We, Sonoton Music GmbH & Co. KG, Schleibingerstraße 10, 81669 Munich, telephone +49 89 447782-0, e-mail: sonoton@sonoton.com (hereinafter „Sonoton“), inform you here about how we process personal data.
You can reach our data protection officer at sonoton@activemind.de or by post at:
Datenschutzbeauftragter der Sonoton GmbH & Co. KG
c/o activeMind AG
Potsdamer Str. 3
80802 München
Below we have compiled the most important information on the typical data processing operations separated into groups of data subjects. For certain data processing operations that concern only specific groups the duty to provide information is complied with separately.
As far as the term “data” is used in the text, it refers merely to personal data as defined in the GDPR (General Data Protection Regulation).
1. Website visitors
1.1 Our web server processes a range of data for each request, which your browser automatically transmits to our web server. This includes the IP address allocated to your device, the date and time of the request, the time zone, the specific page or file accessed, the http status code and the amount of data transmitted as well as the website from which your request originated, the browser used, the operating system of your device and the language used. The web server uses these data to make the contents of this website available on your device in the best possible way.
1.2 We use Google Analytics, a web analytics service of Google Inc. (“Google”). Google Analytics uses so-called “cookies“, i.e. text files, which are stored on your device and enable us to analyse your website behaviour. Information about your website behaviour generated in such cookies is usually transferred to a web server of Google in the USA and is stored there. For this website, IP anonymisation has been activated, therefore Google anonymises your IP address prior to the transfer of data to the USA if access to the website originated from within the European Union or another country of the European Economic Area. In rare cases, full IP addresses may be transferred to a Google server in the USA and is then anonymised there.
Google uses this information as a processor pursuant to Art. 28 GDPR to analyse your visitor behaviour, to provide reports about website activities and to provide further services in relation to website use and Internet use to the website operator. The IP address transferred by your browser within Google Analytics is not combined with other data of Google.
You may prevent the storage of cookies by using appropriate settings in your browser software. You may prevent the recording of data generated by the cookie and associated with your use of the website (including your IP address) and the processing of these data by Google by downloading and installing the available browser plugin. Alternatively, you may also store a so-called “opt-out cookie” to prevent future analysis of your visitor behaviour.
1.3 The purpose of the data processing is the presentation of Sonoton on the Internet, the provision of information about activities and offerings, the licensing of music as well as communication with interested parties. The purpose of analysing the user behaviour on the website is the needs-oriented design of the website.
1.4 The legal basis for the processing is Article 6 (1) lit. f) GDPR, specifically our legitimate interest in the presentation of Sonoton, the offerings of music, the provision of information to website visitors, communication with interested parties as well as our interest in the needs-oriented design of the website and safeguarding of IT security.
1.5 Log and communications data are not passed on to third parties except under special circumstances. If there is suspicion of a crime or in investigation proceedings, data may be transmitted to the police and the department of public prosecution. For processing, we use processors to perform services, in particular to provide, maintain and support IT systems and to host our websites.
1.6 IP addresses are anonymised after 24 hours at the latest. Pseudonymous usage data are deleted in each case after three months. Communication content is deleted after six calendar years.
1.7 Without disclosure of personal data, e.g. the IP address, use of the website is not possible. Communication via the website without providing data is not possible. Use of the website is also possible if the user has objected to pseudonymous usage analysis.
2. Customers, contact persons at customers, interested parties
2.1 We process your data for the purpose of establishing and performing the contractual relationship as well as for management of your licences and fulfilment of legal requirements. Directly before concluding the contract we carry out a credit investigation. There are no plans to change these purposes.
2.2 In the case of contracts with natural persons the legal basis for processing is Article 6 (1) lit. b) GDPR (preparation and performance of the contract), in the case of contracts with legal entities it is Article 6 (1) lit. f) GDPR (legitimate interest, specifically communication with contact persons relevant to the contract), as well as always Article 6 (1) lit. c) GDPR (legal obligations, in particular tax and commercial law regulations). For the examination, enforcement or rejection of claims the legal basis is Article 6 (1) lit. f) GDPR (legitimate interest, specifically enforcing or defending claims). As far as data are processed when using online systems, the legal basis is additionally Article 6 (1) lit. f) GDPR (legitimate interest, specifically safeguarding of IT security). The credit investigation is performed on the basis of Article 6 (1) lit. f) GDPR (legitimate interest, specifically investigation of the financial standing of contractual partners).
2.3 Recipients of data may include banks for the processing of payments. Public authorities and offices may receive data within the scope of their duties, insofar as we are obliged or entitled to transmit data. Moreover, in specific cases, data may be transmitted to collection service providers, lawyers and courts. When moving into a new house, tenant data (name, address) are disclosed to the local public utility once only. If there is suspicion of a crime or in investigation proceedings, data may be transmitted to the police and the department of public prosecution. In the event of a credit investigation Schufa Holding AG receives your identification data (name, date of birth and current address). Furthermore, for processing, we use processors to perform services, in particular to provide, maintain and support IT systems.
