Privacy policy (GDPR)

 

All data that you submit to us are of course treated in the strictest confidence. We do not generally pass on your data to others for processing unless you have agreed to this or we are required to do so due to a court or government order. We have set up our website so that the minimum possible personal data is collected, processed and used.

I.             Name and contact details of the data controller

The data controller in terms of GDPR, other member states’ national data protection laws and other data protection regulations is:

Peermusic Classical GmbH

Sierichstraße 39

22301 Hamburg

Germany

Tel.: +49 40 278 379-0

Fax: +49 40 278 379-40

Email: info@peermusic-classical.de

Website: https://www.peermusic-classical.de

 

II.            Name and contact details of the data protection officer

A data protection officer has not been assigned or appointed - Article 37 of GDPR specifies that this is not strictly necessary.

If you have questions or comments about data protection or wish to withdraw consent or request information, the following contact is available at any time:

Judith Coley

General Manager

Sierichstraße 39

22301 Hamburg

Germany

Tel.: +49 40 278 379-19

Fax: +49 40 278 379-40

Email: jcoley@peermusic.com

 

III.           Data processing

1.            Scope of personal data processing

We generally only process our users’ personal data if this is required to provide a fully functional website, content or services. We usually process our users’ personal data with their consent. Exceptions to this are cases where it is not possible to obtain previous consent for practical reasons, processing data is authorised by legal provisions or another reason in accordance with Article 6 of GDPR is given.

2.            Legal basis for processing personal data

Provided that we obtain a person’s consent for processing their personal data, the legal basis is Article 6, paragraph 1, point (a) of the EU General Data Protection Regulation (GDPR).

When processing personal data is required to fulfil a contract, with one of the parties being the person concerned, Article 6, paragraph 1, point (b) of GDPR is the legal basis. This also applies to data processing required to implement precontractual measures.

If the processing of personal data is required to fulfil a legal obligation to which the company is subject, Article 6, paragraph 1, point (c) of GDPR is the legal basis.

In the event that the vital interests of the person concerned or another natural person require the processing of personal data, Article 6, paragraph 1, point (d) of GDPR is the legal basis.

If processing is required for the purposes of the legitimate interests of our company or a third party and the interests or fundamental rights and freedoms of the person concerned do not override the first-mentioned interests, Article 6, paragraph 1, point (f) of GDPR is the legal basis for data processing.

 

3.            Data erasure and storage period

Personal data on the person concerned are deleted or disabled as soon as the purpose of the storage no longer applies. Data can also be stored if this is provided for by European or national laws, statutes or regulations to which the data controller is subject. Data is also disabled or deleted if a predetermined storage period expires unless we are required to retain data for longer to conclude or fulfil a contract.

4.            Changes to the purpose of processing and using data

As our processing method can change/develop due to technical developments and organisational changes, we reserve the right to update the current privacy policy according to new technical requirements. If you do not consent to changes made over time, Article 17 of GDPR stipulates that you may make a written request for the deletion of data that is not stored in accordance with other legal requirements, such as commercial and tax law.

IV.          Data collection, processing and use when using our website

1.             LOG FILES

Every time our website is accessed, our system automatically collects data and information from the system of the device concerned.

The following data are collected:

           IP address

           The access time and date

           Time difference to Greenwich Mean Time (GMT)

           Content of the request (the specific page)

           Access status/HTTP status code

           Data volume transferred

           The website making the request

           Browser

           Operating system and its interface

           Browser software language and version.

 

The data are also stored in our system’s log files. However, these data are not stored with other personally identifiable user data.

The legal basis for the temporary storage of these data and log files is Article 6, paragraph 1, point (f) of GDPR.

The temporary storage of IP addresses by our system is required to allow web pages to display on the user's device. The user’s IP address must therefore be stored for the duration of the session. Data is stored in log files to ensure that the website runs at full functionality. These data also help us to optimise the website and ensure the security of our IT systems. These data are not evaluated for marketing purposes.

We also have a legitimate interest in data processing in these circumstances according to Article 6, paragraph 1, point (f) of GDPR.

The data are deleted as soon as they are no longer required for the purpose that they were collected for. When collecting data to provide the website, this applies once the respective session has ended.

When data is stored in log files, this applies after seven days at the latest. Data can also be stored beyond this. In this event, users’ IP addresses are deleted or anonymised so that the device accessing the website can no longer be identified.

