Privacy Policy (Summary)

This is a very simple and highly condensed version that aims to provide you with an easy and quick overview of data processing on our site.

You will find the full version according to GDPR (effective from 25.5.2018) immediately afterwards.

How we handle your personal data

  • We store and process your personal data in relation to order processing in our in-house merchandise management system.

  • We store your personal data for future orders and to comply with legal bookkeeping requirements in the form of a customer account.

  • For delivery by shipping, we provide your address data to our logistics partners specifically for the individual delivery order.

How we do not handle your personal data

  • We do not sell your data to third parties for advertising purposes.

  • We do not use any third-party tracking systems (Google Analytics, etc.).

  • Simply visiting our website does not share your data with social networks or other third-party service providers.

How we handle access data on our site

  • We log accesses to our site for statistical, anonymized evaluation to improve our service.

  • This is done only within the framework of the data transmitted to us by the browser software you use (IP address, time, visited webpage, browser used).

How we protect your data

  • Your personal data is always transmitted via SSL encryption. If an attempt is made to establish an unencrypted connection to the website, the access is immediately redirected to the encrypted version, and the browser is informed that unencrypted accesses will not be possible in the future.

  • Your personal data, including the order, does not remain on the web server but is removed from the web server after being transferred to our in-house systems.

  • These in-house systems are separated from the Internet by a firewall, thus protecting them from direct attacks from the Internet.

Your Rights

  • You can request information about the personal data stored about you at any time.

  • You can request that this data be blocked for advertising use at any time.

  • You can also request that this data be deleted (right to be forgotten).

  • Please note that due to accounting obligations in Germany, we may only delete a large portion of the data after the expiry of the tax retention periods (usually 10 years).

If you have any questions or wish to exercise your rights

Please contact our data protection officer, preferably by email at datenschutz@schlaile.de or by post at:

Musikhaus Schlaile GmbH
Attn: Data Protection Officer
Kaiserstr. 175
76133 Karlsruhe


Privacy Policy according to GDPR (full version)

Here you will find our full privacy policy according to GDPR (effective from 25.5.2018).

Name and address of the responsible party

The responsible party within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

Musikhaus Schlaile GmbH
Kaiserstr. 175
76133 Karlsruhe
Germany
Tel.: 0721-1302-0
E-mail: info@schlaile.de
Website: www.schlaile.de

Name and address of the Data Protection Officer

The Data Protection Officer of the responsible party is:

Ilona Lang
Musikhaus Schlaile GmbH
Kaiserstr. 175
76133 Karlsruhe
Germany
Tel.: 0721-1302-24
E-mail: datenschutz@schlaile.de
Website: www.schlaile.de

I. General information on data processing

  1. Scope of processing personal data

    We collect and use personal data of our users only to the extent necessary to provide a functional website and our content and services. The collection and use of personal data of our users is regularly carried out only with the user's consent. An exception applies in those cases where obtaining prior consent is not possible for factual reasons and the processing of the data is permitted by legal regulations.

  2. Legal basis for the processing of personal data

    If we obtain the consent of the data subject for processing personal data, Art. 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

    In the case of the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.

    If the processing of personal data is necessary for the fulfillment of a legal obligation to which our company is subject, Art. 6(1)(c) GDPR serves as the legal basis.

    In the event that the vital interests of the data subject or another natural person make the processing of personal data necessary, Art. 6(1)(d) GDPR serves as the legal basis.

    If the processing is necessary to protect a legitimate interest of our company or a third party, and the interests, fundamental rights, and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6(1)(f) GDPR serves as the legal basis for the processing.

  3. Data deletion and storage period

    The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Storage may also occur if this has been provided for by the European or national legislator in Union regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires unless there is a need for further storage of the data for the conclusion or performance of a contract.

II. Provision of the website and creation of log files

  1. Description and scope of data processing

    Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.

