to make the functionalities of the website available to you.

The user data collected through technically necessary cookies is not used to create user profiles.

Contact via email

You can contact us via the email address provided on our website. In this case, we will process your personal data transmitted in the email.

No data is passed on to third parties in this context. The data is used exclusively for processing the conversation.

The legal basis for processing the data transmitted in the course of sending an email is Article 6 (1)(f) GDPR. If the purpose of the email is to conclude a contract, the additional legal basis for the processing shall be Article 6(1)(b) GDPR.

The personal data is only processed so that we can process the contact. This is also the basis for the required legitimate interest in the processing of data.

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. For the personal data sent by email, this is the case if the respective conversation with the user has ended. The conversation is deemed to be ended if it can be inferred from the circumstances that the relevant facts have been conclusively clarified.

Simple Analytics

Our website utilises Simple Analytics, a web analytics tool by Simple Analytics, Hooftlaan 4, 1401ED Bussum (“Simple Analytics”). We use Simple Analytics for the purposes of reach assessment and web analytics in order to statistically analyse usage behaviour on our website and to make our service even more attractive on the basis of these analyses. Simple Analytics gives us an overview of the extent to which our website is used in general, but not of the specific visitors to our website with individual reference to their person. Visitors to our website are neither “tracked” nor do we store any personal data about them.

Simple Analytics is used without us having to access any personal data or even your device. We also do not use cookies, fingerprinting or other technologies for which an “identifier” would have to be stored on your device or which would require access to information stored on your device. Simple Analytics thus functions completely “cookieless” and therefore does not require your consent. In order for us to use Simple Analytics as a web analytics tool in a meaningful way and to enable us to generate non-personal analyses, we rely entirely upon data that the web server reports back to us anyway each time our website is accessed and that we store in log files, e.g. for reasons of IT security. The data that is relevant to and processed by Simple Analytics can be found at https://docs.simpleanalytics.com/data-points.

Your IP address, which is usually processed by most common web analytics tools, is also not processed, collected or stored by Simple Analytics. Although the IP address is also relevant to each visit to our website and is also processed by us, we have implemented the appropriate code from Simple Analytics on our website that “separates out” the IP address before the data relevant to reach assessment and web analytics is transmitted to Simple Analytics. This form of IP address anonymisation is performed in our and your legitimate interest in order to be able to carry out web analytics via Simple Analytics completely without reference to persons and without access to your device. The legal basis for the anonymisation of website visitors’ IP addresses is Article 6(1)(f) GDPR. The further processing of non-personal analytics data is carried out in a way that does not affect data protection.

More detailed information about the function of Simple Analytics and the privacy policy relevant to this service can be found under https://docs.simpleanalytics.com/gdpr, https://docs.simpleanalytics.com/what-we-collect and https://simpleanalytics.com/privacy-policy.

Applications

We have included an application form on our website that you can use to apply online for vacancies advertised by us. You can also use the application form to upload your application documents and send them to us, specifying the data relevant to your application.

Purposes of processing

We process the data you provide to us when you submit the application form in order to check your suitability for the position and to conduct the application process.

We only process information that is essential for the specific application and its completion.

Categories of data in the application process

The categories of personal data processed include the data you voluntarily provide to us with your application, such as first name and surname, as well as your contact details (private address, (mobile) phone number and email address). This may also include special categories of personal data such as your religious affiliation if you have indicated this, for example, in your curriculum vitae.

The processing is carried out primarily for the purpose of handling the application process and initiating an employment relationship, although this does not result in any right to the conclusion of such an employment relationship. The primary legal basis for the processing is Article 6(1)(b) GDPR in conjunction with § 26(1) BDSG.

If special categories of personal data are processed in accordance with Article 9(1) GDPR, this is done exclusively in order to process your application and for the subsequent selection procedure within the scope of the application process. The legal basis for this is Article 9(2)(b) GDPR.

If we wish to process your personal data for a purpose not mentioned above, we will inform you of this in advance.

Recipients of the data

Once you have applied for an advertised position, only the HR department and the department that advertised the position will have access to your data, unless you have expressly consented to your data being passed on to other recipients. If you have submitted a speculative application, your details will be made available to the departments whose vacancies clearly match your applicant profile.

To conduct the application process, we use the application tool provided by our technology partner Recruitee B.V., Keizersgracht 313, 1016 EE Amsterdam, Netherlands (“Recruitee”). Recruitee provides the application form for integration into our website and electronically supports the online application process and the internal management of applications. We have contractually obligated Recruitee to comply with data protection requirements via a corresponding data protection agreement on commissioned data processing.