Collecting data to provide the website and storing data in log files are vital for the website’s operation. As a result, the user is not entitled to refuse this.

2.            COOKIES

Our website uses cookies. Cookies are text files that are stored in the internet browser or the browser on the user’s computer system. A cookie can be stored on the user’s operating system when a user accesses a website. This cookie contains a string of characters which enables the browser to be identified when the website is accessed again.

We use cookies to make our website more user-friendly. Some elements of our website require the browser to be identified even after changing pages.

The following data and information are stored in cookies:

 

Login information

Language settings

Search terms entered

Information about the number of visits to our website and the use of individual functions.

 

The website uses the following types of cookies, whose scope and functioning are detailed below:

Transient cookies: transient cookies, and particularly session cookies, are automatically deleted when you close your browser. These cookies save your session ID, which identify different page call-ups during the same session. This enables your device to be recognised when you return to our website. Session cookies are deleted when you log out or close your browser.

Persistent cookies: persistent cookies are automatically deleted after a specified time period, which can vary for different cookies. You can delete cookies in your browser's security settings at any time.

The legal basis for processing personal data when using cookies is Article 6, paragraph 1, point (f) of GDPR.

The purpose of technically necessary cookies is to make using websites easier and more user-friendly. Some of our website’s functions cannot operate without using cookies. This requires the browser to be identified again after the page is changed.

We also have a legitimate interest in processing personal data in these circumstances according to Article 6, paragraph 1, point (f) of GDPR.

Cookies are stored on the user’s device and transferred to our site. This means that you have full control of your use of cookies. You can configure your browser settings as you wish and refuse third-party cookies or all cookies, for example, but please be aware that you may not be able to use all features of the website as a result. We use cookies to identify you for subsequent visits if you have an account with us. Otherwise, you will have to log in again for every new visit. By changing the settings in your internet browser, you can deactivate or restrict the transfer of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, you may no longer be able to fully use all of its features.

The transfer of Flash cookies cannot be prevented via your browser settings, but by changing Flash Player's settings.

3.            NEWSLETTER

You can sign up for our newsletter, where we will send you updates on our latest offers. The products and services are named in your declaration of consent.

To sign you up for our newsletter, we need to implement a double opt-in process. This means that we will send an email to your registered email address after you have registered to ask you to confirm that you still wish to receive the newsletter. If you do not confirm your registration within 24 hours, your details will be disabled and automatically deleted after a month. We also store your IP address and the time that you signed up and confirmed your registration. The purpose of this is to establish your registration and resolve any potential misuse of your personal data.

The only details you are required to submit to receive our newsletter are your email address. Submitting other, separately selected data is voluntary and used to address you personally. Subject to your consent, we store your email address to send you our newsletter. The legal basis for this is Article 6, paragraph 1, point (a) of GDPR.

You can revoke your consent to receive our newsletter and unsubscribe at any time. You can unsubscribe by clicking on the link in every newsletter, via email at info@peermusic-classical.de or by sending a message using the contact details on the Imprint section on our website.

Please note that we assess your user behaviour when sending our newsletter. This means that the emails we send contain web beacons and/or tracking pixels, which display a 1x1 pixel graphic which is stored on our website. We link the named data and web beacons with your email address and an individual ID for our assessment. The data are always collected and pseudonymised, so IDs are not linked to your other personal data and direct identification cannot be made.

You can decline this tracking at any time provided that you contact us in another way. The information is stored as long as you are signed up for the newsletter. After you unsubscribe, we will store your data in a purely statistical and anonymous manner.

4.            REGISTRATION/ONLINE SHOP

If you would like to order something from our online shop, we need you to submit the personal data we need to fulfil your order and conclude our agreement. Mandatory details are marked, other details are optional. We process the data you submit to fulfil your order. This enables us to transfer your payment details to our bank. The legal basis for this is Article 6, paragraph 1, point (b) of GDPR.

You can set up an account voluntarily so that we can store your details for future purchases. By creating an account under Create New Account, the details you submit are stored but can still be deleted. You can delete any further data, including your account, at any time.

We can also process the data you submit to send you information about other interesting products in our range or provide technical information via email.

We are required by commercial and tax law to store your address, payment and order details for a period of ten years. However, if you have not consented to us using your data (e.g. newsletter registration, see above), we will restrict data processing after two years and only use your data to comply with legal requirements.