2.4 All contractual data and data relevant for accounting are stored for ten years after the end of the contract in accordance with the retention periods under tax and commercial law. Enforcement titles of the court are stored for 30 calendar years unless the claim is settled before.
2.5 The provision of data is obligatory for customers both by law and by contract. Without the provision of data the contractual relationship cannot be established and performed.
3. Recipients of newsletters, invited persons and participants in events
3.1 We process your data for the purpose of sending the newsletter, the invitation for events and for the purpose of performing the event.
3.2 The legal basis for the processing of data for newsletters and invitations is Article 6 (1) lit. f) GDPR (legitimate interest, specifically communication with the customer) if you are customer or contact partner of a customer, otherwise it is your consent (Article 6 (1) lit. a) GDPR). If you have registered for an event, the legal bases are Article 6 (1) lit. b) GDPR (contract for the performance of the event) as well as Article 6 (1) lit. c) GDPR (legal obligations, in particular tax and commercial law regulations).
3.3 For processing, we use processors to perform services, in particular to provide, maintain and support IT systems.
3.4 All contractual data and data relevant for accounting are stored for ten years after the end of the contract in accordance with the retention periods under tax and commercial law. Data regarding newsletters are deleted when unsubscribing from the newsletter.
3.5 The provision of data is contractually obligatory to receive newsletters and invitations as well as to participate in events. Without the provision of data newsletters and invitations cannot be sent out and participation in events is not possible.
4. Candidates for employment
4.1 The purpose of the processing is the selection of candidates for employment. There are no plans to change these purposes.
4.2 The legal basis is section 26 BDSG ?Federal Data Protection Act? in connection with Article 6 (1) lit. b) (initiation of the employment contract) and Article 88 GDPR.
4.3 Candidate data are transmitted internally to the competent and decision-taking employees. Furthermore, for processing, we use processors to perform services, in particular to provide, maintain and support IT systems.
4.4 The data are deleted three months after the end of the application procedure. If a candidate is interested also in other positions, the data remain stored for up to 12 months.
4.5 The provision of personal data is required for review of the application and, possibly, subsequent conclusion of an employment contract. Without the provision of personal data an application cannot be considered.
5. Service providers, suppliers and their employees
5.1 The purpose of the processing is the preparation and performance of the respective contracts with the service providers or suppliers. There are no plans to change these purposes.
5.2 In the case of contacts with natural persons the legal basis for processing is Article 6 (1) lit. b) GDPR (preparation and performance of the contract), in the case of contracts with legal entities it is Article 6 (1) lit. f) GDPR (legitimate interest, specifically communication with contact persons relevant to the contract), as well as always Article 6 (1) lit. c) GDPR (legal obligations, specifically tax and commercial law regulations). For the examination, enforcement or rejection of claims the legal basis is Article 6 (1) lit. f) GDPR (legitimate interest, specifically enforcing or defending claims).
5.3 Contact and contract data may be transmitted to other service providers and suppliers as well as offices and public authorities, as far as this is required in order to perform the contract or order. Furthermore, for processing, we use processors to perform services, in particular to provide, maintain and support IT systems.
5.4 Data of contractual partners, service providers and customers are deleted 10 calendar years after the end of the contract or order.
5.5 Processing of the contact data of service providers, business partners and customers is required in order to perform the contract or order. If the data are not provided, communication in the course of performance may be considerably disturbed.
1. Data are not transmitted to third countries.
2. We do not use any processes for automated individual decision-making.
3. You have the right at any time to request access to your personal data processed by us.
4. If your personal data are inaccurate or incomplete, you have the right to have them rectified and amended.
5. You may at any time request erasure of your personal data unless we are legally obliged or entitled to further process your data.
6. Upon compliance with statutory requirements you may request restriction of processing of your personal data.
7. You have the right to object to processing, as far as processing is done for the purpose of direct mailing or profiling. If processing is done on the basis of balancing different interests, you may object to processing on grounds relating to your specific situation.
8. If data processing takes place on the basis of your consent or within the framework of a contract, you have the right to portability of the data you provided unless this affects the rights and freedoms of other persons.
9. As far as we process your data on the basis of your consent, you have the right at any time to withdraw such consent with effect for the future. Processing carried out prior to withdrawal of consent shall remain unaffected by such withdrawal.
10. Moreover, you may at any time lodge a complaint with a supervisory authority for data protection if you feel that your data have been processed in violation of applicable law.
As at May 2018