    The following data is collected:

    1. Information about the browser type and version used

    2. The user's operating system

    3. The user's IP address

    4. Date and time of access

    5. Websites from which the user's system accesses our website

    The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

    On our website, the logo of our partner idealo (idealo internet GmbH, Ritterstraße 11, 10969 Berlin) is integrated. When calling up our website, information is automatically sent to the server of idealo by the browser used on your device.

    1. Information about the browser type and version used

    2. The user's operating system

    3. The user's IP address

    4. Date and time of access

    On our website, the "Referrer-Policy" is set so that the visited page is not transmitted to the servers of idealo, provided that the browser supports this function. This is the case with all modern browsers (current Firefox, Chrome, Opera). In older browsers (IE, Edge, Safari), the visited page may currently also be transmitted to the servers of idealo.

  2. Legal basis for data processing

    The legal basis for the temporary storage of data and log files is Art. 6(1)(f) GDPR.

  3. Purpose of data processing

    The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.

    Storage in log files is done to ensure the functionality of the website. In addition, the data is used to optimize the website and ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

    These purposes also constitute our legitimate interest in data processing according to Art. 6(1)(f) GDPR.

  4. Duration of storage

    The data will be deleted as soon as it is no longer necessary for the purpose of its collection. In the case of data collection for the provision of the website, this is the case when the respective session is terminated.

    In the case of storage of data in log files, this is the case after no more than seven days. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or anonymized so that an assignment of the calling client is no longer possible.

  5. Possibility of objection and removal

    The collection of data for the provision of the website and the storage of data in log files is mandatory for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

III. Processing of orders via our website

  1. Description and scope of data processing

    You can place orders on our website either as a guest without registering or by registering as a customer in our shop for future orders. Registration offers you the advantage that you can log into our shop directly with your email address and password when making a future order, without having to re-enter your contact details.

    Your personal data is entered into an input mask and transmitted to us and stored. When you place an order on our website, we collect the following data both in the case of a guest order and in the case of registration in the shop:

    • Salutation, first name, last name,

    • a valid email address,

    • address,

    • phone number (landline and/or mobile)

    This data is collected:

    • to identify you as our customer;

    • to process, fulfill and handle your order;

    • for correspondence with you;

    • for invoicing;

    • for the handling of any liability claims, as well as the assertion of any claims against you;

    • to ensure the technical administration of our website;

    • to manage our customer data.

  2. Legal basis for data processing

    The legal basis for the processing of personal data in the context of your order and/or registration is Art. 6(1)(b) GDPR.

  3. Purpose of data processing

    Data processing takes place in response to your order and/or registration and is necessary for the aforementioned purposes, namely the appropriate processing of your order and the mutual fulfillment of obligations arising from the purchase contract, according to Art. 6(1)(b) GDPR.

  4. Transfer of data

    We transfer your personal data only to the service partners involved in the contract processing, such as the logistics company entrusted with the delivery and the credit institution entrusted with payment matters. Where your personal data is transferred to third parties, the scope of the transferred data is limited to the necessary minimum.

    A transfer of your personal data to third parties for purposes other than those mentioned does not take place.

    We also only pass on your personal data to third parties if:

    1. you have given your express consent to this according to Art. 6(1)(a) GDPR,

    2. the transfer is necessary according to Art. 6(1)(f) GDPR to assert, exercise or defend legal claims, and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,

    3. there is a legal obligation to transfer according to Art. 6(1)(c) GDPR, and

    4. this is legally permissible and necessary for the processing of contractual relationships with you according to Art. 6(1)(b) GDPR.

    In the context of the order process, your consent to the transfer of your data to third parties is obtained.

  5. Duration of storage

    The personal data collected by us for the processing of your order will be stored until the expiration of the statutory retention obligation and then deleted, unless we are obliged to store it for longer according to Art. 6(1)(c) GDPR due to tax and commercial law retention and documentation obligations (from HGB, StGB or AO) or you have consented to further storage according to Art. 6(1)(a) GDPR.

  6. Possibility of objection and removal

    If your personal data is processed on the basis of legitimate interests according to Art. 6(1)(f) GDPR, you have the right to object to the processing of your personal data according to Art. 21 GDPR, provided that there are reasons for this arising from your particular situation or if the objection is directed against direct marketing. In the latter case, you have a general right of objection, which is implemented by us without specifying a particular situation.