Our order process is encrypted by TLS technology to prevent unauthorised access to your personal data, specifically financial data, by third parties.

 

5.            RENTAL MATERIAL ORDER FORM/EMAIL CONTACT

There is a contact form on our website, which you can use to get in touch with us electronically. If a user decides to do so, the data entered in the form are transferred to us and stored. These data are:

User name

Email address

 

You can also rent sheet music via the order form available to download on our website. We use the data you submit to fulfil your order. To do this, we pass your address on to a shipping company and your payment details to our bank, where necessary. We delete them after the agreement has been concluded and commercial and tax retention requirements have elapsed. These data are:

User name

Email address

Delivery address
Billing address

 

The following data is stored when the message is sent:

The user’s IP address

The time and date of registration


Your consent to data processing is collected at the dispatch stage and you are referred to this privacy policy. Alternatively, we can also contact you via your registered email address. In this case, we store the user’s personal data transferred via email.

We do not pass these data on to third parties in this instance. The data are exclusively used to process the conversation.

The legal basis for processing these data with the consent of the user is Article 6, paragraph 1, point (a) of GDPR. The legal basis for processing data transferred via email is Article 6, paragraph 1, point (f) of GDPR. If email contact is made after a contract is concluded, the legal basis for processing is also Article 6, paragraph 1, point (b) of GDPR.

The processing of personal data from the input mask only helps us to facilitate contact. If contact is made via email, the required legitimate interest relies on the processing of data.

Other personal data processed during the dispatch process help to prevent misuse of the contact form and ensure the security of our IT systems.

The data are deleted as soon as they are no longer required for the purpose that they were collected for. This applies to personal data from the input mask of the contact form and personal data sent via email when the respective conversation with the user has ended. The conversation is deemed ended when it can be concluded that the issue has been conclusively settled.

Additional personal data collected during the dispatch process are deleted after seven days at the latest.

The user can revoke consent to the processing of his or her personal data at any time. If the user contacts us via email, he or she can decline the storage of personal data at any time by using the contact details above. In this case, the conversation cannot be continued. All personal data stored during the contact are then deleted.

6.            Exporting and processing data in countries outside the European Economic Area and social plugins

Merely using our website will not mean the export of your personal data in countries outside the European Economic Area (EEA) unless this is required to fulfil a contract with you (Article 6, paragraph 1, point (b) of GDPR).  In the event that we outsource specific parts of our data processing (order processing), we ensure that the processing entity is contractually obliged to only use personal data in line with the requirements of data protection legislation and ensure that your rights are protected.

However, if you are logged into Facebook or have a Twitter or Instagram account, for example, personal data can be exported to the USA, as follows:

When using social media plugins, third-party cookies or Google Fonts, a direct connection between the user and the respective service in the USA is created, containing the user’s IP address and information about the page being visited. This direct link means that we have no control over the data collected and can only provide information about this to the best of our knowledge. We do not pass on any further information to these networks.

Facebook/Facebook Like button 

Our website uses plugins by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (Facebook). When using websites with this plugin, the data collected are transferred to Facebook servers, specifically which of our web pages you have visited. An overview of Facebook plugins is available
here: developers.facebook.com/docs/plugins/. If you are logged into Facebook, the information transferred from Facebook will be associated with your Facebook account. Other functions of the plugin and your Facebook account are also used for this (e.g. by clicking the Like button or writing a comment). Please note that we have no knowledge of the content of the data transferred to Facebook and how they are used. Information about how data are used by Facebook and your current rights and options for protecting your privacy is available in Facebook's data policy. 
https://www.facebook.com/policy.php.

Twitter

You can share our articles on Twitter if you have an account by clicking the Tweet button. More information how Twitter uses data is available via the following link: https://twitter.com/privacy.

YouTube

Where necessary, we use plugins by Google-owned site YouTube on our website. The site operator is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. When you visit one of our pages with a YouTube plugin, a connection to the YouTube servers is created and the YouTube server receives information about which of our web pages you have visited. If you are logged into your YouTube account, YouTube can directly associate your surfing behaviour with your personal profile. You can prevent this by logging out of your YouTube account. More information about how user data is handled is available in YouTube's Privacy Policy at: https://policies.google.com/privacy.

MailChimp

We send our newsletter via MailChimp, a service provided by The Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.

