Thomann app Privacy Notice
Thomann app Privacy Notice
(for Google-Android-compatible devices and iOS devices)
This Privacy Notice describes the way in which Thomann GmbH (hereinafter “Thomann”) processes and protects according to the General Data Protection Regulation (GDPR) and the relevant German data protection laws, in particular the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) the data you provide us with when using the Thomann app and that is required when installing the Thomann app on your Android device (e.g. compatible Android smartphone or Android tablet) or iOS device (e.g. iPhone, iPod or iPad).
Controller and Data Protection Officer
The responsible authority within the meaning of the data protection regulations for all data processing and data transmission processes through the Thomann app is:
In the event of any questions, comments, complaints or to exercise your rights as a data subject in connection with our Privacy Notice and the processing of your personal data by Thomann’s apps, you can contact Thomann’s Data Protection Officer directly by email (firstname.lastname@example.org). He will gladly take care of your data protection concerns.
Legal basis for the processing of personal data
If we obtain the consent of the data subject to process their personal data, Article 6(1)(a) GDPR serves as the legal basis for the processing of personal data.
When processing personal data necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) GDPR shall serve as the legal basis. This also applies to any processing required to perform pre-contractual measures.
If processing of personal data is necessary for compliance with a legal obligation to which Thomann is subject, Article 6(1)(c) GDPR shall serve as the legal basis.
In the event that the vital interests of the data subject or of another natural person necessitate the processing of personal data, Article 6 (1)(d) GDPR shall serve as the legal basis.
If processing is necessary to safeguard the legitimate interests of our company or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR shall serve as the legal basis for processing.
Data deletion and storage duration
The data subject’s personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Data may be stored beyond this if provisions have been made for this by the European or national legislator in Union regulations, laws or other rules to which the controller is subject. Data will also be blocked or deleted if a storage period prescribed by the standards mentioned above expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
What data do we require from you to run the Thomann app? What data is collected and stored when using the Thomann app?
Downloading and installing the Thomann app
(1) From the Google Play Store (Google-Android-compatible devices)
To use the Thomann app on your Android device (e.g. Android smartphone or Android tablet), you will need to download the Thomann app from the Google Play Store and install it on your device. To do this, you must be logged into the Google Play Store with your Android user account by entering your user name (your email address) and password.
Information and data may be collected and processed by Google through the Play Store. For further information regarding the purpose and scope of data collection, and regarding the further processing and use of your data in the Play Store by Google, see Google’s privacy rules. These are available online at http://www.google.co.uk/intl/en-GB/policies/privacy/. There you will find, amongst other things, information regarding settings for the protection of your privacy and regarding your further rights regarding the collecting, processing and use of your data by Google. For further information on using the Google Play Store, please refer to the Play Store Terms of Service, which are available online at https://play.google.com/intl/en-GB/about/play-terms.html.
(2) From the App Store or iTunes
To use the app on your iOS device (e.g. iPhone, iPod or iPad), you will need to download the app from the Apple App Store (from iTunes on a Mac) and install it on your device. To do this, you must be logged into the App Store with your Apple user account by entering your Apple ID (usually your email address) and your password.
Information and data may be collected and processed by Apple through the App Store. For information regarding the purpose and scope of data collection, and regarding the further processing and use of your data by Apple, see Apple’s own privacy rules. These are available online at https://www.apple.com/legal/privacy/en-ww/. There you will find, amongst other things, information regarding settings for the protection of your privacy and regarding your further rights regarding the collecting, processing and use of your data by Apple. For further information on using the App Store and iTunes and other online services from Apple, please refer to the Apple Terms and Conditions, which are available online at http://www.apple.com/legal/internet-services/itunes/uk/terms.html.
Permissions for the Thomann app to access data on your device
(1) For Google-Android-compatible devices
When installing the Thomann app in the Google Play Store, you must confirm the following access permissions:
- Photos/media/files, using at least one of the following elements: files on the device such as images, videos or audio elements, as well as on the device’s external storage
If you do not wish to accept these access permissions, please do not install or use the Thomann app.
The Thomann app has access to the following during use:
- Access to your device’s network functions (the Thomann app only works when the device is online)
- Access to location
- Reading, modifying or deleting USB memory content
(2) For iOS devices
The Thomann app requires access to the following data/functions of your device during use only, which you can configure in the settings of your iOS device (under Settings/Privacy):
- Access to location
- Access to the device’s network functions (the Thomann app only works when the device is online).