Storage period and deletion

In the event of employment, all data will be transferred to your personnel file or to our personnel information system. If your application is unsuccessful, your data will be completely deleted after six months or stored in our applicant pool for a period of two years if you have separately agreed to this.

Rights as a data subject

If your personal data is processed, you are a data subject as defined in the GDPR and you have the following rights with regard to the controller:

  1. Information, rectification, restriction and deletion You have the right to access the data stored about you and information concerning its origin, recipient and the purpose of data processing by our website free of charge at any time. In addition, you have the right to rectify, delete or restrict the processing of your personal data, provided the legal requirements to do so are met. Details can be found in the relevant statutory provisions, Articles 15 to 19 GDPR.

  2. Right to data portability You have the right to receive the personal data concerning you that you have provided to us as the controller, in a structured, commonly used and machine-readable format. We can comply with this right by providing a csv export of the customer data processed about you.

  3. Right to information If you have exercised your right to rectification, deletion or restriction of processing against the controller, the controller is obliged to notify all recipients to whom your personal data has been disclosed of this rectification or deletion of data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort. You have the right to be informed about these recipients by the controller.

  4. Right to object You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you that is based upon point (e) or (f) of Article 6(1) GDPR, including profiling based upon those provisions. The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

  5. Revocability of declarations of consent under data protection law You may also revoke your consent with regard to us at any time with effect for the future using the contact details below.

  6. Right to lodge a complaint with a supervisory authority Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

Updates to this Privacy Notice

We may update this Privacy Notice from time to time. Any changes will be displayed on the website. If you have any comments or questions regarding this Privacy Notice or any other guidelines on this website, please contact us in writing.

Our offices

Remote. Distributed. Together.

Work from home or any of our offices. Our team is 100% remote and will stay this way. You need a stable internet connection and your laptop.

Treppendorf

Our Thomann headquarters. Just a few minutes drive outside of Bamberg. Come by to visit our shop or meet with colleagues apart from tech & data.

Berlin

Our thomann.io office in the heart of Berlin. Easily reachable at Rosenthaler Platz. Perfect for workshops and team building.

Erlangen

Our thomann.io office in Nuremberg's metropolitan area. Just a few minutes by foot from Erlangen station. Nice, quiet location to do some deep work.

Our thomann.io Blog

May 13, 2022 - Ralph Cibis

Thomann.io goes Cyberpunk

We went fully cyberpunk! Our branding community's last side and heart project.

Jan 3, 2022 - David Beuchert

DIY software: Why it's the one and only way to do it and everyone else is wrong

My provoking approach wooing for more in-house development.

Dec 8, 2021 - Nadine

Going fully responsive

Why we redesigned our shop - and why purple's the new blue.

Oct 18, 2021 - Julia Manger

Open Space 2021

Summer 2021 - Home office, lockdown, a fourth wave and: huh?! An Open Space!

Aug 6, 2021 - Stefan Stammler

Bits, Beats, Ops-Team

Someone needs to bring our shop online. This is our mission.

Jul 7, 2021 - Ralph Cibis

Hello, Webteam

We are the Thomann Web Team. We create thomann.de and the Thomann App.

Jan 27, 2021 - Nadine

What Kan Kanban do

The idea behind moving cards - with a crispy epilogue.

Oct 11, 2020 - Julian Kern

ThomannUI: Der Beginn einer Component Library

Ein Einblick in die Component Library auf Basis von React von Julian Kern

Sep 7, 2020 - Francesco

Guitars to Oslo or: The Art of Offering the Right Shipping Methods

Our developer Francesco provides you with behind the scenes insights

Jul 14, 2020 - Thomas Tischner

How Thomann is mastering the move to Kubernetes

Our Sysadmin Thomas tells you from his day-to-day work

Dec 9, 2019 - Julian Kern

thomann.io v2

Frisch aus dem Kühlregal: Hier ist das neue Frontend!

Nov 4, 2019 - Domi

Thomann Dev Camp 2k19

This year under the Slogan "ready for our collective take-off".

Aug 24, 2018 - Julia Manger

Das Thomann Dev Camp

Wir wissen, was das Dev Team letzten Sommer gemacht hat. Ein Einblick.

Severe case of I-wanna-work-with-you?

...or any questions to us? Give Anni a call!

Welcome to Treppendorf, welcome to Thomann Music

We're inspiring and enabling people to speak music, everywhere. 24/7.