The email addresses of our newsletter subscribers and other data outlined here are stored on MailChimp servers in the USA. MailChimp uses this information to send and evaluate the newsletter on our behalf, and can also use these data to optimise and improve its own services, e.g. to optimise sending from a technical perspective or how the newsletter is displayed, or for commercial purposes, such as determining which countries the subscribers are in. However, MailChimp does not use the details of our newsletter subscribers to contact them itself or pass the data on to third parties.

We trust the reliability and IT and data security of MailChimp. MailChimp is certified under the EU-US Privacy Shield framework and therefore adheres to EU data protection guidelines. We have also concluded a data processing agreement with MailChimp, under which MailChimp pledges to protect our users’ data, process data on our behalf in accordance with data protection regulations and explicitly not pass on details to third parties. MailChimp’s privacy policy is available here: https://mailchimp.com/legal/privacy/.

Using Google Fonts

We use external fonts, Google Fonts, on our website. Google Fonts is a service run by Google Inc. (Google). These fonts are integrated via a server call, generally to a Google server in the USA, and information about which of our web pages you have visited is sent to the server. Google also stores the IP address of the browser on the user’s device. More information is available in Google's Privacy Policy here: https://policies.google.com/privacy

The legal basis for processing personal data when using social media plugins is Article 6, paragraph 1, point (f) of GDPR.

We provide the services of the above-mentioned company on our website to enable users to connect with us and stay up-to-date with the latest news and information.

Information about the storage period and the deletion of data collected by the above-mentioned companies is available in their respective privacy policies. This also applies to refusal and removal options.

V.            Analytics

Google Analytics

To ensure need-based design and the continual optimisation of our website, we use Google Analytics, a web analysis service provided by Google Inc. (https://www.google.com/about/) (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, hereinafter Google). This service creates pseudonym user profiles and uses cookies. Information about your site usage collected by cookies, such as

·         Browser type/version,

·         Operating system,

·         Referrer URL (the previously visited site),

·         Host name of the accessing computer (IP address), and

·         Time of the server request

are transferred to a Google server in the USA and stored there. This information is used to evaluate website usage, compile reports on website activity and deliver services related to website and internet usage for market research and the needs-based design of this website. This information may also be passed on to third parties, provided that it is legally required or the third parties process these data on our behalf. Under no circumstances will your IP address be merged with other Google data. IP addresses will be anonymised to prevent them being identified (IP masking).

You can prevent cookies being installed via your browser settings, but please be aware that this may mean that you are not able to use all features of the website.

You can also prevent data about your use of the website (including your IP address) being created by cookies and processed by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout).

As an alternative to a browser add-on, particularly for browsers on mobile devices, you can also deactivate Google Analytics via https://tools.google.com/dlpage/gaoptout?hl=en. This sets an opt-out cookie that prevents your data being captured when you visit this website in the future. The opt-out cookie will be stored on your device and only applies when using the browser concerned and only when visiting our website. If you delete cookies in your browser, you will have to set the opt-out cookie again.

More information about data protection in relation to Google Analytics is available on its help site (https://support.google.com/analytics/answer/6004245?hl=en).

VI.          External links

Our website contains links to third-party websites. If this is not clearly identifiable, please note that it is an external link. The responsible authority has no control over the content or design of external sites. The guarantees in this privacy policy do not therefore apply to external providers.

VII.         Rights of the data subject

If your personal data is processed, you are a data subject as far as GDPR is concerned and you have the following rights in respect of the data controller:

1.            Right of access

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed.

Where that is the case, you can request access to the personal data and the following information:

(1)        The purposes of the processing,

(2)        The categories of personal data being processed,

(3)        The recipients or categories of recipient to whom the personal data have been or will be disclosed,

(4)        The envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,

(5)        The existence of the right to request rectification or erasure of your personal data, the restriction of the processing of personal data by the data controller or to object to such processing,

(6)        The right to lodge a complaint with a supervisory authority,

(7)        Where the personal data are not collected from you, any available information as to their source,

(8)        The existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4 of GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

You have the right to be informed whether your personal data have been transferred a third country or to an international organisation. In this event, you have the right to request information on the appropriate safeguards pursuant to Article 46 of GDPR relating to the transfer.

2.            Right to rectification

You have the right to the rectification of inaccurate or incomplete personal data by the data controller. The data controller must do this immediately.