If you confirm the access permissions and access during or after installation, you hereby give us your consent to such access to your device. The legal basis for the data processing is Article 6(1)(a) GDPR. Data is processed through certain access permissions to your device for the purposes of the technical operation and use of the Thomann app and all its features.
Data processing when using the Thomann app, in particular the Shopping function
When using the Thomann app, in particular when viewing various Thomann products, only the product views (e.g. image material, products on shopping lists) are stored in your device’s temporary storage (“caching”).
You can use the Shopping function in the Thomann app either by logging in with the log-in details (email address, password) of your existing Thomann customer account or by entering your personal data without logging in.
If you place an order using your existing Thomann customer details, you will not need to enter any further details in the Thomann app during the order process. The details stored in your customer account (first name and surname, address) will be displayed during the order process. Of course, you can amend and/or correct these details.
If you place an order through the Thomann app without logging in, the form within the Thomann app will ask you for all the details that Thomann requires to complete and process orders: first name and surname, company (optional), postal address, telephone number (only for queries), email address.
In addition, it is possible to simply import these details directly from your device’s contacts on iOS devices. In order to do this, you have to allow the Thomann app to access your contacts in your iOS device’s settings (under Settings/Privacy).
The legal basis for the data processing during product preview and ordering through the Thomann app is Article 6(1)(b) GDPR. The product preview and order functions are used to initiate a purchase contract or to fulfil a concluded purchase contract if you generate an order via the Thomann app.
Data stored on the device when using the Thomann app
The following data is stored locally on your device when using the Thomann app:
- Product details, i.e. images of the items you have viewed in the Thomann app in your device’s non-temporary memory (“cache”);
- Log-in. Of your log-in details, only your email address is stored locally; your password for accessing your Thomann customer account is not saved, but rather just a “token” that allows you to conveniently log in again. This access token, which is unique to the device you are using, is generated on Thomann’s app server for authentication purposes the first time you log into the Thomann app. The token will become invalid once the password is changed. If the app is deleted, the access token will also be deleted.
The legal basis for the storage of this data is Article 6(1)(f) GDPR. We store this data for the purpose of making the product range in the Thomann app and the use thereof more appealing. This is also the basis for our legitimate interests in data processing pursuant to Article 6(1)(f) GDPR.
Data automatically collected by using the Thomann app (usage data)
We welcome anybody to use the Thomann app free of charge and to look at the products on offer. When you use the Thomann app, we record the IP address assigned to your device along with other general usage data, in order to evaluate how and to what extent and how long you have used the Thomann app. We use Google Analytics as an analysis tool for this app-tracking. You can find details of the data collection and processing by Google Analytics under 5. There you will also find information on your right to object to data processing by Google Analytics and on the applicable legal basis.
How is your data used and passed on to third parties, and for what purpose?
Thomann will transfer your data to third parties that are involved in the processing of your order made through the Thomann app. For example, if you have placed an order via the Thomann app, Thomann will transmit your order information to the Thomann partner companies and contractors that process and deliver your order to you. Data will only be transmitted to the extent required in order to fulfil or deliver your order or to process an enquiry. We will also transmit personal data to third parties where we are required to do so by law.
To complete the order through the Thomann app, depending upon the payment method you select, it will also be necessary to pass on the payment information you have provided (e.g. credit card details), to payment service providers appointed by Thomann in order to process your order.
Data is passed on for order and payment processing purposes; the legal basis for this is Article 6(1)(b) GDPR.
What security measures have we taken to protect your data?
Thomann has taken precautions to ensure the security of your personal data. Your data will be diligently protected against loss, destruction, manipulation and unauthorised access or unauthorised disclosure and transmission. Thomann protects data collected when using the Thomann app by saving it on servers protected by passwords and firewalls (not on the device itself), which use encryption technology to prevent unauthorised access. Thomann does its utmost and implements state-of-the-art technology to provide you with a secure environment for the completion of your order through the Thomann app; however, we cannot guarantee absolute security of your data. Thomann would ask that you to take every available precaution to protect your personal data when using the Thomann app. We encourage you to at least change your passwords on a regular basis and to use a combination of letters and numbers, as well as special characters where appropriate, when setting your password.