    If you wish to exercise your right of objection, please call us (0721-1302-24) or send us an email to datenschutz@schlaile.de.

IV. Use of cookies

  1. Description and scope of data processing

    Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. If a user calls up a website, a cookie can be stored on the user's operating system. This cookie contains a characteristic string that enables the browser to be uniquely identified when the website is called up again.

    We use cookies to make our website more user-friendly. Some elements of our Internet site require that the calling browser can be identified even after a page change.

    The following data is stored and transmitted in the cookies:

    A temporary identification number (session ID) for the user's session, which automatically expires after 24 hours.

    The actual session information remains on our web server for the duration of the user's activity on our site and contains the products placed in the shopping cart and the address and payment information (payment method, in the case of direct debits: bank details).

    After the order process is completed, this data is automatically deleted, or alternatively, if no order is placed, the deletion occurs on our web server at the latest after 24 hours.

  2. Legal basis for data processing

    The legal basis for the processing of personal data using cookies is Art. 6(1)(f) GDPR.

  3. Purpose of data processing

    The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our Internet site cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page change.

    We need cookies for the following applications:

    1. Shopping cart

    2. Address data and payment information during the order process

    The user data collected by technically necessary cookies is not used to create user profiles.

    These purposes also constitute our legitimate interest in processing personal data according to Art. 6(1)(f) GDPR.

  4. Duration of storage, possibility of objection and removal

    Cookies are stored on the user's computer and transmitted by it to our site. Therefore, you as the user also have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

V. Newsletter

  1. Description and scope of data processing

    If you purchase goods or services on our website and provide your email address, this may subsequently be used by us to send a newsletter. In such a case, only direct advertising for our similar goods or services will be sent via the newsletter.

    There is no transfer of data to third parties in connection with data processing for sending newsletters. The data is used exclusively for sending the newsletter.

  2. Legal basis for data processing

    The legal basis for sending the newsletter as a result of the sale of goods or services is § 7(3) UWG.

  3. Purpose of data processing

    The collection of the user's email address serves to deliver the newsletter.

  4. Duration of storage

    The data will be deleted as soon as it is no longer necessary for achieving the purpose of its collection. The user's email address will therefore be stored as long as the newsletter subscription is active.

  5. Possibility of objection and removal

    The subscription to the newsletter can be canceled by the affected user at any time. For this purpose, there is a corresponding link in every newsletter.

    Alternatively, you can unsubscribe at any time at https://www.schlaile.de/Service/Newsletter.html.

VI. Contact form and email contact

  1. Description and scope of data processing

    Several contact forms are available on our website, which can be used for electronic contact. If a user takes advantage of this opportunity, the data entered in the input mask will be transmitted to us and stored. This data is:

    Feedback form (https://www.schlaile.de/Kontakt/ErrFeedback.php)

    1. The page for which the user wants to report an error.

    2. The message with the error description.

    3. The transmitted type and version of the user's browser used for error diagnosis.

    4. Optionally: the user's voluntarily provided email address for inquiries.

    Callback request (https://www.schlaile.de/Service/Callback.php)

    1. The desired department

    2. Name, customer number (optional), your phone number

    3. When we can reach you

    4. Your concern

    Inquiry form (https://www.schlaile.de/Instrumente/Anfrage.php) for financing, lease-purchase, or individual solutions on each product page for musical instruments and accessories:

    1. The user's address

    2. Personal remarks

    At the time of sending the message, the following data is also stored:

    1. The user's IP address

    2. Date and time of registration

    For the processing of the data, your consent is obtained during the sending process and reference is made to this privacy policy.

    Alternatively, contact is possible via the provided email address. In this case, the user's personal data transmitted with the email will be stored.

    There is no transfer of data to third parties in this context. The data is used exclusively for processing the conversation.

  2. Legal basis for data processing

    The legal basis for processing the data is the user's consent according to Art. 6(1)(a) GDPR.