3.            Right to request the restriction of data processing

You have the right to request the restriction of processing of your personal data where one of the following applies:

(1)        You contest the accuracy of your personal data for a period that enables the controller to verify the accuracy of the personal data,

(2)        The processing is unlawful, you oppose the erasure of your personal data and request the restriction of their use instead,

(3)        The controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims,

(4)        You have objected to processing pursuant to Article 21, paragraph 1 of GDPR and have not yet verified whether the legitimate grounds of the controller override yours.

If processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted in line with the above conditions, you shall be informed by the controller before the restriction of processing is lifted.

4.            Right to erasure

a)            Duty of erasure

You have the right to request that the controller erases your personal data without undue delay and the controller must erase your personal data without undue delay where one of the following grounds applies:

(1)        Your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,

(2)        You withdraw consent on which the processing is based according to point (a) of Article 6, paragraph 1 or point (a) of Article 9, paragraph 2 of GDPR, and there are no other legal grounds for the processing,

(3)        You object to the processing pursuant to Article 21, paragraph 1 of GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21, paragraph 2 of GDPR,

(4)        Your personal data have been unlawfully processed,

(5)        Your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject,

(6)        Your personal data have been collected in relation to the offer of information society services referred to in Article 8, paragraph 1 of GDPR.

b)            Information held by third parties

Where the controller has made your personal data public and is obliged to erase it pursuant to Article 17, paragraph 1 of GDPR, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that you have requested the erasure of any links to, or copy or replication of, those personal data.

c)            Exceptions

Your right to erasure does not apply to the extent that processing is necessary:

(1)        For exercising the right of freedom of expression and information,

(2)        For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,

(3)        For reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9, paragraph 2 and Article 9, paragraph 3 of GDPR,

(4)        For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89, paragraph 1 of GDPR in so far as the right referred to in point a) is likely to render impossible or seriously impair the achievement of the objectives of that processing or

(5)        For the establishment, exercise or defence of legal claims.

5.            Right to information

If you have exercised your right to the rectification, erasure or restriction of processing by the controller, he or she must inform all recipients whom the personal data were disclosed to of this rectification or erasure of data, unless this is not possible or requires disproportionate effort.

You are entitled to be informed by the controller of these recipients.

6.            Right to data portability

You have the right to receive the personal data which you have provided to a controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(1)        The processing is based on consent pursuant to point (a) of Article 6, paragraph 1 or point (a) of Article 9, paragraph 2 of GDPR or on a contract pursuant to point (b) of Article 6, paragraph 1 and

(2)        The processing is carried out by automated means.

In exercising your right to data portability, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This must not impair the rights and freedoms of others.

The right to data portability does not apply to the processing of personal data required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7.            Right of objection

On grounds related to your individual situation, you have the right to object to the processing of your personal data at any time in accordance with point (e) or (f) of Article 6, paragraph 1 of GDPR, including profiling based on those provisions.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

8.            Right to withdraw your declaration of consent

You are entitled to withdraw your declaration of consent at any time. Withdrawing consent does not affect the legality of the processing up to point of consent being withdrawn.

9.            Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision:

(1)        Is necessary for entering into or executing a contract between you and a data controller,

(2)        Is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests or

(3)        Is based on your explicit consent.

However, these decisions shall not be based on the special categories of personal data referred to in Article 9, paragraph 1 of GDPR, unless point (a) or (g) of Article 9, paragraph 2 applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller to express his or her point of view and to contest the decision.

10.          Data security

We make every effort to ensure the security of your data in line with current data protection legislation and technical possibilities.

We transfer your personal data in an encrypted manner. This applies to both your orders and your customer login. We use the SSL (secure sockets layer) coding system, but please be aware that data transfer via the internet (e.g. email communication) can result in security breaches. Watertight protection of data from third-party access is impossible.

To safeguard your data, we implement technical and organisational measures in accordance with Article 32 of GDPR, which we constantly adjust to comply with developments in technology.

We also cannot guarantee that our services will be available at any given time: malfunctions, interruptions or breakdowns cannot be ruled out. The servers we use are regularly secured.

11.          Right to lodge a complaint with a supervisory authority

Regardless of any other administrative or judicial remedy, you are entitled to lodge a complaint with a supervisory authority, particularly in your member state, at your place of work or at the location of the alleged infringement, if you are of the view that the processing of your personal data contravenes GDPR.

The supervisory authority that handles your complaint will inform the complainant about the status and result of the complaint, including the possibility of a judicial remedy in accordance with Article 78 of GDPR.