Communication between the Thomann app installed on your device and the app server operated by Thomann is always performed via a sufficiently encrypted internet connection (SSL certificate).
In addition, technical error messages and system events in the Thomann app are logged and transmitted to Thomann. No personal data is transmitted in the process, only information that caused the Thomann app to crash. These crash reports are not associated with your device’s personal data.
We use Google Analytics. What does that mean for your data?
Use of the Thomann app is automatically logged. To do this, Thomann uses the version of Google Analytics specially designed for apps, “Mobile App Analytics”. Google Analytics is an analysis service of Google Inc. (hereinafter referred to as “Google”). The logging starts as soon as the Thomann app is downloaded and installed on your device. Google Analytics sets an “anonymous identifier”, which performs the functions of a cookie on platforms such as mobile devices, on the device you are using. This is a file that is stored on your device and enables analysis of how you use the Thomann app. The information about your use of the Thomann app generated by the anonymous identifier is usually transmitted to and stored on a Google server in the United States. Google will use this information on behalf of Thomann for the purposes of analysing use of the Thomann app, compiling reports on app activity and providing further services related to app and internet use to Thomann, the app provider. Google will not combine the IP address of your device transmitted by the Thomann app via Google Analytics with other Google data.
The following usage data is tracked and statistically evaluated using Google Analytics:
- Information about the device operating system
- The user’s IP address
- Date and time of access
- The services and functions used within the Thomann app
Right to object
You can prevent collection and transfer of the data generated by the anonymous identifier and relating to your use of the Thomann app (including your IP address) to Google, as well as the processing of such data by Google.
To do this on Android, take the following steps:
On iOS, take the following steps:
The legal basis for the data processing through Google Mobile App Analytics is Article 6(1)(f) GDPR. We use this service for advertising and marketing purposes with the aim of making Thomann’s offering through the Thomann app more attractive. We take your right to privacy seriously by allowing you to object to the use of Google Mobile Analytics and informing you in advance about this Privacy Notice.
Links to Facebook and Twitter
We link to Facebook and Twitter within the Thomann app. The sole responsibility for Facebook and its website lies with Facebook Inc., 1601 Willow Rd, Menlo Park, CA 94025, USA (hereinafter referred to as “Facebook”), and for Twitter and its websites with Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103.
No data is initially transferred to Facebook or Twitter as a result of our links to Facebook and Twitter. If you click on the link, you will be taken directly to our Facebook or Twitter page. This will open the internet browser on your device. Data is only transmitted to Facebook or Twitter if you are logged into your Facebook or Twitter user account.
For further information regarding the purpose and scope of data collection, and regarding the further processing of your data by Facebook, see Facebook’s own privacy rules. These are available online at https://www.facebook.com/full_data_use_policy. There you will find, amongst other things, information regarding settings for the protection of your privacy and regarding your further rights concerning the processing of your data by Facebook.
Rights as a data subject
If your personal data is processed, you are a data subject as defined in the GDPR and you have the following rights with regard to Thomann as the controller:
1. Information, rectification, restriction and deletion
You have the right to access the data stored about you by Thomann and information concerning its origin and recipient and the purpose of data processing by Thomann’s websites free of charge at any time. In addition, you have the right to rectify, delete or restrict the processing of your personal data, provided the legal requirements to do so are met.
Details can be found in the relevant statutory provisions, Article 15 to 19 GDPR.
2. Right to data portability
You have the right to receive the personal data concerning you that you have provided to Thomann, in a structured, commonly used and machine-readable format. Thomann can comply with this right by providing a csv export of the customer data processed about you.
3. Right to information
If you have exercised your right of rectification, deletion or restriction of processing against the controller, the controller is obliged to notify all recipients to whom your personal data has been disclosed of this rectification or deletion of data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.
You have the right to be informed about these recipients by Thomann.
4. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you that is based upon point (e) or (f) of Article 6(1) GDPR, including profiling based upon those provisions.
The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
5. Revocability of declarations of consent under data protection law
You may also revoke your consent with regard to Thomann at any time with effect for the future using the contact details below.
6. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
Changes to this Privacy Notice
As of: May 2018