    The legal basis for processing data transmitted in the course of sending an email is Art. 6(1)(f) GDPR. If the email contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6(1)(b) GDPR.

  3. Purpose of data processing

    The processing of personal data from the input mask serves us solely for processing the contact. In the case of contact via email, this also includes the necessary legitimate interest in processing the data.

    The other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our information technology systems.

  4. Duration of storage

    The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. For personal data from the input mask of the contact form and those sent by email, this is the case when the respective conversation with the user has ended. The conversation ends when it can be inferred from the circumstances that the relevant facts have been finally clarified.

    The personal data additionally collected during the sending process will be deleted at the latest after a period of seven days.

  5. Possibility of objection and removal

    The user has the option to revoke their consent to the processing of personal data at any time. If the user contacts us by email, they can object to the storage of their personal data at any time. In such a case, the conversation cannot be continued.

    Please call us (0721-1302-24) or send us an email to datenschutz@schlaile.de.

    All personal data stored in the course of contacting us will be deleted in this case.

VII. Web analysis by Matomo (formerly PIWIK)

  1. Scope of processing personal data

    We use the open-source software tool Matomo (formerly PIWIK) on our website to analyze the surfing behavior of our users. When individual pages of our website are accessed, the following data is stored:

    1. Three bytes of the IP address of the accessing user's system

    2. The accessed webpage

    3. The website from which the user accessed the accessed webpage (referrer)

    4. The subpages that are accessed from the accessed webpage

    5. The length of stay on the webpage

    6. The frequency of accessing the webpage

    The software runs exclusively on the servers of our website. The personal data of the users is only stored there. The data is not passed on to third parties.

    The software is set so that the IP addresses are not completely stored but three bytes of the IP address are masked (e.g., 192.168.002.xxx). This way, an assignment of the shortened IP address to the accessing computer is no longer possible.

  2. Legal basis for the processing of personal data

    The legal basis for processing users' personal data is Art. 6(1)(f) GDPR.

  3. Purpose of data processing

    The processing of users' personal data allows us to analyze the surfing behavior of our users. By evaluating the data obtained, we can compile information about the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. These purposes also constitute our legitimate interest in processing the data according to Art. 6(1)(f) GDPR. By anonymizing the IP address, the user's interest in protecting their personal data is sufficiently taken into account.

  4. Duration of storage

    The data will be deleted as soon as it is no longer required for our recording purposes. This is the case after no more than six months.

  5. Possibility of objection and removal

    By anonymizing the IP address, the user's interest in protecting their personal data is sufficiently taken into account.

    Additionally, we intentionally use the Matomo analysis software without tracking cookies to protect the privacy of our users.

    Consequently, the user does not have the possibility to object.

VIII. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR, and you have the following rights against the controller:

  1. Right of access

    You can request confirmation from the controller as to whether personal data concerning you is being processed by us.

    If such processing is taking place, you can request information from the controller about the following:

    1. the purposes for which the personal data is processed;

    2. the categories of personal data that are processed;

    3. the recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;

    4. the planned duration of the storage of the personal data concerning you or, if specific information is not possible, criteria for determining the storage duration;

    5. the existence of a right to rectification or deletion of the personal data concerning you, a right to restriction of processing by the controller or a right to object to this processing;

    6. the existence of a right to lodge a complaint with a supervisory authority;

    7. all available information about the origin of the data if the personal data is not collected from the data subject;

    8. the existence of automated decision-making, including profiling, according to Art. 22(1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved as well as the scope and intended effects of such processing for the data subject.

    You have the right to request information as to whether the personal data concerning you is transferred to a third country or an international organization. In this context, you can request to be informed about the appropriate safeguards according to Art. 46 GDPR in connection with the transfer.

  2. Right to rectification

    You have the right to rectification and/or completion against the controller if the personal data processed concerning you is inaccurate or incomplete. The controller must make the correction without delay.

  3. Right to restriction of processing

    Under the following conditions, you can request the restriction of the processing of personal data concerning you:

    1. if you contest the accuracy of the personal data concerning you for a period that enables the controller to verify the accuracy of the personal data;

    2. the processing is unlawful, and you oppose the deletion of the personal data and instead request the restriction of the use of the personal data;

    3. the controller no longer needs the personal data for processing purposes, but you require it for the establishment, exercise, or defense of legal claims, or

    4. if you have objected to the processing according to Art. 21(1) GDPR and it is not yet clear whether the legitimate reasons of the controller outweigh your reasons.

    If the processing of personal data concerning you has been restricted, this data may only be processed - apart from its storage - with your consent or for the establishment, exercise, or defense of legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

    If processing has been restricted according to the above conditions, you will be informed by the controller before the restriction is lifted.

  4. Right to deletion

    1. Deletion obligation

      You can request the controller to delete the personal data concerning you without delay, and the controller is obliged to delete this data without delay if one of the following reasons applies:

      1. The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.

      2. You withdraw your consent on which the processing is based according to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and there is no other legal basis for the processing.

      3. You object to the processing according to Art. 21(1) GDPR, and there are no overriding legitimate grounds for the processing, or you object to the processing according to Art. 21(2) GDPR.

      4. The personal data concerning you has been processed unlawfully.

      5. The deletion of the personal data concerning you is necessary to comply with a legal obligation under Union or Member State law to which the controller is subject.

      6. The personal data concerning you has been collected in relation to the offer of information society services according to Art. 8(1) GDPR.

    2. Information to third parties

      If the controller has made the personal data concerning you public and is obliged to delete it according to Art. 17(1) GDPR, the controller shall take reasonable measures, including technical measures, taking into account available technology and implementation costs, to inform data controllers processing the personal data that you, as the data subject, have requested the deletion of all links to this personal data or of copies or replications of this personal data.

    3. Exceptions

      The right to deletion does not exist insofar as processing is necessary

      1. to exercise the right to freedom of expression and information;

      2. to comply with a legal obligation that requires processing according to the law of the Union or Member States to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;

      3. for reasons of public interest in the area of public health according to Art. 9(2)(h) and (i) and Art. 9(3) GDPR;

      4. for archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes according to Art. 89(1) GDPR, insofar as the right referred to under 1. (Deletion obligation) is likely to render impossible or seriously impair the achievement of the objectives of this processing, or

      5. for the establishment, exercise, or defense of legal claims.

  5. Right to information

    If you have asserted the right to rectification, deletion, or restriction of processing against the controller, the controller is obliged to inform all recipients to whom the personal data concerning you has been disclosed of this rectification, deletion of the data, or restriction of processing unless this proves impossible or involves disproportionate effort.

    You have the right to be informed about these recipients by the controller.

  6. Right to data portability

    You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format. You also have the right to transfer this data to another controller without hindrance from the controller to whom the personal data was provided, provided that

    1. the processing is based on consent according to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract according to Art. 6(1)(b) GDPR and

    2. the processing is carried out by automated means.

    In exercising this right, you also have the right to have the personal data concerning you transferred directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be adversely affected thereby.

    The right to data portability does not apply to processing personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  7. Right to object

    You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, which is based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions.

    The controller will no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of legal claims.

    If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, including profiling to the extent that it is related to such direct marketing.

    If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.

    You have the possibility, in the context of using information society services, and notwithstanding Directive 2002/58/EC, to exercise your right to object by automated means using technical specifications.

  8. Right to withdraw consent under data protection law

    You have the right to withdraw your consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

  9. Automated individual decision-making, including profiling

    You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

    1. is necessary for entering into, or performance of, a contract between you and the controller,

    2. is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or

    3. is based on your explicit consent.

    However, these decisions may not be based on special categories of personal data referred to in Art. 9(1) GDPR, unless Art. 9(2)(a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

    Regarding the cases referred to in (1) and (3), the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view, and to contest the decision.

  10. Right to lodge a complaint with a supervisory authority

    Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data concerning you violates the GDPR.

    The supervisory authority to which the complaint has been submitted informs the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy according to Art. 78 GDPR.